What PCI DSS 3.0 Means For Cloud Service Providers

What PCI DSS 3.0 Means For Cloud Service Providers

What PCI DSS 3.0 Means For Cloud Service Providers

The only constant is change. Earlier this month, the Payment Card Industry Security Standards Council released version 3.0 of the PCI DSS standard (along with the accompany Payment Application Data Security Standard).  In it are a few key focus areas that will directly affect Cloud Service Providers (CSPs), which is why it makes good business sense to start thinking about version 3.0 right now. While some of the rules aren’t required for existing implementations until 2015, smart CSPs understand that customers will certainly be asking about the changes in 2014.

The most important change for CSPs in PCI DSS 3.0 is that they are required to provide a written agreement (or acknowledgement) to their customers of their explicit responsibilities for supporting the standard. PCI DSS 2.0 had some requirements for service providers, but 3.0 will require that CSPs develop specific, contract-level documentation of their commitments. The idea here is to eliminate the expensive finger-pointing exercise many organizations go through when something as simple as a disaster recovery or backup site, or when an audit finds expected portions of the standard are not met, or in the investigations following a data breach.

Another important change in 3.0 is the need for explicit definitions around the shared responsibility of service providers who provide PCI DSS-compliant environments and services to their customers. There will be no getting off the hook anymore.

This version of the PCI standard will also cause CSPs to take a look at the rest of their compliance offering-related infrastructure and processes — and sooner is better than later.  Here’s one change to watch for: the pen test requirement.  With version 3.0, the cardholder data environment has to be explicitly tested quarterly by an approved scanning vendor to verify that it is properly separated from other network environments.  It is critical that CSPs either work this requirement into their process and infrastructure set to make sure that the environment matches the new data security requirements.

There are also a host of smaller changes and clarifications that will be important to CSPs and thus deserve at least a mention here.  They include:

  • Increased education and awareness for personnel involved in managing the infrastructure and applications for the payment chain;
  • Specific clarifications around the use of encryption and cryptographic keys;
  • Account access procedures that limit CSP access to card payment infrastructure;
  • More detailed guidance about allowed password use;
  • More focused description of the limits of privileged and standard user access controls;
  • New access guidelines for CSPs that have remote access to their customers’ payment card data environments; and
  • New physical access requirements for onsite personnel
  • Increased visibility into the creation of new accounts and escalation of privileges by users with root and administrative access

As I said before, these changes do not need to be implemented until 2015, but affected CSPs should develop plans well ahead of time to ensure they can meet the new requirements. Doing so will give them a clear first-mover advantage in an increasingly security-focused market.

So, whatever your Cloud service offerings, getting ahead of the new PCI DSS requirements will enable you to both differentiate your offerings from the competition and give your customers greater comfort on the cloud security front. Don’t drag your heels addressing the additional requirements; instead, embrace the new PCI DSS standard in ways that will drive new business and also expand opportunities with your existing customers.

c-j-radford

By C.J Radford,

C.J. Radford joined Vormetric in March 2013 as vice president of cloud, a newly created leadership position that is tasked with leading the company’s cloud strategy and growth via strategic partnerships with cloud service providers (CSPs). He came to Vormetric from Symantec Corporation, where he spent more than five years driving business development and new strategic growth initiatives within the rapidly evolving CSP market. He holds a bachelor’s degree in business administration from the University of Oregon and an MBA from the University of California, Berkeley.

About CloudTweaks

Established in 2009, CloudTweaks is recognized as one of the leading authorities in connected technology information and services.

We embrace and instill thought leadership insights, relevant and timely news related stories, unbiased benchmark reporting as well as offer green/cleantech learning and consultive services around the world.

Our vision is to create awareness and to help find innovative ways to connect our planet in a positive eco-friendly manner.

In the meantime, you may connect with CloudTweaks by following and sharing our resources.

View All Articles

One Response to What PCI DSS 3.0 Means For Cloud Service Providers

Comic
Investing In The Future With The Introduction of Sage Cloud

Investing In The Future With The Introduction of Sage Cloud

CHICAGO, IL–(Marketwired – Jul 26, 2016) – Sage, a market leader in cloud accounting software, announced today at Sage Summit 2016 its strong commitment to future technologies, with a focus on new and existing partnerships that power business growth. Revealed during CEO Stephen Kelly’s keynote address, which opened the world’s largest gathering of entrepreneurs and…

2016 Tour de France: Racing With Big Data

2016 Tour de France: Racing With Big Data

2016 Tour de France The 2016 Tour de France has just concluded, with Chris Froome (SKY) taking his third overall win. Not the kind of event we often focus on here at CloudTweaks, but Dimension Data has put its analytics technology to use tracking the journeys of each rider across all 21 stages, and their…

Ransomware: A Digital Pandemic – Is There A Cure?

Ransomware: A Digital Pandemic – Is There A Cure?

