Home > Cloud Computing, Cloud Security, Compliance, PCI > How To Be PCI Compliant in the Cloud…

How To Be PCI Compliant in the Cloud…

Monkeys
I kicked off a bit of a dust storm some months ago when I wrote a tongue-in-cheek post titled "Please Help Me: I Need a QSA to Assess PCI/DSS Compliance In the Cloud."  It may have been a little contrived, but it asked some really important questions and started some really good conversations on my blog and elsewhere.

At SourceBoston I sat in on Mike Dahn's presentation titled "Cloud Compliance and Privacy" in which he did an excellent job outlining the many issues surrounding PCI and Compliance and it's relevance to Cloud Computing.  

Shortly thereafter, I was speaking to Geva Perry and James Urquhart on their "Overcast" podcast and the topic of PCI and Cloud came up. 

Geva asked me if after my rant on PCI and Cloud if what I was saying was that one could never be PCI compliant in the Cloud.  I basically answered that one could be PCI compliant in the Cloud depending upon the services used/offered by the provider and what sort of data you trafficked in.

Specifically, Geva made reference to the latest announcement by Rackspace regarding their Mosso Cloud offering and PCI compliance in which they tout that by using Mosso, a customer can be "PCI Compliant"  Since I hadn't seen the specifics of the offering, I deferred my commentary but here's what I found:

Cloud Sites, Mosso|The Rackspace Cloud’s Flagship offering, is officially the very first cloud hosting solution to enable an Internet merchant to pass PCI Compliance scans for both McAfee’s PCI scans and McAfee Secure Site scans. 

This achievement occurred just after Computer World published an article where some CIO’s shared their concern that Cloud Computing is still limited to “things that don’t require full levels of security.”  This landmark breakthrough may be the beginning of an answer to those fears, as Mosso leads Cloud Hosting towards a solid future of trust and reliability.

Mosso's blog featured an example of a customer — The Spreadsheet Store — who allegedly attained PCI compliance by using Mosso's offering. Pay very close attention to the bits below:

“We are making the Cloud business-ready.  Online merchants, like The Spreadsheet Store can now benefit from the scalability of the Cloud without compromising the security of online transactions,” says Emil Sayegh, General Manager of Mosso|The Rackspace Cloud.  “We are thrilled to have worked with The Spreadsheet Store to prepare the Cloud for their online transactions.”

The Spreadsheet Store set up their site using aspdotnetstorefront, “Which is, in our opinion, the best shopping cart solution on the market today,” says Murphy.  “It also happens to be fully compatible with Mosso.”  Using Authorize.Net, a secure payment gateway, to handle credit card transaction, The Spreadsheet Store does not store any credit card information on the servers.  Murphy and team use MaxMind for fraud prevention, Cardinal Commerce for MasterCard Secure Code and Verified by Visa, McAfee for PCI and daily vulnerability scans, and Thawte for SSL certification.

So after all of those lofty words relating to "…preparing the Cloud for…online transactions," what you can decipher is that Mosso doesn't seem to provide services to The Spreadsheet Store which are actually in scope for PCI in the first place!*

The Spreadsheet store redirects that functionality to a third party card processor!  

So what this really means is if you utilize a Cloud based offering and don't traffic in data that is within PCI scope and instead re-direct/use someone else's service to process and store credit card data, then it's much easier to become PCI compliant.  Um, duh. 

The goofiest bit here is that in Mosso's own "PCI How-To" (warning: PDF) primer, they basically establish that you cannot be PCI compliant by using them if you traffic in credit card information:

Cloud Sites is not currently designed for the storage or archival of credit card information.  In order to build a PCI compliant e-commerce solution, Cloud Sites needs to be paired up with a payment gateway partner.

Doh!

