Last Thursday, the Payment Card Industry Security Standards Council released version 3.0 of the PCI DSS standard (along with the accompany Payment Application Data Security Standard). There are a couple of key focus points that will directly affect Cloud Service Providers – and it makes sense to start thinking about these – even if some of these rules are not required for existing implementations until January 2015, and for a few, not until June of 2015.
One of these focus points is more explicit definitions around the shared responsibility of service providers who provide PCI DSS compliant environments and services to customers. Others of interest of CSPs include specific enhancements around penetration testing, education and awareness as well as specific clarifications around use of encryption and cryptographic keys.
The most important change for CSPs is the requirement for written agreement (or acknowledgement) by the CSP to their customers of their explicit responsibilities for supporting the standard. In PCI DSS 2.0 there were already requirements for service providers, but this change will require that they develop specific, contract level documentation of their commitments. This is designed to prevent the expensive finger pointing exercise many organizations encountered on entering the compliance process for something as simple as a Disaster Recovery or Backup site (and failing), when an audit took place and expected portions of the standard are not met, or in investigations following a data breach situation.
The new version of the standard will also require CSPs to take a look at the rest of their compliance offering related infrastructure and process. One especially to watch – the requirement for pen testing. The cardholder data environment has to be explicitly tested quarterly by an approved scanning vendor to verify that it is properly separated from other network environments. It will be especially important for CSPs to work this requirement into their process and infrastructure set, or to require that the customer perform the test while they make sure that the environment matches requirements.
One good thing about these first two changes – they do not need to be explicitly met until June of 2015. But CSPs who have a business in these areas should develop plans well ahead of time to meet these requirements. Those who succeed sooner will definitely have an edge in the market.
There are also a host of smaller changes and clarifications important to CSPs that that will need to be reviewed and acted upon. These include:
- Increased education and awareness for personnel involved in managing the infrastructure and applications for the payment chain
- Specific clarifications around the use of encryption and cryptographic keys
- Account access procedures that limit CSP access to card payment infrastructure
- More detailed guidance about allowed password use
- A more focused description of the limits of privileged and standard user access controls
- Remote access guidelines for CSPs that may also have remote access to their customer’s payment card data environments
- New physical access requirements for onsite personnel
- Increased visibility into the creation of new accounts and escalation of privileges by users with root and administrative access
Whatever your Cloud service offering, getting ahead of these new requirements will allow you to both distinguish your offering from competition and to give these critical customers a degree of comfort with your services that should allow you to drive new business, and expand your opportunities with existing customers.