The Rise Of Ransomware You can imagine the scene: you’ve just completed that business plan and a set of accounts. Finally, it’s done and saved, ready for a final read through and to be sent out to your contact list. And right when you’re ready to click “Send”, the next thing you see on the…

Martech In A Content Crazed World

Martech In A Content Crazed World

Content Crazed World Everywhere you look there are pop-up ads and offers, at times it can feel like overload. What used to be a few online ads on websites has now grown into a wild world of offers that consume your every device. These advancements in marketing technology can not only be overwhelming to the…

Hubgets – Advanced Collaboration, Enriched Communication

Hubgets – Advanced Collaboration, Enriched Communication

Advanced Collaboration Tool Sponsored series provided in collaboration with Hubgets Collaboration tools have advanced leaps and bounds with the advent of cloud technology, and the services available are only getting better. Promising features such as sophisticated group communication, productive management of tasks and meetings, and the ultimate dream, working remotely from some gorgeous island destination, innovative collaboration…

Despite Record Breaches, Secure Third Party Access Still Not An IT Priority

Despite Record Breaches, Secure Third Party Access Still Not An IT Priority

Secure Third Party Access Still Not An IT Priority Research has revealed that third parties cause 63 percent of all data breaches. From HVAC contractors, to IT consultants, to supply chain analysts and beyond, the threats posed by third parties are real and growing. Deloitte, in its Global Survey 2016 of third party risk, reported…

The Cancer Moonshot: Collaboration Is Key

The Cancer Moonshot: Collaboration Is Key

Cancer Moonshot In his final State of the Union address in January 2016, President Obama announced a new American “moonshot” effort: finding a cure for cancer. The term “moonshot” comes from one of America’s greatest achievements, the moon landing. If the scientific community can achieve that kind of feat, then surely it can rally around…

Maintaining Network Performance And Security In Hybrid Cloud Environments

Maintaining Network Performance And Security In Hybrid Cloud Environments

Hybrid Cloud Environments After several years of steady cloud adoption in the enterprise, an interesting trend has emerged: More companies are retaining their existing, on-premise IT infrastructures while also embracing the latest cloud technologies. In fact, IDC predicts markets for such hybrid cloud environments will grow from the over $25 billion global market we saw…

How You Can Improve Customer Experience With Fast Data Analytics

How You Can Improve Customer Experience With Fast Data Analytics

Fast Data Analytics In today’s constantly connected world, customers expect more than ever before from the companies they do business with. With the emergence of big data, businesses have been able to better meet and exceed customer expectations thanks to analytics and data science. However, the role of data in your business’ success doesn’t end…

Four Keys For Telecoms Competing In A Digital World

Four Keys For Telecoms Competing In A Digital World

Competing in a Digital World Telecoms, otherwise largely known as Communications Service Providers (CSPs), have traditionally made the lion’s share of their revenue from providing pipes and infrastructure. Now CSPs face increased competition, not so much from each other, but with digital service providers (DSPs) like Netflix, Google, Amazon, Facebook, and Apple, all of whom…

Why Small Businesses Need A Business Intelligence Dashboard

Why Small Businesses Need A Business Intelligence Dashboard

The Business Intelligence Dashboard As a small business owner you would certainly know the importance of collecting and analyzing data pertaining to your business and transactions. Business Intelligence dashboards allow not only experts but you also to access information generated by analysis of data through a convenient display. Anyone in the company can have access…

Cloud Infographic – Big Data Predictions By 2023

Cloud Infographic – Big Data Predictions By 2023

Big Data Predictions By 2023 Everything we do online from social networking to e-commerce purchases, chatting, and even simple browsing yields tons of data that certain organizations collect and poll together with other partner organizations. The results are massive volumes of data, hence the name “Big Data”. This includes personal and behavioral profiles that are stored, managed, and…

Four Reasons Why CIOs Must Transform IT Into ITaaS To Survive

Four Reasons Why CIOs Must Transform IT Into ITaaS To Survive

CIOs Must Transform IT The emergence of the Cloud and its three delivery models of Infrastructure as a Service (IaaS), Software as a Service (SaaS) and Platform as a Service (PaaS) has dramatically impacted and forever changed the delivery of IT services. Cloud services have pierced the veil of IT by challenging traditional method’s dominance…

The Big Data Movement Gets Bigger

The Big Data Movement Gets Bigger

The Big Data Movement In recent years, Big Data and Cloud relations have been growing steadily. And while there have been many questions raised around how best to use the information being gathered, there is no question that there is a real future between the two. The growing importance of Big Data Scientists and the…

Cloud Infographic – Disaster Recovery

Cloud Infographic – Disaster Recovery

Disaster Recovery Business downtime can be detrimental without a proper disaster recovery plan in place. Only 6% of businesses that experience downtime without a plan will survive long term. Less than half of all businesses that experience a disaster are likely to reopen their doors. There are many causes of data loss and downtime —…

How Data Science And Machine Learning Is Enabling Cloud Threat Protection

How Data Science And Machine Learning Is Enabling Cloud Threat Protection

Data Science and Machine Learning Security breaches have been consistently rising in the past few years. Just In 2015, companies detected 38 percent more security breaches than in the previous year, according to PwC’s Global State of Information Security Survey 2016. Those breaches are a major expense — an average of $3.79 million per company,…