By Daniel Beazer, Director of Strategy at FireHost Inc.
The large amount of marketing hot air generated by the hosting and cloud industry around PCI DSS came up for debate at the recent Cloud Industry Forum’s ‘Curry in the Cloud’ event. Michael Queenan of Nephos Technologies singled out hosting companies that claim to be compliant with the payment card standard when they are only riding off the back of a certification held by their carrier-neutral data centre.
It’s not just internet industry insiders who are alarmed by the unfounded claims made by hosting and cloud providers. Neira Jones, the widely respected Head of Payment Security at Barclaycard, spoke at the last Merchant Risk Forum about the number of companies exhibiting at Internet World that claimed to be PCI compliant but, on closer examination, turned out to be anything but.
But without the expertise of a Qualified Security Assessor (QSA) or a Neira Jones, how is an online retailer, charity or other organisation taking credit card payments to tell whether a ‘PCI compliant’ badge on a site is a marketing tool or the mark of a useful service? It’s easy to see why hosting and cloud providers want to leap on the PCI DSS bandwagon: web sites with an e-commerce function generate revenue, and those are the customers everyone wants. What is harder is having the tools to decipher the marketing materials out there and work out exactly what a cloud hosting provider is offering.
How to make yourself PCI compliant with a wave of a wand
Part of the problem is with the standard itself. It’s very broad, covering all aspects of credit card payments, from how to deal with paper credit card slips to anti-virus software. Some of the requirements are specific, such as 3.2 (‘Do not store sensitive authentication data after authorisation’), whereas others read more like general good-practice requirements, such as 9.1 (‘Restrict physical access to the place where the data is stored’) and requirement 12 (‘Maintain a policy that addresses information security for employees and contractors’). As those broader requirements describe controls that any data centre or hosting provider will have in place anyway, all a provider has to do is pay a QSA to come in for a couple of days and validate requirements 9 and 12; hey presto, with a wave of the wand, the provider is ‘PCI compliant’ without changing a single feature of its product set. Never mind those inconvenient requirements about firewalls (requirement 1), secure system and network configuration, including one primary function per server (requirement 2), and logging and monitoring (requirement 10).
Of course, you might think, anyone wanting a PCI compliant hosting solution is a sophisticated buyer and therefore quite capable of seeing through these kinds of assertions. But the anecdotal evidence is that customers who have been lulled into thinking the compliance box has been ticked are not too happy when they find out that they are on their own for ten of the twelve requirements.
How can an eCommerce site make sure it goes with a provider that actually offers a meaningful PCI service, rather than a rack piggybacking off a data centre certification? The answer is to request the Attestation of Compliance (AOC) from the service provider. The AOC will tell you specifically what was included and, more importantly, excluded from the assessment. Check that it is the service provider version of the AOC, that it is signed by both the provider and the QSA, and that it is current: PCI DSS validation is annual, so an AOC dated more than twelve months ago tells you nothing about the provider’s environment today. In the event that they will not provide the entire AOC, ask them for the Scoping section, as this section is required to contain a description of what was included in and excluded from the assessment.
In some cases the QSA will even list, in this section, the PCI DSS requirements that a customer of the service provider can rely on. Anything not on that list remains your responsibility to implement and validate in your own assessment. If the service provider is unwilling to share this information with you, that is a sign that they are probably not validated for anything beyond requirements 9 and 12.
In the meantime, we should remember that the kind of tricks played with PCI can be played with just about any standard, and web shops processing credit card information should check, and check again, any cloud provider’s claim to be compliant.
Expert Commentary
By James Rees, QSA and Director of Razor Thorn Security
I agree on the whole with Firehost, and Neira Jones is absolutely correct. We have found a number of cloud companies attempting to dodge the PCI DSS compliance requirements by using compliant datacentres. It is a severe problem in a number of industries (ecommerce, web design companies and cloud companies) where this occurs far too much.
As a QSA I can tell you that if you are assisting a company in any way with the storage, transference or processing of card information you will need to be compliant with the PCI DSS requirements; the extent of your liability will be dictated by the services you offer to the client.
Cloud companies looking to prove their compliance will need to supply the following:
- Signed and current Attestation of Compliance (AoC) as a Service Provider, OR allow the customer’s QSA to come on site and undertake an audit of the items within the PCI DSS compliance model that the cloud company facilitates for the client being audited.
- Access to the Executive Summary section of the service provider’s Report on Compliance (RoC). Some QSAs will ask for this if they want to double-check what the service provider can actually facilitate and still have questions after reviewing the AoC.
- Listing of the service provider on the Visa Merchant Agent portal. This is not a REQUIREMENT, but Visa do maintain a list of certified service providers. This list is being populated at the moment but is still in its early stages, so not all service providers are listed yet, though this is expected to change within the next year.
Other items that could help smooth the process:
- Allow the client to speak to your QSA; maybe that client has some special and specific requirements that may change your PCI DSS accreditation in some way. If in doubt, CHECK with a professional.
- Engage your QSA to create a jargon-free, plain-English translation for the sales team of what the cloud company can facilitate and what it cannot. This is invaluable, as it prevents the cloud sales people from promising PCI DSS related services that cannot be catered for (this is something we do for all of our clients as standard at Razor Thorn Security).
- Allow your client to ask your QSA questions related to PCI DSS compliance. If they have specific concerns or some strange requirements, not only will you need to know, but it promotes confidence in the client that you, as the cloud service provider, take PCI DSS seriously. Don’t rely just on internal people to answer these questions; the QSA badge is a powerful confidence booster and may actually win you the client because you’re seen as helpful.