I actually wrote quite a detailed breakdown of this announcement for this post yes
terday, but I awoke to find my buddy Craig Balding had already done a stellar job of that (curses, timezones!)  I'll refer you to his post on the matter, but here's the gem in all of this.  Craig summed it up perfectly:

The fact that Mosso is seeking ways to help their customers off-load as much PCI compliance requirements to other 3rd parties is fine – it makes business sense for them and their merchant customers.  It’s their positioning of the effort as a “landmark breakthrough” and that they are somehow pioneers which leads to generalisations rooted in misunderstandings that is the problem.
Next time you hear someone say ‘Cloud Provider X is PCI compliant’, ask the golden PCI question: is their Cloud receiving, processing, storing or transmitting Credit Card data (as defined by the PCI DSS)?  If they say ‘No’, you’ll know what that really means…marketecture.

There's some nifty marketing for you, eh?

* Except for the fact that the web servers housed at Mosso must undergo regularly-scheduled vulnerability scans — which Mosso doesn't do, either.
  1. March 15th, 2009 at 07:20 | #1

    "instead re-direct/use someone else's service"
    I've always been a strong proponent of that solution, and implemented it long before PCI existed. (a decade ago? – can't remember)
    So now lets ask a dumb question. If you are outsourcing you storefront hosting to a cloud provider, and you are using off the shelf storefront software shopping cart software, and you are outsourcing card processing to another service, why not just outsource the entire mess to Digital River or someone like that? Who the heck wants to manage a daisy chain of strung-together outsourcers?
    While I'm at it, I'll ask another dumb question. If the cloud provider can't directly host card data because they don't meet the compliance regime, why would I trust them to host the rest of my customers private data? Doesn't that data also need protection roughly equivalent to card data?
    I sure think it does. Identity theft is a far large problem for an individual that credit card theft, especially when you are doing dumb things like storing mothers maiden name, place of birth and other identity-theft targets.
    You can't simply revoke your identity and get a new one in the mail 3 days later.

  2. March 15th, 2009 at 08:22 | #2

    This was posted on another blog that raised the same issues.
    "As you clearly state, we (Mosso) were very transparent in indicating what information is stored on our Cloud and what is not.
    The truth is that we are the first Cloud, that we know of, that enabled its Cloud customers to gain PCI compliance using multiple technologies. The future of Cloud technologies is full of these types of hybrid solutions that combine the best of both worlds. The goal for a customer and online merchant, is to get PCI compliance, not be purist in terms of technology. On line merchants want to leverage the Cloud for scaling, and this is a good way to do it by combining both worlds.
    The fact that some people knew it was possible, but not executed should not take away from the fact that Mosso was the first one to bring it to market, and execute. A lot of work had to go on from the Mosso side to enable this. There was work involved with the payment gateways to find the best solution for our customers. Also there was work involved with our system to demonstrate compliance with the merchant perimeter scans, something that no other cloud provider has done, to the best of our knowledge.
    We are very pragmatic in our approach, and will use the best of both worlds (Hybrid: Cloud/Dedicated) to bring solutions to our customers that can help them, today.
    I hope all this helps. Thanks again, and let us if you have further questions. My email is ghrncir@mosso.com.
    Greg Hrncir (ghrncir@mosso.com)
    Director of Operations
    Mosso | The Rackspace Cloud"
    Anyone with more questions can also feel free to reach out to me.
    Emil Sayegh,
    General Manager
    Mosso | The Rackspace Cloud
    (esayegh@mosso.com)

  3. March 15th, 2009 at 08:38 | #3

    Emil:
    I appreciate your comments. I also appreciate the marketing efforts that went in to this announcement, but I respectfully suggest that our definitions of "transparency" given the "simplexity" of the solution presented by The Spreadsheet Store example are not congruent.
    Clearly we agree about the hybrid nature of Cloud and its benefits, but we're going to end up with Clouds on Clouds on Clouds and while you're piece of the pie may "enable" (in your words) PCI compliance, it's really just one move in a complex shell game of attempting to reassign/transfer risk.
    This isn't YOUR shell game, you're just playing it, but while you provide an excellent service that I happen to like very much, what exactly have you done with Cloud Sites from a service delivery and technology perspective that someone else could not by simply redirecting the credit card in-scope data from touching their resources?
    Is it really that you're just the first to point out the obvious or can you explain more about how this is so markedly different from everyone else?
    I'm NOT trying to be antagonistic, but if we're going to discuss this, I'd like to distill it down for my readers.
    /Hoff

