Hello.
I wonder if you might help me.
I operate an e-commerce Internet-based business that processes and stores cardholder data.
I need a QSA to assess my infrastructure and operations for PCI/DSS compliance.
Oh, I forgot to mention. All my infrastructure is in the cloud. It's all virtualized. It runs on Amazon's EC2. All my data is hosted outside of my direct stewardship. I don't own anything.
Since the cloud hides all the infrastructure and moving parts from me, I don't know if I meet any of the following PCI requirements:
I don't know if there are firewalls. I don't know about the cloud-vendor's passwords, AV, access control/monitoring, vulnerability management or security processes.
A friend told me about section 12.8, but it doesn't really apply: the "service" provider just provides me cycles and storage. I run the apps I build, but I don't see any of the underlying infrastructure.
Also, I have no portability for BCP/DR because my AMI only runs on the Amazon cloud, nowhere else. I don't know who does backups, or how they are done, outside of my manifest.
I'm sure we could ask though, right?
Update: OK, this post worked out exactly as I hoped it would. On the one hand you have PCI experts who plainly point to the (contrived) example I used and rule empirically that there's no chance for PCI certification. To their point, it's black and white; either Amazon (in this example) absorbs the risk or you can't use their services if you expect to be in compliance with PCI.
Seems logical...
However, this is the quandary we're facing with virtualization and cloud computing. In terms of the companies that hire these PCI compliance experts, the assessment methodology/requirements are predicated upon a "standard" that continues to be out of touch with the economic and technological world around it. That's not the experts' fault, they're scoring you against a set of requirements that are black and white.
As companies try to leverage technology to be more secure, to transfer risk, to focus on the things that matter most and to reduce costs -- if you believe the marketing -- it's really a no-win situation.
The PCI Security Standards Council doesn't even have a SIG for virtualization and yet we see the crushing onslaught of virtualization with no guidance and this tidal wave has been rushing at us for at least 3-5 years. If you believe the uptake of cloud computing, we're blindly hurdling over the challenges that virtualized internally-owned infrastructure brings and careening headlong down a path to cloud computing that leaves us in non-compliance.
The definition of what a "service provider" means and how they interact with the cardholder data companies are supposed to protect needs to be redefined.
It's time the PCI Council steps up and gets in front of the ball instead of being crushed by it, so that the companies that would do the right thing -- if they knew what that meant -- aren't punished by an out-of-touch set of standards.