PCI Council Offers Clarity On Cloud, Mobile Issues

Published: 22/11/2024   Category: security




Two new documents released by the council offer guidance on merchant responsibility for cardholder data stored in the cloud, as well as data processed through mobile point-of-sale devices



The PCI Council recently provided merchants with more detailed guidance on two topics that most commonly confuse merchants trying to protect cardholder data and comply with the PCI Data Security Standard: cloud storage and mobile payments. Led by merchants, banks, and payment processors participating in the council's community-driven special interest groups, the effort to clear up some of the confusion came to fruition with the publication of two separate documents this month.
The first, PCI DSS Cloud Computing Guidelines Information Supplement (PDF), offers a comprehensive breakdown of merchant and cloud service provider responsibilities for maintaining PCI compliance under a myriad of public and private cloud service models. The second, PCI Mobile Payment Acceptance Security Guidelines for Merchants as End-Users (PDF), provides early advice to merchants on securing cardholder data on mobile devices when using currently unregulated and nonstandardized mobile payment technology, such as Square.
Cloud Guidance
The cloud information supplement builds on earlier guidance released last year detailing security recommendations for virtualized environments, says Bob Russo, general manager of the PCI Security Standards Council, who reports that more than 100 representatives from merchants, banks, and payment processing vendors collaborated on the latest document. Goal No. 1 was to bust myths some merchants had about their responsibilities as custodians of cardholder data when sending that data out to a public cloud service provider (CSP), even when those providers claim PCI compliance.
"The biggest misconception is if I pass all of this stuff out to a cloud environment and someone else processes it all for me, I'm done and I don't have any responsibility," he says. "We're making sure that you as the owner of that data understand what your responsibilities are and what the CSP's responsibilities are because they're not all created alike."
Many QSAs read the document as confirmation of their existing preference for private cloud arrangements for cardholder data storage, given the opacity of infrastructure and operations at many cloud service providers.
"Some people might say the document was really biased toward private cloud -- of course it was. Why would you expect any different?" says Walter Conway, a QSA for 403 Labs. "I've always taken it as a given that, practically speaking, the only way you wanted to go into the cloud with cardholder data is with a private cloud or virtual private cloud because you need that control to make your life easier. But to the council's credit, they then said, 'If you're not going to go private, here's the stuff you need to do.'"
According to Chris Bucolo, senior manager of security consulting for ControlScan, this kind of detailed divvying of responsibilities was badly needed.
"When we're talking to clients about PCI, and security in general, we get into lots of conversations about cloud computing in the marketplace," he says. "There has been lots of confusion. There's a matrix in the document that shows, by the type of service, whether PaaS, IaaS, or whatever, who maintains control, if it is shared, and then shows you by PCI requirements how [responsibility] typically pans out."
Mobile Payment Guidance
Closely following on the heels of the release of the cloud document, the council's publication of its mobile payment information supplement was similarly driven by a special interest group community effort. The goal was to offer merchants some bottom-floor, bare-minimum security practices to put in place around point-of-sale technology residing on mobile devices, Russo says.
"People are putting out all kinds of really good mobile payment solutions. We certainly don't want to stifle that, but we want to make sure the merchant knows that there are risks involved with using them," Russo says. "Who among us hasn't left a mobile device in a cab at some point? And if I'm using this as an acceptance device and it's storing data in it, what happens if I do leave it in a cab?"
The supplement is a stopgap measure as the PCI Council and standards bodies like NIST work to develop security standards for mobile payment acceptance dongles and applications.
"The council is working very hard to figure out what the next steps are, but at the very least this document says, 'Make sure that whatever it is that you use is encrypting that cardholder data before it gets into the device.' Now, is that going to make you secure? Probably not 100 percent. But encrypt to protect yourself until there is a standard out there."
While the document offers solid advice on what is still an emerging technology, some PCI compliance experts wonder whether the right people will ever read it, considering that the bulk of mobile payment acceptance use is among mom-and-pop merchants who may not be as educated in PCI concerns.
"I don't know that the farmers market merchants, plumbers, and roofers who actually use these things would have a clue to read this," Conway says.
Nevertheless, it puts merchants on notice that the power of the processing technology, coupled with the capabilities of smartphones and tablets, has essentially given them a loaded gun with respect to cardholder data, Bucolo says.