SchellmanCON is back! Join us for our virtual conference on March 6 & 7, 2025

Contact Us
Services
Services
Crypto and Digital Trust
Crypto and Digital Trust
Schellman Training
Schellman Training
Sustainability Services
Sustainability Services
AI Services
AI Services
About Us
About Us
Leadership Team
Leadership Team
Corporate Social Responsibility
Corporate Social Responsibility
Careers
Careers
Strategic Partnerships
Strategic Partnerships

PCI Cloud Compliance Technical Considerations Part 1

Cloud Computing | Payment Card Assessments

By Eric Sampson and Doug Barbin

The writing is on the wall. For many businesses, cloud providers are becoming a key component of IT and business strategies, service delivery capability and scalability, innovation, and delivering new service models and solutions to market. For merchants and service providers that store, process, or transmit cardholder data, the PCI DSS provides the requirements necessary to ensure a secure and compliant cardholder data environment. Until recently, guidance was limited to the interpretation of existing PCI standards, which never fully accounted for today’s evolving cloud computing models. The release of the PCI DSS Cloud Computing Guidelines (“cloud supplement”), attempts to align core PCI goals with a better understanding of cloud provider and cloud customer (“tenant”) responsibilities to maintain a compliant cloud-hosted cardholder data. Schellman had the privilege of participating in this group. The document is, by default, supplementary and as with all PCI supplements does not supersede, replace, or extend the PCI DSS requirements. In fact, the cloud supplement states they are provided especially to “[present] recommendations for starting discussions about cloud services” in giving cloud providers and tenants a point of discussion for approaching their individual roles and responsibilities in meeting the PCI DSS requirements.” In the cloud supplement, the SSC describes the following important areas, to name a few, for understanding provider and client relationships:

  • Cloud provider deployment and service models
  • How roles and responsibilities may differ among tenants and cloud provider environments including segmentation and scoping considerations
  • PCI DSS compliance challenges
  • Contractual needs
  • Technical security considerations

 

Understanding the Models

Generally speaking, cloud provider service delivery models can be categorized into one or more of the following three areas: Software as a Service (SaaS), Platform as a Service (PaaS), and Infrastructure as a Service (IaaS). Cloud provider responsibilities over security and operational controls and meeting PCI DSS requirements tend to increase from an IaaS model (most client responsibility) to a SaaS model (least client responsibility). In addition, cloud providers can deploy hosted environments differently. Tenants need to understand the cloud deployment model being utilized or proposed for their cloud hosted environment. Cloud deployment models include private, community, public, and hybrid cloud (a combination of private, community, and/or public). Tenents need to understand the level of oversight or visibility they will have into the security functions that are outside their control. If these security responsibilities are not properly assigned, communicated, and understood, insecure configurations or vulnerabilities could go unnoticed and unaddressed, resulting in potential exploit and data loss or other compromise. Cloud providers can help their tenants understand how the service models being offered affect their tenants in terms of roles and responsibilities.

 

Written agreements

Once cloud provider and tenants roles and responsibilities for operation, management, and reporting are understood for each requirement, a formal agreement with clear policies and procedures should be defined. Contractual agreements are especially critical where control responsibility is outsourced to ensure the required security measures are being met and maintained by the cloud provider for the duration of the agreement.

 

Mind the Gap

Be mindful of when a CSP claims “PCI compliance” for their cloud environment. It is not uncommon for a provider to sell data center, managed, and cloud services only to have the PCI ROC/AOC cover the data center component. This is why it is critical that a tenant and their QSA be able to understand the scope of what was and was not covered to be able to determine if additional procedures are required. It is also important to note that many of the above issues apply equally in the world of SOC 1, SOC 2, ISO 27001 certification, and FedRAMP.

In the next article we will discuss some of the technical considerations presented within the supplement.

Eric Sampson is a QSA at Schellman who leads assessments for some of the largest SaaS providers in the US. Doug Barbin is a Principal at Schellman and the firm wide practice leader for PCI.

About Douglas Barbin

As President and National Managing Principal, Doug Barbin is responsible for the strategy, development, growth, and delivery of Schellman’s global services portfolio. Since joining in 2009, his primary focus has been to expand the strong foundation in IT audit and assurance to make Schellman a market leading diversified cybersecurity and compliance services provider. He has developed many of Schellman's service offerings, served global clients, and now focuses on leading and supporting the service delivery professionals, practice leaders, and the business development teams. Doug brings more than 25 years’ experience in technology focused services having served as technology product management executive, mortgage firm CTO/COO, and fraud and computer forensic investigations leader. Doug holds dual-bachelor's degrees in Accounting and Administration of Justice from Penn State as well as an MBA from Pepperdine. He has also taken post graduate courses on Artificial Intelligence from MIT and maintains multiple CPA licenses and in addition to most of the major industry certifications including several he helped create.