What PCI DSS 3.0 Means For Cloud Service Providers

What PCI DSS 3.0 Means For Cloud Service Providers

What PCI DSS 3.0 Means For Cloud Service Providers

The only constant is change. Earlier this month, the Payment Card Industry Security Standards Council released version 3.0 of the PCI DSS standard (along with the accompany Payment Application Data Security Standard).  In it are a few key focus areas that will directly affect Cloud Service Providers (CSPs), which is why it makes good business sense to start thinking about version 3.0 right now. While some of the rules aren’t required for existing implementations until 2015, smart CSPs understand that customers will certainly be asking about the changes in 2014.

The most important change for CSPs in PCI DSS 3.0 is that they are required to provide a written agreement (or acknowledgement) to their customers of their explicit responsibilities for supporting the standard. PCI DSS 2.0 had some requirements for service providers, but 3.0 will require that CSPs develop specific, contract-level documentation of their commitments. The idea here is to eliminate the expensive finger-pointing exercise many organizations go through when something as simple as a disaster recovery or backup site, or when an audit finds expected portions of the standard are not met, or in the investigations following a data breach.

Another important change in 3.0 is the need for explicit definitions around the shared responsibility of service providers who provide PCI DSS-compliant environments and services to their customers. There will be no getting off the hook anymore.

This version of the PCI standard will also cause CSPs to take a look at the rest of their compliance offering-related infrastructure and processes — and sooner is better than later.  Here’s one change to watch for: the pen test requirement.  With version 3.0, the cardholder data environment has to be explicitly tested quarterly by an approved scanning vendor to verify that it is properly separated from other network environments.  It is critical that CSPs either work this requirement into their process and infrastructure set to make sure that the environment matches the new data security requirements.

There are also a host of smaller changes and clarifications that will be important to CSPs and thus deserve at least a mention here.  They include:

  • Increased education and awareness for personnel involved in managing the infrastructure and applications for the payment chain;
  • Specific clarifications around the use of encryption and cryptographic keys;
  • Account access procedures that limit CSP access to card payment infrastructure;
  • More detailed guidance about allowed password use;
  • More focused description of the limits of privileged and standard user access controls;
  • New access guidelines for CSPs that have remote access to their customers’ payment card data environments; and
  • New physical access requirements for onsite personnel
  • Increased visibility into the creation of new accounts and escalation of privileges by users with root and administrative access

As I said before, these changes do not need to be implemented until 2015, but affected CSPs should develop plans well ahead of time to ensure they can meet the new requirements. Doing so will give them a clear first-mover advantage in an increasingly security-focused market.

So, whatever your Cloud service offerings, getting ahead of the new PCI DSS requirements will enable you to both differentiate your offerings from the competition and give your customers greater comfort on the cloud security front. Don’t drag your heels addressing the additional requirements; instead, embrace the new PCI DSS standard in ways that will drive new business and also expand opportunities with your existing customers.

c-j-radford

By C.J Radford,

C.J. Radford joined Vormetric in March 2013 as vice president of cloud, a newly created leadership position that is tasked with leading the company’s cloud strategy and growth via strategic partnerships with cloud service providers (CSPs). He came to Vormetric from Symantec Corporation, where he spent more than five years driving business development and new strategic growth initiatives within the rapidly evolving CSP market. He holds a bachelor’s degree in business administration from the University of Oregon and an MBA from the University of California, Berkeley.

About CloudTweaks

Established in 2009, CloudTweaks is recognized as one of the leading authorities in connected technology information and services.

We embrace and instill thought leadership insights, relevant and timely news related stories, unbiased benchmark reporting as well as offer green/cleantech learning and consultive services around the world.

Our vision is to create awareness and to help find innovative ways to connect our planet in a positive eco-friendly manner.

In the meantime, you may connect with CloudTweaks by following and sharing our resources.

View All Articles

One Response to What PCI DSS 3.0 Means For Cloud Service Providers

How Will The Internet of Things Affect The Business World?

How Will The Internet of Things Affect The Business World?

Internet of Things and the Business World? Experts predict that by 2020, the Internet of Things will have a market greater than $1 Trillion, yet despite it being the new buzzword, many people have no idea how this predicted revolution will shape the business world. We’ve all heard predictions of various appliances with sensors, wearable…

The Concept Of Securing IoT To Secure Your Building

The Concept Of Securing IoT To Secure Your Building

Securing IoT Ah, security. It is the dulcet tone of a symphony that we play over and over in the IT world. IoT (Internet of Things) and the myriad of connected devices allow us some intriguing security options. For example, in a mesh array of sensors, you could effectively force users to correctly identify themselves…

Vendors To Enter The Cyber Security Game

Vendors To Enter The Cyber Security Game

IT Regulatory Compliance as the Next Big Focus for Cloud Vendors Back in October 2014, Defense Information Systems Agency (DISA) submitted a public request for information, calling for the assessment of the marketplace’s ability to “provide cloud ecosystems and services in two integration models that place vendor cloud services on DoD networks for use by…

Immune Systems: Information Security And Risk In 2016

Immune Systems: Information Security And Risk In 2016

Information Security And Risk C-suite executives have woken up to the threat posed by data theft, denial-of-service attacks and vulnerable systems. In 2015, for example, a series of high-profile cases illustrated the degree to which such attacks can damage a company’s reputation, brand and, ultimately, profits. Where businesses once undervalued cybersecurity, considering it the domain of CIOs and…

‘Tis The Season To Be Deploying Sensors

‘Tis The Season To Be Deploying Sensors

Deploying Sensors Overhead the Christmas Drones are buzzing, delivering packages to the good girls and boys. Back at the main location people are analyzing the good and bad data collected over the year about each person. Data analytics that is creating a list, gathering all the data and then checking the data on that list…

The Open Performance Grid: Utopia Comes To Tech

The Open Performance Grid: Utopia Comes To Tech

The Open Performance Grid “For what greater wealth can there be than cheerfulness, peace of mind, and freedom from anxiety?” So wrote the English author and philosopher Sir Thomas More in his novel, Utopia, almost 500 years ago. More’s utopian dreams continue to thrive in one guise or another to the present day; in the…

Cloud-Based Services vs. On-Premises: It’s About More Than Just Dollars

Cloud-Based Services vs. On-Premises: It’s About More Than Just Dollars

Cloud-Based Services vs. On-Premises The surface costs might give you pause, but the cost of diminishing your differentiators is far greater. Will a shift to the cloud save you money? Potential savings are historically the main business driver cited when companies move to the cloud, but it shouldn’t be viewed as a cost-saving exercise. There…

CloudTweaks is recognized as one of the leading influencers in cloud computing, infosec, big data and the internet of things (IoT) information. Our goal is to continue to build our growing information portal by providing the best in-depth articles, interviews, event listings, whitepapers, infographics and much more.

Sponsor