The Lighter Side Of The Cloud – Accountability
The Lighter Side Of The Cloud – BYOD
The Lighter Side Of The Cloud – Telecommute
The Lighter Side Of The Cloud – Thin Client
What PCI DSS 3.0 Means For Cloud Service Providers

What PCI DSS 3.0 Means For Cloud Service Providers

What PCI DSS 3.0 Means For Cloud Service Providers

The only constant is change. Earlier this month, the Payment Card Industry Security Standards Council released version 3.0 of the PCI DSS standard (along with the accompany Payment Application Data Security Standard).  In it are a few key focus areas that will directly affect Cloud Service Providers (CSPs), which is why it makes good business sense to start thinking about version 3.0 right now. While some of the rules aren’t required for existing implementations until 2015, smart CSPs understand that customers will certainly be asking about the changes in 2014.

The most important change for CSPs in PCI DSS 3.0 is that they are required to provide a written agreement (or acknowledgement) to their customers of their explicit responsibilities for supporting the standard. PCI DSS 2.0 had some requirements for service providers, but 3.0 will require that CSPs develop specific, contract-level documentation of their commitments. The idea here is to eliminate the expensive finger-pointing exercise many organizations go through when something as simple as a disaster recovery or backup site, or when an audit finds expected portions of the standard are not met, or in the investigations following a data breach.

Another important change in 3.0 is the need for explicit definitions around the shared responsibility of service providers who provide PCI DSS-compliant environments and services to their customers. There will be no getting off the hook anymore.

This version of the PCI standard will also cause CSPs to take a look at the rest of their compliance offering-related infrastructure and processes — and sooner is better than later.  Here’s one change to watch for: the pen test requirement.  With version 3.0, the cardholder data environment has to be explicitly tested quarterly by an approved scanning vendor to verify that it is properly separated from other network environments.  It is critical that CSPs either work this requirement into their process and infrastructure set to make sure that the environment matches the new data security requirements.

There are also a host of smaller changes and clarifications that will be important to CSPs and thus deserve at least a mention here.  They include:

  • Increased education and awareness for personnel involved in managing the infrastructure and applications for the payment chain;
  • Specific clarifications around the use of encryption and cryptographic keys;
  • Account access procedures that limit CSP access to card payment infrastructure;
  • More detailed guidance about allowed password use;
  • More focused description of the limits of privileged and standard user access controls;
  • New access guidelines for CSPs that have remote access to their customers’ payment card data environments; and
  • New physical access requirements for onsite personnel
  • Increased visibility into the creation of new accounts and escalation of privileges by users with root and administrative access

As I said before, these changes do not need to be implemented until 2015, but affected CSPs should develop plans well ahead of time to ensure they can meet the new requirements. Doing so will give them a clear first-mover advantage in an increasingly security-focused market.

So, whatever your Cloud service offerings, getting ahead of the new PCI DSS requirements will enable you to both differentiate your offerings from the competition and give your customers greater comfort on the cloud security front. Don’t drag your heels addressing the additional requirements; instead, embrace the new PCI DSS standard in ways that will drive new business and also expand opportunities with your existing customers.

c-j-radford

By C.J Radford,

C.J. Radford joined Vormetric in March 2013 as vice president of cloud, a newly created leadership position that is tasked with leading the company’s cloud strategy and growth via strategic partnerships with cloud service providers (CSPs). He came to Vormetric from Symantec Corporation, where he spent more than five years driving business development and new strategic growth initiatives within the rapidly evolving CSP market. He holds a bachelor’s degree in business administration from the University of Oregon and an MBA from the University of California, Berkeley.

Follow Us!

CloudTweaks

Established in 2009, CloudTweaks.com is recognized as one of the leading authorities in cloud computing information. Most of the excellent CloudTweaks articles are provided by our own paid writers, with a small percentage provided by guest authors from around the globe, including CEOs, CIOs, Technology bloggers and Cloud enthusiasts. Our goal is to continue to build a growing community offering the best in-depth articles, interviews, event listings, whitepapers, infographics and much more...
Follow Us!

One Response to What PCI DSS 3.0 Means For Cloud Service Providers

FREE! POPULAR RESEARCH TOOLS

Popular Archives

Is Docker The Next Big Thing?

Is Docker The Next Big Thing?

Is Docker The Next Big Thing? We often hear that a particular product or idea is going to be the ‘next big thing’, and analysts and commentators are frequently falling over themselves to predict an emerging trend or developing idea. In the case of Docker, it might actually be justified. The open source technology is…

Five Signs The Internet of Things Is About To Explode

Five Signs The Internet of Things Is About To Explode

The Internet of Things Is About To Explode By 2020, Gartner estimates that the Internet of Things (IoT) will generate incremental revenue exceeding $300 billion worldwide. It’s an astoundingly large figure given that the sector barely existed three years ago. We are now rapidly evolving toward a world in which just about everything will become…

Recent

Cloud Infographic – Top Vulnerable Applications

Cloud Infographic – Top Vulnerable Applications

Top Vulnerable Applications  As you use the Internet on a daily basis, you probably come across cyber security topics, but rarely glance at them twice. After all, cyber security threats don’t concern you, right? Well, that’s not exactly true. Cyber attacks are more widespread than you can imagine and they may be targeting your devices as…

The Lighter Side Of The Cloud – Whatever Happened To Alone Time?

The Lighter Side Of The Cloud – Whatever Happened To Alone Time?

By David Fletcher Are you looking to supercharge your Newsletter, Powerpoint presentation, Social media campaign or Website? Our universally recognized tech related comics can help you. Contact us for information on our commercial licensing rates.  About Latest Posts Follow Us!CloudTweaksEstablished in 2009, CloudTweaks.com is recognized as one of the leading authorities in cloud computing information.…

MOST RECENT - Posted by
New Trends In Cloud Based Education

New Trends In Cloud Based Education

Cloud Based Education With technological progress accelerating and users’ computer experience becoming richer and increasingly complex, the future developments in education technology is very exciting. Students are now able to attend demonstration sessions on how to handle technology through remote laboratories using advanced applications in a truly interactive environment. One of these exciting areas is in telemedicine.…

The Many Hats Of Today’s IT Managers

The Many Hats Of Today’s IT Managers

The Many Hats of IT Managers In years past, the IT department of most large organizations was much like a version of Middle Earth: a mysterious nether world where people who seemed infinitely smarter than the rest of us bustled around, speaking and typing languages that appeared indecipherable, yet, which made our world work. They…

Selling Your Business To Your Employees

Selling Your Business To Your Employees

Mobility For Your Employees It may seem a radical notion, the idea of selling your business to the people who work for you, but this is the era in which we now work. Employees of all levels are all incredibly aware of their options when it comes to mobility and employability. This doesn’t mean that…

Technology Sponsors

hp Logo CityCloud-PoweredByOpenstack-Bluesquare_logo_100x100-01
cisco_logo_100x100 vmware citrix100
Site 24x7 200px-KPMG
Advertising ROI Plans

Established in 2009

CloudTweaks is recognized as one of the leading influencers in cloud computing, big data and internet of things (IoT) information. Our goal is to continue to build our growing information portal, by providing the best in-depth articles, interviews, event listings, whitepapers, infographics and much more.

CloudTweaks Comic Library

Advertising