What PCI DSS 3.0 Means For Cloud Service Providers
The only constant is change. Earlier this month, the Payment Card Industry Security Standards Council released version 3.0 of the PCI DSS standard (along with the accompany Payment Application Data Security Standard). In it are a few key focus areas that will directly affect Cloud Service Providers (CSPs), which is why it makes good business sense to start thinking about version 3.0 right now. While some of the rules aren’t required for existing implementations until 2015, smart CSPs understand that customers will certainly be asking about the changes in 2014.
The most important change for CSPs in PCI DSS 3.0 is that they are required to provide a written agreement (or acknowledgement) to their customers of their explicit responsibilities for supporting the standard. PCI DSS 2.0 had some requirements for service providers, but 3.0 will require that CSPs develop specific, contract-level documentation of their commitments. The idea here is to eliminate the expensive finger-pointing exercise many organizations go through when something as simple as a disaster recovery or backup site, or when an audit finds expected portions of the standard are not met, or in the investigations following a data breach.
Another important change in 3.0 is the need for explicit definitions around the shared responsibility of service providers who provide PCI DSS-compliant environments and services to their customers. There will be no getting off the hook anymore.
This version of the PCI standard will also cause CSPs to take a look at the rest of their compliance offering-related infrastructure and processes — and sooner is better than later. Here’s one change to watch for: the pen test requirement. With version 3.0, the cardholder data environment has to be explicitly tested quarterly by an approved scanning vendor to verify that it is properly separated from other network environments. It is critical that CSPs either work this requirement into their process and infrastructure set to make sure that the environment matches the new data security requirements.
There are also a host of smaller changes and clarifications that will be important to CSPs and thus deserve at least a mention here. They include:
- Increased education and awareness for personnel involved in managing the infrastructure and applications for the payment chain;
- Specific clarifications around the use of encryption and cryptographic keys;
- Account access procedures that limit CSP access to card payment infrastructure;
- More detailed guidance about allowed password use;
- More focused description of the limits of privileged and standard user access controls;
- New access guidelines for CSPs that have remote access to their customers’ payment card data environments; and
- New physical access requirements for onsite personnel
- Increased visibility into the creation of new accounts and escalation of privileges by users with root and administrative access
As I said before, these changes do not need to be implemented until 2015, but affected CSPs should develop plans well ahead of time to ensure they can meet the new requirements. Doing so will give them a clear first-mover advantage in an increasingly security-focused market.
So, whatever your Cloud service offerings, getting ahead of the new PCI DSS requirements will enable you to both differentiate your offerings from the competition and give your customers greater comfort on the cloud security front. Don’t drag your heels addressing the additional requirements; instead, embrace the new PCI DSS standard in ways that will drive new business and also expand opportunities with your existing customers.
By C.J Radford,
C.J. Radford joined Vormetric in March 2013 as vice president of cloud, a newly created leadership position that is tasked with leading the company’s cloud strategy and growth via strategic partnerships with cloud service providers (CSPs). He came to Vormetric from Symantec Corporation, where he spent more than five years driving business development and new strategic growth initiatives within the rapidly evolving CSP market. He holds a bachelor’s degree in business administration from the University of Oregon and an MBA from the University of California, Berkeley.