Matching Labels Do Not Mean Matching Results
As already mentioned, PCI compliance testing is not uniform, and therefore PCI compliant labels are not uniform in meaning either. The label can actually refer to a variety of very different things.
"This makes some cloud implementations very hard to both compare and to measure," says Dahn.
The same confusing methodology applies to PCI compliance testing of cloud services.
"This means that I could hire a PCI QSA to assess my 'IaaS cloud' with just a base operating system with no security services provided. Although the customer can enable security services, such is not part of the test," says Dahn. "The cloud provider could get listed as a PCI compliant service provider 'based on the service being offered/assessed.'"
"Another IaaS cloud provider could submit the same [base operating system] plus file-integrity monitoring installed to be tested," says Dahn. "It, too, would get assessed and listed alongside the first [provider] 'based on the service being offered/assessed.'"
Obviously, the two vendors in this scenario are not equal, and neither are their claims of PCI compliance, even though both are technically compliant. Ultimately, this disparity means you cannot easily compare PCI compliance claims across two or more cloud providers.
The quickest way to get to the bottom of this problem is to ask cloud providers to precisely itemize what "service being offered/assessed" passed the PCI compliance testing. Make sure you understand the answer fully and ask more questions as needed until you do.
"I advise individuals to create a list of all PCI DSS requirements, and then ask the service provider to mark which applies under one of three columns," says Dahn.
Those three columns are:
- Service-provider managed
- Client/customer managed
Bottom line: The claim of PCI compliance alone doesn't tell you much. Get the details on which portion(s) of the vendor's offering were actually tested and deemed compliant. Make sure you understand the answers and what they mean for what else you must do to be fully PCI compliant.
"It is the business owner who accepts the risks and signs off on PCI acknowledgement, not the cloud provider," warns Malone. "So whether you choose cloud or traditional [PCI compliance], you must know all the risks."
Top 3 Signs Your Cloud Provider Doesn't Understand PCI
Sometimes cloud providers don't understand what PCI compliance really means, or what it means for the customer beyond the provider's own responsibilities. Below are common warning flags that a cloud provider isn't up to speed on what true PCI compliance means.
If you see any of these top three signs in particular, dig deeper for the facts on what is actually being provided, and what else you'll need to do outside of that vendor relationship, before you sign up with that vendor.
1. The provider claims it can do everything for you.
"If your provider says they have a 100 percent PCI-DSS compliant solution where they do everything and you do nothing, odds are that they cannot deliver on that promise," says Brian Raboin, vice president of Operations at Hosting.com.
2. The vendor claims it can virtualize your current physical PCI platform, move it to the cloud and remain PCI compliant.
"To that point, PCI has PCI DSS Virtualization Guidelines that need to be followed," says Raboin. "It isn't as easy as 'move to the cloud.'" Check those guidelines closely and make sure you're meeting them all.
3. Your provider says if you are PCI certified, you are secure.
"PCI-DSS is a standard for security, not actual real-life security," explains Raboin. "A true security provider offers security services that make sure you are secure and protected first; and in the event of breach, you are alerted, you know the vector of breach, and you can recover. PCI DSS certification is a by-product of that, not the goal. Providers that think that PCI DSS compliance is the goal are studying to pass the test, not actually protecting their customers."