A new guidance document from the PCI SSC provides useful information about the use of Cloud Service Providers (CSPs) and how this may affect PCI compliance.
Although cloud computing feels like a new thing, the issues about responsibility for cardholder data are certainly not new. Related issues, such as nebulous (pun intended) statements about PCI compliance from a CSP need to be qualified, and mutual responsibilities clearly established.
Actually, this new document echoes some guidance that we’ve been publishing for a while now. Have a look at PCI Compliance Claims: 3 Questions You Must Ask, for example. More recently, we published a 10-minute video entitled Penetration Testing & The Cloud, which is an ideal management introduction to the subject, even if PCI DSS isn’t on your radar.
The SSC document is available here.
Here’s our short video (less than 10 minutes), ideal for project managers who need to know more about how penetration testing can be used to effectively gauge the security of outsourced cloud environments.
Find out more about our penetration testing services.
As a standard that pays a lot of attention to practical activities, the PCI DSS mandates a range of testing activities. We frequently see confusion about what needs to be tested, how and when. At the end of this post is a link to our short guide to all PCI DSS testing requirements.
Some key messages for you:
- Each testing requirement is distinct (i.e. conducting one type of test does not necessarily satisfy another test requirement)
- Watch out for the scope – most tests must be conducted internally and externally
- Tests must be carried out according to the frequency specified in the DSS, and after significant change to the card data environment
- Quarterly ASV scans must be carried out by an ASV company
- Expect your QSA to require evidence that each applicable test has been conducted, plus evidence that significant findings have been addressed
Yes, there’s a lot of testing – but bear in mind that these tests provide you with vital assurance that your PCI controls are functioning correctly and that your organisation is not exposed to high-risk vulnerabilities. If there’s something wrong, you need to know sooner rather than later.
Download our free guide covering the PCI DSS Security Testing Requirements