  4. March 15th, 2009 at 09:55 | #4

    Just because the site isn't *storing* cc info, doesn't mean it is out of scope for PCI. If they store, transmit or process the cc data, surely the site is in scope? That means that if they use (say) auth.net's simple checkout where the user enters their cc into the auth.net server, they are out of scope, but if they host a form that returns to their server and then calls auth.net using AIM, their website is IN scope.
    Could you clarify whether the site you're mentioning is using simple or advanced integraiton (do they host the cc page and transmit the cc data to auth.net)? If so, it also seems to me that the press release is saying that they helped them to pass the approved scanning process which is only one of the requirements for actually being PCI compliant if the site is in scope.
    Looking forwards to learning more!

  5. Bret Piatt
    March 15th, 2009 at 10:08 | #5

    You can use SIM with Cloud Sites, not AIM. A good part of the reason for marketing this is to help drive awareness in the merchant community of easier ways to solve PCI so they can do what they want — sell merchandise.
    Right now a large portion of the merchant community believes either (a) you use some sort of shared storefront offering like Yahoo! Stores, Volusion, Amazon, eBay, or (b) you have to go build an expensive dedicated environment that contains all of the controls for a Type 5/SAQ D environment.
    We want to help educate that you can have a flexible and scalable front end web architecture and a use a payment partner for the cardholder data giving you the majority of the benefits of a dedicated Type 5 environment without much of the direct expense.
    We're going to continue adding security into the cloud as the scalability, speed, and stability allow. Without the latter 3 Ss I'm not sure if anyone cares if it has super duper security features.
    Bret Piatt
    Rackspace Hosting

  6. March 15th, 2009 at 10:36 | #6

    @Chris – thanks for the link love and kind words – much appreciated. Let me know when your @source Boston preso/recording is available – from the feedback I've heard so far, it sounds really good and I'd like to ensure my readers get to see it.

  7. March 16th, 2009 at 10:30 | #7

    I just wanted to say that from a business perspective, Mosso's solution is a perfect fit for us.
    Truth be told, we previously used a hybrid solution like the one we are using at Mosso with a dedicated server. From our perspective, this was an expensive solution that was not scalable and required us to maintain the server ourselves, as well as pay for excess capacity.
    While Mosso's solution may not be appropriate for large enterprises, it works for us. The stumbling block we encountered with our desire to move into cloud hosting was passing the vulnerabilty scans. Mosso's platform let us do that.
    It is true that the technology is not new. I think what is new is that we asked Mosso to "fix" the vulnerabilities found in our ASV scans and they worked with us to do so. They also detailed a specific set of steps for other e-commerce merchants to follow in order to pass the scans and become compliant.
    Previously, from a business perspective there was a thought that one had to use a dedicated server (even if using a hybrid solution like the one described by Mosso) in order to pass the ASV scans AND allow for some level of scalability and traffic spikes. This solution provided by Mosso let us move from a dedicated solution to a more cost-effective and scalable one.
    It may not be a new technology but the ability to use some solution other than a dedicated server was new for us from a business standpoint.
    Best regards,
    Philip Murphy
    VP Operations
    The Spreadsheet Store

  8. March 17th, 2009 at 02:20 | #8

    @Philip Murphy

    Phillip:

    Thanks very much for the comment.

    I don't doubt the business case and support you've received from Mosso as certainly it reflects the value of the Cloud. What is important to us security wonks is that we make absolutely clear that when a provider suggests they "enabled" PCI compliance, that we clarify what that means.

    We're slightly allergic to that sort of language in our world: "Buy our product/service and BAM! You're compliant."

    Mosso has every right to market as they see fit, but we're going to call a spade a spade here.

    I am thrilled that Mosso gives you excellent service and value, but some of the messaging here is suspect.

    Thanks again for commenting.

    /Hoff

  9. PhilA
    March 19th, 2009 at 21:14 | #9

    Educate me here, how should Mosso/RackSpace word their pitch to not entice this response?

    Many of the cloud providers are headed towards their marketing approach.

  1. August 26th, 2009 at 02:20 | #1
  2. August 24th, 2010 at 23:31 | #2
  3. November 1st, 2010 at 15:54 | #3