What PCI DSS 3.0 Means For Cloud Service Providers

What PCI DSS 3.0 Means For Cloud Service Providers

What PCI DSS 3.0 Means For Cloud Service Providers

The only constant is change. Earlier this month, the Payment Card Industry Security Standards Council released version 3.0 of the PCI DSS standard (along with the accompany Payment Application Data Security Standard).  In it are a few key focus areas that will directly affect Cloud Service Providers (CSPs), which is why it makes good business sense to start thinking about version 3.0 right now. While some of the rules aren’t required for existing implementations until 2015, smart CSPs understand that customers will certainly be asking about the changes in 2014.

The most important change for CSPs in PCI DSS 3.0 is that they are required to provide a written agreement (or acknowledgement) to their customers of their explicit responsibilities for supporting the standard. PCI DSS 2.0 had some requirements for service providers, but 3.0 will require that CSPs develop specific, contract-level documentation of their commitments. The idea here is to eliminate the expensive finger-pointing exercise many organizations go through when something as simple as a disaster recovery or backup site, or when an audit finds expected portions of the standard are not met, or in the investigations following a data breach.

Another important change in 3.0 is the need for explicit definitions around the shared responsibility of service providers who provide PCI DSS-compliant environments and services to their customers. There will be no getting off the hook anymore.

This version of the PCI standard will also cause CSPs to take a look at the rest of their compliance offering-related infrastructure and processes — and sooner is better than later.  Here’s one change to watch for: the pen test requirement.  With version 3.0, the cardholder data environment has to be explicitly tested quarterly by an approved scanning vendor to verify that it is properly separated from other network environments.  It is critical that CSPs either work this requirement into their process and infrastructure set to make sure that the environment matches the new data security requirements.

There are also a host of smaller changes and clarifications that will be important to CSPs and thus deserve at least a mention here.  They include:

  • Increased education and awareness for personnel involved in managing the infrastructure and applications for the payment chain;
  • Specific clarifications around the use of encryption and cryptographic keys;
  • Account access procedures that limit CSP access to card payment infrastructure;
  • More detailed guidance about allowed password use;
  • More focused description of the limits of privileged and standard user access controls;
  • New access guidelines for CSPs that have remote access to their customers’ payment card data environments; and
  • New physical access requirements for onsite personnel
  • Increased visibility into the creation of new accounts and escalation of privileges by users with root and administrative access

As I said before, these changes do not need to be implemented until 2015, but affected CSPs should develop plans well ahead of time to ensure they can meet the new requirements. Doing so will give them a clear first-mover advantage in an increasingly security-focused market.

So, whatever your Cloud service offerings, getting ahead of the new PCI DSS requirements will enable you to both differentiate your offerings from the competition and give your customers greater comfort on the cloud security front. Don’t drag your heels addressing the additional requirements; instead, embrace the new PCI DSS standard in ways that will drive new business and also expand opportunities with your existing customers.

c-j-radford

By C.J Radford,

C.J. Radford joined Vormetric in March 2013 as vice president of cloud, a newly created leadership position that is tasked with leading the company’s cloud strategy and growth via strategic partnerships with cloud service providers (CSPs). He came to Vormetric from Symantec Corporation, where he spent more than five years driving business development and new strategic growth initiatives within the rapidly evolving CSP market. He holds a bachelor’s degree in business administration from the University of Oregon and an MBA from the University of California, Berkeley.

About CloudTweaks

Established in 2009, CloudTweaks is recognized as one of the leading authorities in connected technology information and services.

We embrace and instill thought leadership insights, relevant and timely news related stories, unbiased benchmark reporting as well as offer green/cleantech learning and consultive services around the world.

Our vision is to create awareness and to help find innovative ways to connect our planet in a positive eco-friendly manner.

In the meantime, you may connect with CloudTweaks by following and sharing our resources.

View All Articles

Sorry, comments are closed for this post.

Comic
The Lighter Side Of The Cloud – Data Merge

The Lighter Side Of The Cloud – Data Merge

By Christian Mirra Please feel free to share our comics via social media networks such as Twitter, Facebook, LinkedIn, Instagram, Pinterest. Clear attribution (Twitter example: via @cloudtweaks) to our original comic sources is greatly appreciated.

The Rise Of Threat Intelligence Sharing

The Rise Of Threat Intelligence Sharing

Threat Intelligence Sharing  Security has been discussed often on CloudTweaks and for good reason. It is one of the most sought after topics of information in the technology industry.  It is virtually impossible to wake up and not read a headline that involves the words “Breached, Hacked, Compromised or Extorted (Ransomware)“. Included (below) is an…

Moving Your Email To The Cloud? Beware Of Unintentional Data Spoliation!

Moving Your Email To The Cloud? Beware Of Unintentional Data Spoliation!

