
PCI and the Cloud - are they oil and water?

Sometimes it seems as though we finally achieve PCI compliance only to have 'management' change the landscape and throw the 'cloud' curveball at us.  Will PCI and clouds mix or are they oil and water?

For a credit card processing organisation, it's (relatively) easy to achieve PCI compliance when it owns pretty well all of the computers and plumbing right up to the secure connection to the payment gateway.

"Great, we can rest a little easy until the next audit," says the CSO.

Next thing he hears is that the Board and the CIO have decided to make his sunny day exceedingly cloudy.

"We're going to outsource our back-end systems to a cloud provider; we're looking to see who's cheapest."

According to leading Australian specialist security information consultancy Pure Hacking, the challenges of transparency and independent verification of compliance standards are two major issues which organisations need to address before moving credit card storage and transaction facilities to a public cloud. They suggest that while the costs of daily operations might well be reduced by sending them into the cloud, a similar plan for card processing brings little but heartache.

"Solely relying on public cloud computing systems for processing credit card information and transactions is literally a game of probability and risk. In the end the likelihood of an attack against a public cloud that holds such high value information is extremely probable. The security posture of your public cloud vendor against such attacks is key to your ability to protect your client's data privacy and business functionality," said Ty Miller, CTO, Pure Hacking.


Organisations externalise their information to the cloud making it extremely difficult to assess and validate the PCI compliance levels of the individual cloud provider. In all likelihood, there are probably a large number of cloud providers entirely unable to provide the necessary guarantees required to assess top-to-bottom PCI compliance.

Miller continued, "The incidence of malicious attacks on public cloud services is on the rise. Credit card information, plus the identifiable data that is used to verify that credit card, are both a valuable and attractive target. If you can achieve the full identity of the card holder or thousands of card holders in an attack, the hacker has increased the profitability level of the attack. This is a valid security concern for those organisations that rely on credit card transactions to successfully stay in business or on PCI protocols when they are considering a move to a public cloud."

Pure Hacking offers a few recommendations for achieving PCI compliance in a public cloud:


  • Check that your cloud provider actually knows how to spell PCI.  Beyond that, make sure that the agreements spell out full disclosure; if the vendor knows or suspects they are not compliant, they must tell you.
  • Confirm that the cloud provider is provably PCI compliant.  Ensure that every part of their system is included in your regular audit.
  • Extend your PCI compliance budget to include the extra requirements of testing the cloud provider, and ensure they receive sufficient focus.
  • Be aware that having made the decision to move card processing to the cloud, reversing the decision will be costly; in other words, double and triple check your decision to go to the cloud.


