PCI compliance testing is not uniform, and therefore "PCI compliant" labels are not uniform in meaning either. Sometimes cloud providers don’t understand what PCI compliance really means, or what it means beyond their own share of the responsibility. This article describes common warning flags that a cloud provider isn’t up to speed on what true PCI compliance means.
Denver, CO, October 26, 2012 – Matching Labels Do Not Mean Matching Results
As already mentioned, PCI compliance testing is not uniform, and therefore PCI compliant labels are not uniform in meaning either. The label can actually refer to a variety of very different things.
“This makes some cloud implementations very hard to both compare and to measure,” says Dahn.
He says this particular prickly patch is all too familiar to accountants and auditors, who encounter a similar dissonance in an SSAE 16 or SAS-70 report, wherein the service provider defines which “control objectives” it wishes the auditor to test. This means no two audits are the same, even if the end scores appear to make them equal.
This same confusing methodology applies to PCI compliance.
“This means that I could hire a PCI QSA to assess my ‘IaaS cloud’ with just a base operating system with no security services provided. Although the customer can enable security services, such is not part of the test,” says Dahn. “The cloud provider could get listed as a PCI compliant service provider ‘based on the service being offered/assessed.’”
“Another IaaS cloud provider could submit the same [base operating system] plus file-integrity monitoring installed to be tested,” says Dahn. “It, too, would get assessed and listed alongside the first [provider] ‘based on the service being offered/assessed.’”
Obviously the two vendors tested in this scenario are not equal, nor are their claims of PCI compliance, even though both are technically compliant. Ultimately, this disparity means you cannot easily compare PCI compliance claims between two or more cloud providers.
The quickest way to get to the bottom of this problem is to ask cloud providers to itemize precisely which “service being offered/assessed” passed the PCI compliance testing. Make sure you understand the answer fully, and keep asking questions until you do.
“I advise individuals to create a list of all PCI DSS requirements, and then ask the service provider to mark which applies under one of three columns,” says Dahn.