Overview of PCI Compliance & Certification for Cloud Computing and SaaS Vendors

PCI compliance & certification for cloud computing and Software as a Service (SaaS) vendors is becoming a notable topic in regulatory compliance as numerous technology companies are now heavily involved in the storage and transmission of cardholder data. While they may not be technically “processing” cardholder data, the very notion of storing and transmitting such sensitive information puts cloud computing and SaaS vendors clearly in the crosshairs for PCI DSS compliance. Take note of the following checklist and best practices regarding compliance with the Payment Card Industry Data Security Standards (PCI DSS) for cloud computing & SaaS vendors, provided by pcipolicyportal.com:

Assessing Scope and Understanding Your Requirements are Critical.

The vast majority of cloud computing and Software as a Service (SaaS) vendors are essentially offering client-facing, web-based services, ranging from multi-tenancy, an architecture in which a single instance of a software application serves multiple customers, to multi-instance architectures, where separate software instances operate on behalf of different tenants. Because of the complexities involved in these environments, assessing scope – and ultimately, PCI DSS compliance responsibilities – can become subjective, to say the least. Thus, analyzing each of the twelve (12) PCI DSS mandates is what’s needed to ultimately ensure the Payment Card Industry Data Security Standards are being met as required for cloud computing and SaaS vendors.

But even before that, it’s important to understand the various types of cloud offerings (i.e., deployment models), along with the respective service models, as this ultimately will determine scope and which of the twelve (12) PCI DSS requirements are applicable to a cloud computing/SaaS vendor (herein collectively referred to as a Cloud Service Provider – CSP).

As for deployment models, the National Institute of Standards and Technology (NIST) provides the following information:

Private cloud – A cloud platform operating solely for a single entity/client. The platform itself may be managed by the single entity/client itself or by an actual third-party service provider, and it may be either an on-premise or an off-premise deployment. The key is “private” in that it’s dedicated to one single organization, with no “sharing” of cloud resources.

Community cloud – A cloud platform that’s essentially shared by several entities, supporting a specific community with shared requirements or needs (for example, business model, security requirements, policy, or compliance considerations). The platform itself may be managed by the single entity/client itself or by an actual third-party service provider, and it may be either an on-premise or an off-premise deployment.

Public cloud – The cloud platform that’s generally available for use by the general public and/or some type of industry group. More specifically, a public cloud is a multi-tenant environment, whereby services in the cloud computing environment are shared with a number of other clients or tenants.

Hybrid cloud – This particular cloud platform generally consists of a combination of two or more respective cloud platforms effectively bound together by technology for enabling delivery of services. According to the PCI DSS Guidelines publication on cloud computing, “Hybrid clouds are commonly used for redundancy or load-balancing purposes”.

So those are the different types of cloud models – but what about the service models – the delivery format for each of the cloud models? Again, with cloud technology still an evolving concept, one can at least define service delivery in the following manner:

Software as a Service (SaaS): Currently the largest – and most recognizable form of cloud computing – is Software as a Service, simply known as SaaS. Characteristics of SaaS cloud computing include the following:

  • SaaS uses the web to deliver applications that are managed by a third-party vendor and whose interface is accessed on the clients’ side.
  • Most SaaS applications can be run directly from a web browser without any downloads or installations required, although some require plugins for optimal performance.
  • SaaS provides the ability for clients to use the provider’s applications running on a cloud infrastructure. Thus, the applications are accessible from various client devices through either a thin client interface, such as a web browser, or a program interface.
  • With SaaS, it’s quite easy for enterprises to streamline their maintenance and support, because everything can be managed by vendors, such as the operating systems, applications, runtime, data, middleware, virtualization, servers, storage, networking, etc.

Additionally, other characteristics of SaaS are that software is managed from a central location and delivered in a “one to many” model, with users not required to handle software upgrades and patches to the SaaS platform itself. Examples of SaaS models include Google Apps, Salesforce, Workday, Concur, Citrix GoToMeeting, Cisco WebEx, and many others.

