PCI Compliance Daniel Beazer


CLOUD FACTS: Qualified Security Assessor (QSA) companies are organisations that have been qualified by the Council to have their employees assess compliance to the PCI DSS standard. Qualified Security Assessors are employees of these organisations who have been certified by the Security Standards Council to validate a company’s adherence to the PCI DSS.


to the place where the data is stored’) and requirement 12 (‘Maintain a policy that addresses information security for employees and contractors’) while leaving out many of the more technical, and useful to the customer, controls like anti-virus, system patching and log management. The result is that the provider is then considered PCI compliant, without changing a single feature of its product set, and can market its services as such. In addition, the current validation document, the Attestation of Compliance or AOC, does not currently provide a way to differentiate between hosters who have taken a minimalist approach versus those that have had more of their services validated.

We expect the types of people and organisations wanting a PCI compliant hosting solution to have sufficient business acumen and common sense to see through the current validation muddle. However, in practice this often means that provider claims are not scrutinised in the way they should be. The anecdotal evidence is that customers who are lulled into thinking that the compliance box has been ticked are not too happy when they find out that they are on their own for a large majority of the requirements.


ACQUIRING A MEANINGFUL PCI SERVICE

Given the potential pitfalls, how can an eCommerce business, and its website, ensure it has a provider that actually offers a functional PCI service versus one that just piggybacks off a data centre certification? The answer is actually surprisingly straightforward, but sometimes difficult to achieve: simply request the ‘Scoping’ section from the provider’s Report on Compliance (ROC). The ROC is the formal report for the assessment and the ‘Scoping’ section should detail exactly what was included, and perhaps more importantly, excluded, from the assessment. In some cases the Qualified Security Assessor (QSA) will even provide a list of the PCI DSS requirements that a customer of the service provider can rely on in this section.

www.cloudcomputingintelligence.com


If you can’t get access to these documents, you may never know exactly how well your provider is covering you in terms of PCI compliance, but this doesn’t mean you can’t work out a rough idea of where you stand. If the service provider is unwilling to share this information with you and is vague or evasive regarding exactly which DSS controls they take responsibility for, it’s a safe bet that they have taken the minimalist approach and aren’t validated for anything beyond portions of requirements 9 and 12.


It’s worth remembering that marketing manoeuvres and tricks played with PCI can be done with just about any standard. It is vital, therefore, that any organisation processing credit card information be extra vigilant when it comes to checking cloud providers’ compliance credentials.




ABOUT THE AUTHOR Daniel Beazer


Beazer has an extensive history of research and strategy with hosting and cloud organisations. He worked as European counsel and general manager UK for Internap, and was responsible for its Network Services’ European business. In this position, he helped to launch the company’s data centre while heading its expansion into continental Europe. After time spent with Internap, Beazer was selected as a European Analyst for Tier1 Research, where his areas of research spanned cloud computing, hosting, CDN and datacentre markets. He is currently director of strategy at FireHost, where he oversees interactions with enterprise and strategic customers.


January 2013 CCI Magazine