Cloud Email Migration In today’s litigious society, preserving your company’s data is a must if you (and your legal team) want to avoid hefty fines for data spoliation. But what about when you move to the cloud? Of course, you’ve probably thought of this already. You’ll have a migration strategy in place and you’ll carefully…

Higher Education Institutions Increasing Cloud Use In Next 5 Years

Higher Education Institutions Increasing Cloud Use In Next 5 Years

Cloud Computing Advancing Edtech In a new research study by ResearchMoz it’s predicted that the global cloud computing market in higher education will grow steadily at a CAGR of 24.57% over the period 2016 to 2020. Making use of computing resources connected by either public or private networks provides the benefits of scalable infrastructure, greater…

Big Data and AI Hold Greatest Promise For Healthcare Technologies

Big Data and AI Hold Greatest Promise For Healthcare Technologies

Digital Healthcare Executives and Investors Addressed Opportunities and Challenges Facing the Industry New York City – September 21, 2016 – According to a survey of 122 founders, executives and investors in health-tech companies released today by Silicon Valley Bank, big data and artificial intelligence will have the greatest impact on the industry in the year ahead. Healthcare…

Three Tips To Simplify Governance, Risk and Compliance

Three Tips To Simplify Governance, Risk and Compliance

Governance, Risk and Compliance Businesses are under pressure to deliver against a backdrop of evolving regulations and security threats. In the face of such challenges they strive to perform better, be leaner, cut costs and be more efficient. Effective governance, risk and compliance (GRC) can help preserve the business’ corporate integrity and protect the brand,…

The Rise Of BI Data And How To Use It Effectively

The Rise Of BI Data And How To Use It Effectively

The Rise of BI Data Every few years, a new concept or technological development is introduced that drastically improves the business world as a whole. In 1983, the first commercially handheld mobile phone debuted and provided workers with an unprecedented amount of availability, leading to more productivity and profits. More recently, the Cloud has taken…

Maintaining Network Performance And Security In Hybrid Cloud Environments

Maintaining Network Performance And Security In Hybrid Cloud Environments

Hybrid Cloud Environments After several years of steady cloud adoption in the enterprise, an interesting trend has emerged: More companies are retaining their existing, on-premise IT infrastructures while also embracing the latest cloud technologies. In fact, IDC predicts markets for such hybrid cloud environments will grow from the over $25 billion global market we saw…

The Fully Aware, Hybrid-Cloud Approach

The Fully Aware, Hybrid-Cloud Approach

Hybrid-Cloud Approach For over 20 years, organizations have been attempting to secure their networks and protect their data. However, have any of their efforts really improved security? Today we hear journalists and industry experts talk about the erosion of the perimeter. Some say it’s squishy, others say it’s spongy, and yet another claims it crunchy.…

Achieving Network Security In The IoT

Achieving Network Security In The IoT

Security In The IoT The network security market is experiencing a pressing and transformative change, especially around access control and orchestration. Although it has been mature for decades, the network security market had to transform rapidly with the advent of the BYOD trend and emergence of the cloud, which swept enterprises a few years ago.…

7 Common Cloud Security Missteps

7 Common Cloud Security Missteps

Cloud Security Missteps Cloud computing remains shrouded in mystery for the average American. The most common sentiment is, “It’s not secure.” Few realize how many cloud applications they access every day: Facebook, Gmail, Uber, Evernote, Venmo, and the list goes on and on… People flock to cloud services for convenient solutions to everyday tasks. They…

Moving Your Enterprise Apps To The Cloud Is A Business Decision

Moving Your Enterprise Apps To The Cloud Is A Business Decision

Moving Your Enterprise Apps Whether it be enterprise apps or any other, if there is any heavy data that is going to be transacted in and through an app, then affiliating it with the Cloud becomes a must. And then an important question arises: How do you decide when to integrate your enterprise app with…

5 Reasons Why Your Startup Will Grow Faster In The Cloud

5 Reasons Why Your Startup Will Grow Faster In The Cloud

Cloud Startup Fast-tracking Start-ups face many challenges, the biggest of which is usually managing growth. A start-up that does not grow is at constant risk of failure, whereas a new business that grows faster than expected may be hindered by operational constraints, such as a lack of staff, workspace and networks. It is an unfortunate…

5 Predictions For Education Technology

5 Predictions For Education Technology

Education Technology Although technology has fast influenced most sectors of our world, education is an area that’s lagged behind. Many classrooms still employ the one-to-many lecturing model wherein the average student is catered for while a few are left behind, and others bored. Recently, there’s been a drive to uncover how to use technology successfully…

Cloud Computing Is Greener Than You Think

Cloud Computing Is Greener Than You Think

Cloud Computing Is Greener Than You Think Last week we touched upon how a project in Finland had blended two of the world’s most important industries, cloud computing and green technology, to produce a data centre that used nearby sea water to both cool their servers and heat local homes.  Despite such positive environmental projects, there…

Cloud Infographic – Guide To Small Business Cloud Computing

Cloud Infographic – Guide To Small Business Cloud Computing

Small Business Cloud Computing Trepidation is inherently attached to anything that involves change and especially if it involves new technologies. SMBs are incredibly vulnerable to this fear and rightfully so. The wrong security breach can incapacitate a small startup for good whereas larger enterprises can reboot their operations due to the financial stability of shareholders. Gordon Tan contributed an…