Protecting Payments in the Cloud

11/7/2011
From the 2011 PCI in Hospitality Report.
 
Cloud-based solutions offer hospitality operators the opportunity to lower their IT costs as well as the flexibility to quickly scale deployments up or down, making them attractive options for many CIOs. Still, these CIOs – who will be held responsible if sensitive data goes astray or mission-critical IT systems crash once too often – also want to be sure any cloud-based, virtual or SaaS (Software as a Service) solution they implement is as sound, safe and secure as possible.
 
Rigors of the cloud
The PCI Security Standards Council's Data Security Standards Virtualization Guidelines, published in June 2011, provide detailed information on questions merchants should ask and the steps they should take to maximize their security in both virtual and cloud environments.
 
These include ensuring that the scope of the cloud provider’s Payment Card Industry Data Security Standards (PCI DSS) review is sufficient, and that all controls that are relevant to the hosted entity’s environment and are within the scope of required PCI compliance have been assessed and determined to indeed be PCI DSS-compliant. In addition, hospitality operators should demand to see evidence of what was included in the provider’s PCI DSS assessment, as well as what was not in scope.
 
The PCI guidelines also note that additional controls are necessary for public clouds in order to compensate for inherent risks and lack of visibility in their infrastructures. Public clouds take advantage of massed servers to lower all participants’ costs and are essentially available to anyone; Amazon Web Services is the best-known example of such a public cloud. Private clouds are maintained by a single organization, and there are also public/private hybrids.
 
“A public cloud environment could, for example, host hostile out-of-scope workloads on the same virtualization infrastructure as a cardholder data environment (CDE),” according to the PCI guidelines. “More stringent preventive, detective, and corrective controls are required to offset the additional risk that a public cloud, or similar environment, could introduce to an entity’s CDE.”
 
The Council acknowledges that challenges of this type may render it impossible for certain cloud-based services to operate in a PCI-compliant manner, placing the burden for providing proof of PCI DSS compliance for a cloud-based service primarily on the shoulders of the cloud providers. It recommends that merchants should, in turn, accept such proof only if the provider can share “rigorous” evidence that adequate controls have been put into place.
 
Reliability concerns
Merchants’ concerns about cloud security also extend to the reliability of cloud services themselves, and whether such mission-critical applications as POS transaction processing can continue uninterrupted should a failure occur. A recent disruption of Amazon’s public cloud, which received a considerable amount of coverage in the media, has served to keep the issue of reliability in the spotlight.
 
Some cloud providers have begun to tout uptimes in the neighborhood of 99.99% for mission-critical applications, and supporters of migration to the cloud have been quick to point out that utilizing multiple servers and data centers, as in a cloud scenario, allows merchants to attain higher redundancy levels than would be possible were they to rely on a single enterprise-operated data center.
 
Nonetheless, as even these proponents concede, no IT architecture can guarantee 100% uptime. For this reason, hospitality operators need management tools that give real-time visibility into the dependencies between virtual workloads and the physical infrastructure they run on, so that they can proactively identify potential failures and immediately assess the impact on the overall services being delivered.
 
In Managing Virtualized Applications: Optimizing Dynamic Infrastructures, an April 2011 Aberdeen Research report, senior research analyst Dick Csaplar writes that when a server begins to fail, retailers must be able to determine whether it can “go down without materially degrading service quality, or do the virtual workloads need to be migrated elsewhere immediately?”

With “the management challenges that inherently come” with a cloud-based environment, he continues, “making sure the right processes and management software are in place during deployment is critical to an organization’s…long-term success.”
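The question Csaplar raises, whether a failing host can go down or its workloads must be migrated at once, depends on knowing which services run on which physical hosts and how much redundancy each has. The following added example (not from the report or from Aberdeen; the topology, service names and the `min_healthy` threshold are constructed assumptions) models that dependency map and evaluates the impact of a host failure before it happens:

```python
"""Impact assessment for a failing physical host in a virtualized environment.

Assumed model (constructed for this example): each service is served by
several VMs, each VM runs on exactly one physical host, and a service keeps
acceptable quality as long as at least `min_healthy` of its VMs survive.
"""
from dataclasses import dataclass, field


@dataclass
class Service:
    name: str
    min_healthy: int                          # VMs needed for acceptable quality
    vms: dict = field(default_factory=dict)   # vm name -> physical host


def assess_host_failure(services, failed_host):
    """Verdict per service if `failed_host` goes down.

    'unaffected'  - no VM of this service lives on the host
    'degraded'    - VMs lost, but remaining capacity >= min_healthy
    'migrate-now' - remaining capacity below min_healthy; move workloads first
    """
    verdicts = {}
    for svc in services:
        lost = [vm for vm, host in svc.vms.items() if host == failed_host]
        if not lost:
            verdicts[svc.name] = "unaffected"
            continue
        remaining = len(svc.vms) - len(lost)
        verdicts[svc.name] = "degraded" if remaining >= svc.min_healthy else "migrate-now"
    return verdicts


def can_go_down(services, host):
    """True if the host can fail without pushing any service below threshold."""
    return all(v != "migrate-now" for v in assess_host_failure(services, host).values())


def hosts_requiring_migration(services):
    """Proactive check: hosts whose loss would require immediate migration."""
    hosts = {h for svc in services for h in svc.vms.values()}
    return sorted(h for h in hosts if not can_go_down(services, h))


# Constructed sample topology: note that two of the three POS VMs share host-b.
SAMPLE = [
    Service("pos-transactions", 2, {"pos-vm1": "host-a", "pos-vm2": "host-b", "pos-vm3": "host-b"}),
    Service("loyalty-api", 1, {"loy-vm1": "host-a", "loy-vm2": "host-c"}),
    Service("reporting", 1, {"rep-vm1": "host-c"}),
]

if __name__ == "__main__":
    for host in ("host-a", "host-b", "host-c"):
        print(host, assess_host_failure(SAMPLE, host), "safe" if can_go_down(SAMPLE, host) else "migrate")
    print("hosts needing migration before maintenance:", hosts_requiring_migration(SAMPLE))
```

Running it shows that host-a can be taken down with only degraded capacity, while host-b (two POS replicas co-located) and host-c (the sole reporting VM) would need workloads migrated first.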

Further insights from the 2011 PCI in Hospitality Report, including updates from the industry associations that are pushing for a complete overhaul of PCI, are available in the complete report.