Platform as a Service (PaaS): Though the lines are blurring between PaaS, IaaS, and SaaS, the actual PaaS offering is looked upon as a platform for clients to deploy their applications (created or acquired) onto an actual cloud infrastructure, using programming languages, libraries, services, and tools, etc. that are supported by the cloud provider. Specifically, what developers gain with a PaaS framework is the ability to build upon, develop or customize applications, making development, testing, and deployment of applications quick, simple, and easy – all things considered.

PaaS allows applications to be developed effectively using software components that are built into the PaaS platform itself. Applications using PaaS therefore inherit cloud characteristics such as scalability and high availability, while reducing the amount of development – specifically, coding – that is necessary. Simply stated, PaaS allows users to effectively create software applications using tools supplied by the provider.

With a PaaS platform, one can expect to have the following service offerings available:

  • Operating system
  • Server-side scripting environment
  • Database management system
  • Server Software
  • Tools for design and development
  • Support
  • Storage
  • Network access
  • Hosting

Examples of PaaS models include salesforce.com, along with Amazon’s AWS and Microsoft’s Azure platforms.

Infrastructure as a Service (IaaS): IaaS allows a user to spin up a virtual machine in no time, with that machine often being nothing more than a bare-bones platform running just an operating system, or one with a preconfigured system or software stack. Therefore, the user is ultimately responsible for managing the resources on that machine. For example, disk utilization and CPU capacity usage issues are left to the user to monitor and administer. It also means that you’ll be spending time evaluating, assessing, and implementing various tools and plugins to help ensure the safety and security of your IaaS platform. From anti-virus needs to File Integrity Monitoring (FIM) – and more – IaaS platforms can require a tremendous amount of work, so keep this in mind.

The most popular public IaaS provider is Amazon, with EC2 (Elastic Compute Cloud). Other competitors include Google Compute Engine, RackSpace, DigitalOcean, Azure, and Linode.

While many businesses may well find SaaS and PaaS platforms agreeable, due to the resource savings and reduced responsibilities for administering the cloud infrastructure, they also need to know that there’s a greater loss of control over the environment housing their sensitive data. It means that businesses will need to conduct their own due diligence to ensure that compliance mandates on such vendors – specifically that of PCI DSS – are being met, and maintained. For simplicity and an ounce of clarity, just remember that SaaS models decrease the degree of PCI DSS compliance responsibility for businesses using such services, while IaaS platforms increase it. The more you rely on a cloud provider for a platform – and its underlying functioning – the less you need to worry about PCI compliance – generally speaking, that is.

Documentation is key to the success of PCI compliance.

That’s right, and when we say “documentation”, we’re talking about putting in place comprehensive information security policies and procedures, but also various processes and initiatives that require documentation of their own. PCI DSS compliance – much like any of today’s growing compliance edicts – demands granular and in-depth policies and procedures for ensuring compliance – it’s just the world we live in today. Take note of the following areas of documentation regarding PCI compliance for cloud computing and Software as a Service (SaaS) vendors:

Information Security Policies and Procedures: It’s probably fair to say that almost everyone in the world of regulatory compliance is aware of the need for information security policies and procedures – the essential documents that form the basis of any company’s daily I.T. environment. But remember that policies are just that – nothing more than written words – if not enacted upon and followed, and that’s the “procedures” aspect of them. You don’t want your documentation becoming “shelfware” – a term that essentially means policies have been developed, and then never looked at again or even followed – that’s not a healthy practice. pcipolicyportal.com offers industry leading PCI policies for instant download today.

Risk Assessment Materials: A large part of PCI compliance for cloud computing and Software as a Service (SaaS) vendors is much more than policies – it’s about taking action and implementing initiatives – such is the case with assessing organizational risk for cloud computing providers. Specifically, PCI compliance mandates that an annual risk assessment be performed for assessing risks, threats, and other issues from an enterprise-wide perspective, which includes the cardholder data environment. pcipolicyportal.com offers an in-depth and easy-to-use risk assessment program allowing for effective documentation of all critical and essential risk categories within an organization, and it’s available for instant download today! We hope you enjoyed our overview on PCI compliance for cloud computing and Software as a Service (SaaS) vendors.