Is it easier to comply with PCI-DSS while using Cloud services ?

The distributed architectures of cloud environments add layers of technology and complexity that challenge traditional assessment methods. As a result, it may be particularly challenging to validate PCI DSS compliance in a distributed, dynamic infrastructure such as a public or multi-tenant environment.

Examples of compliance challenges include but are not limited to the following:

1. Customers may have little or no visibility into the Provider’s underlying infrastructure and the related security controls, which makes it difficult to identify which system components are in scope for a particular service or identify who is responsible for particular PCI DSS controls.
2. Customers may have limited or no oversight or control over cardholder data storage. Organizations might not know where cardholder data is physically stored, or the location(s) can regularly change. For redundancy or high-availability reasons, data could be stored in multiple locations at any given time.
3. It can be difficult to determine an appropriate sample size for dynamic, rapidly changing cloud environments and processes (for example, cloud-bursting, continual deployment and termination of virtual machines, dynamic IP addressing and so on).
4. Some virtual components do not have the same levels of access control, logging and monitoring as their physical counterparts.
5. Perimeter boundaries between Customer environments can be fluid.
6. Public cloud environments are usually designed to allow access from anywhere on the internet.
7. It can be challenging to verify who has access to cardholder data processed, transmitted or stored in the cloud environment.
8. It can be challenging to collect, correlate and archive all the logs necessary to meet applicable PCI DSS requirements.
9. Organizations using data-discovery tools to identify cardholder data in their environments, and to ensure that such data is not stored in unexpected places, may find that running such tools in a cloud environment can be difficult and result in incomplete results. It can be challenging for organizations to verify that cardholder card data has not “leaked” into the cloud.
10. Not all services offered by a Provider may be included in the Provider’s PCI DSS compliance validation. Many Providers might not support the right to audit for their Customers.

These challenges will affect a number of factors related to how PCI DSS compliance is managed, including how segmentation is implemented, how PCI DSS assessments are scoped, how individual PCI DSS requirements are validated and which party will perform particular validation activities.

At a high level, Cloud providers can be identified as those that have been validated as meeting a particular level of PCI DSS compliance and those that have not.

The recommended practice for Customers with PCI DSS considerations is to work with Providers whose services have been independently validated as being PCI DSS compliant and have mechanisms available to Customers to attain such evidence.