Date: April 2018 Author: Cloud Special Interest Group PCI Security Standards Council Information Supplement: PCI SSC Cloud Computing Guidelines Information Supplement • Cloud Computing Guidelines • April 2018 Document Changes Date Version Description February 2013 2.0 Initial publication of PCI DSS v2.0 Cloud Computing Guidelines, produced by 2013 Cloud SIG. April 2018 3.0 Updated PCI SSC Guidelines for Secure Cloud Computing, produced by 2017 Cloud SIG. Changes include: • Restructure of the document for better flow (e.g., consolidation of Sections 6.3 and 6.4, and moving Section 6.5 to Appendix E). • Updated guidance on roles and responsibilities, scoping cloud environments, and PCI DSS compliance challenges. • Expanded guidance on incident response and forensic investigation. • New guidance on vulnerability management, as well as additional technical security considerations on topics such as Software Defined Networks (SDN), Containers, Fog Computing and Internet of Things (IoT). • Standardized terminology throughout the document. • Updated references to PCI SSC and external resources. • Minor grammatical updates. The intent of this document is to provide supplemental information. Information provided here i does not replace or supersede requirements in any PCI SSC Standard. Information Supplement • Cloud Computing Guidelines • April 2018 Table of Contents Document Changes .................................................................................................................................................. i 1 Introduction ........................................................................................................................................................ 1 1.1 Intended Audience ........................................................................................................................................ 2 1.2 Terminology................................................................................................................................................... 2 1.3 Summary of Recommendations .................................................................................................................... 3 2 Cloud Overview .................................................................................................................................................. 5 2.1 Cloud Deployment Models ............................................................................................................................ 5 2.2 Cloud Capabilities Types and Cloud Service Categories ............................................................................. 6 3 Cloud Provider/Customer Relationships ........................................................................................................ 8 3.1 Understanding Roles and Responsibilities ................................................................................................... 8 3.2 Roles and Responsibilities for Different Cloud Deployment Models............................................................. 8 3.3 Responsibilities for Different Cloud Service Categories ............................................................................... 9 3.4 Nested Service Provider Relationships ....................................................................................................... 11 4 PCI DSS Considerations ................................................................................................................................. 13 4.1 Understanding PCI DSS Responsibilities ................................................................................................... 13 4.2 PCI DSS Responsibilities for Different Cloud Service Categories .............................................................. 13 4.3 Understanding Responsibilities of Security as a Service (SECaaS) .......................................................... 16 4.4 Segmentation Considerations ..................................................................................................................... 16 4.4.1 Segmentation Challenges .................................................................................................................... 17 4.4.2 Segmentation Responsibilities ............................................................................................................. 18 4.4.3 Segmentation Technologies ................................................................................................................. 18 4.5 Scoping Considerations .............................................................................................................................. 19 4.5.1 Security of Cloud Service Customer Systems ...................................................................................... 21 4.5.2 Scoping Examples for Different Cloud Deployment Models ................................................................ 22 5 PCI DSS Compliance Challenges ................................................................................................................... 26 5.1 What Does It Mean When a Provider States, "I Am PCI DSS Compliant"? ............................................... 27 5.2 Verifying the Scope of PCI DSS Validated Services and Components ...................................................... 27 5.3 Verifying PCI DSS Controls Managed by the Cloud Service Provider ....................................................... 28 6 Security Considerations ................................................................................................................................. 31 6.1 Governance, Risk and Compliance ............................................................................................................ 31 6.1.1 Risk Management ................................................................................................................................. 31 6.1.2 Due Diligence ....................................................................................................................................... 32 6.1.3 Service Level Agreements .................................................................................................................... 32 6.1.4 Business Continuity Plans and Disaster Recovery .............................................................................. 33 6.1.5 Human Resources ................................................................................................................................ 33 6.2 Facilities and Physical Security ................................................................................................................... 33 6.3 Data Security Considerations ...................................................................................................................... 34 The intent of this document is to provide supplemental information. Information provided here ii does not replace or supersede requirements in any PCI SSC Standard. Information Supplement • Cloud Computing Guidelines • April 2018 6.3.1 Data Acquisition .................................................................................................................................... 34 6.3.2 Data Storage and Persistence .............................................................................................................. 36 6.3.3 Data Usage ........................................................................................................................................... 36 6.3.4 Sharing Data ......................................................................................................................................... 36 6.3.5 Decommissioning and Disposal ........................................................................................................... 36 6.4 Incident Response and Forensic Investigation ........................................................................................... 37 6.4.1 Incident Response ................................................................................................................................ 37 6.4.2 Forensics Investigation ......................................................................................................................... 37 6.4.3 Breach Notification ............................................................................................................................... 38 6.5 Vulnerability Management ........................................................................................................................... 39 6.5.1 Web Application Vulnerability Testing .................................................................................................. 40 6.5.2 Network Vulnerability Scanning ............................................................................................................ 40 6.5.3 Penetration Testing .............................................................................................................................. 41 6.5.4 Notification of Testing ........................................................................................................................... 42 Appendix A: Sample PCI DSS Responsibilities for Different Cloud Service Categories ............................... 43 Appendix B: Sample Inventory ............................................................................................................................. 49 Appendix C: Sample PCI DSS Responsibility Management Matrix .................................................................