PCI Security Standards Council Publishes Guidelines on Cloud Computing

Meeting with acquirers and payment technology leaders this week at the TRANSACT conference, the PCI Security Standards Council (PCI SSC) announced new PCI SSC Cloud Computing Guidelines. Developed in collaboration with more than 100 global organizations representing banks, merchants, security assessors and technology vendors, the guidance identifies and addresses security challenges for different cloud architectures and models to help companies understand security considerations when implementing these solutions.

“Since we first released guidance for cloud environments in 2013, we’ve seen tremendous growth in adoption of these services as well as the introduction of additional features such as fog computing, desktop-as-a-service and other uses for cloud,” said PCI SSC Chief Technology Officer Troy Leach. “With the increased use of third-party services comes a dependency to better understand business and technical issues that may impact payment data and associated processing. The new PCI SSC Cloud Computing Guidelines aim to help all parties involved to understand how best to mitigate potential risk and collaborate on the shared responsibility for protecting payment data.”

Developed by a PCI SSC Special Interest Group, the guidance is an update to guidelines published in 2013. The latest version includes expanded recommendations on incident response and forensic investigation as well as new guidance on vulnerability management. It provides scenarios of different cloud technologies and outlines how these various technologies can impact compliance. The information in this document is intended for merchants, service providers, assessors and other entities looking for guidance on how the use of cloud computing may affect PCI DSS implementations.

The PCI SSC Cloud Computing Guidelines are available for download on the PCI SSC website.

PCI SSC Special Interest Groups (SIGs) are community-driven initiatives that provide additional guidance and clarifications or improvements to the PCI Security Standards and supporting programs. PCI Participating Organizations selected cloud computing as a key area to address via the SIG process. More than 100 global organizations representing banks, merchants, security assessors and technology vendors collaborated on this guidance. As with all PCI SSC information supplements, the guidance provided in this document is supplemental and does not supersede or replace any PCI DSS requirements.