I kicked off a bit of a dust storm some months ago when I wrote a tongue-in-cheek post titled "Please Help Me: I Need a QSA to Assess PCI/DSS Compliance In the Cloud." It may have been a little contrived, but it asked some really important questions and started some really good conversations on my blog and elsewhere.
At SourceBoston I sat in on Mike Dahn's presentation titled "Cloud Compliance and Privacy" in which he did an excellent job outlining the many issues surrounding PCI and compliance and its relevance to Cloud Computing.
Shortly thereafter, I was speaking to Geva Perry and James Urquhart on their "Overcast" podcast and the topic of PCI and Cloud came up.
Geva asked me whether, after my rant on PCI and Cloud, I was saying that one could never be PCI compliant in the Cloud. I basically answered that one could be PCI compliant in the Cloud depending upon the services used/offered by the provider and what sort of data you trafficked in.
Specifically, Geva made reference to the latest announcement by Rackspace regarding their Mosso Cloud offering and PCI compliance, in which they tout that by using Mosso, a customer can be "PCI Compliant." Since I hadn't seen the specifics of the offering, I deferred my commentary, but here's what I found:
Cloud Sites, Mosso|The Rackspace Cloud’s Flagship offering, is officially the very first cloud hosting solution to enable an Internet merchant to pass PCI Compliance scans for both McAfee’s PCI scans and McAfee Secure Site scans.
This achievement occurred just after Computer World published an article where some CIO’s shared their concern that Cloud Computing is still limited to “things that don’t require full levels of security.” This landmark breakthrough may be the beginning of an answer to those fears, as Mosso leads Cloud Hosting towards a solid future of trust and reliability.
Mosso's blog featured an example of a customer -- The Spreadsheet Store -- who allegedly attained PCI compliance by using Mosso's offering. Pay very close attention to the bits below:
“We are making the Cloud business-ready. Online merchants, like The Spreadsheet Store can now benefit from the scalability of the Cloud without compromising the security of online transactions,” says Emil Sayegh, General Manager of Mosso|The Rackspace Cloud. “We are thrilled to have worked with The Spreadsheet Store to prepare the Cloud for their online transactions.”
...
The Spreadsheet Store set up their site using aspdotnetstorefront, “Which is, in our opinion, the best shopping cart solution on the market today,” says Murphy. “It also happens to be fully compatible with Mosso.” Using Authorize.Net, a secure payment gateway, to handle credit card transactions, The Spreadsheet Store does not store any credit card information on the servers. Murphy and team use MaxMind for fraud prevention, Cardinal Commerce for MasterCard Secure Code and Verified by Visa, McAfee for PCI and daily vulnerability scans, and Thawte for SSL certification.
So after all of those lofty words relating to "...preparing the Cloud for...online transactions," what you can decipher is that Mosso doesn't seem to provide services to The Spreadsheet Store which are actually in scope for PCI in the first place!*
The Spreadsheet Store redirects that functionality to a third-party card processor!
So what this really means is if you utilize a Cloud based offering and don't traffic in data that is within PCI scope and instead re-direct/use someone else's service to process and store credit card data, then it's much easier to become PCI compliant. Um, duh.
The goofiest bit here is that in Mosso's own "PCI How-To" (warning: PDF) primer, they basically establish that you cannot be PCI compliant by using them if you traffic in credit card information:
Cloud Sites is not currently designed for the storage or archival of credit card information. In order to build a PCI compliant e-commerce solution, Cloud Sites needs to be paired up with a payment gateway partner.
Doh!
I actually wrote quite a detailed breakdown of this announcement for this post yesterday, but I awoke to find my buddy Craig Balding had already done a stellar job of that (curses, timezones!). I'll refer you to his post on the matter, but here's the gem in all of this. Craig summed it up perfectly:
The fact that Mosso is seeking ways to help their customers off-load as much PCI compliance requirements to other 3rd parties is fine - it makes business sense for them and their merchant customers. It’s their positioning of the effort as a “landmark breakthrough” and that they are somehow pioneers which leads to generalisations rooted in misunderstandings that is the problem.
Next time you hear someone say ‘Cloud Provider X is PCI compliant’, ask the golden PCI question: is their Cloud receiving, processing, storing or transmitting Credit Card data (as defined by the PCI DSS)? If they say ‘No’, you’ll know what that really means…marketecture.
There's some nifty marketing for you, eh?
--
* Except for the fact that the web servers housed at Mosso must undergo regularly-scheduled vulnerability scans -- which Mosso doesn't do, either.