Re: Cloud Computing and PCI Compliance
  • Subject: Re: Cloud Computing and PCI Compliance
  • From: Q <email@hidden>
  • Date: Sun, 22 Aug 2010 08:30:55 +1000


On 22/08/2010, at 7:48 AM, Simon wrote:

Yeah, we've done a few of those self assessment things, and we could answer yes to everything with Amazon.

I guess there is some confusion about cloud computing rather than PCI compliance. Those questionnaires are all fussed about patching policies, root access, firewalls etc. With Amazon you get all of that. It's not this big cloudy thing that you have zero control over.

You cannot possibly answer Yes to all the self assessment questions when exclusively using Amazon cloud services for card processing because a bunch of the questions are about the physical security of the data and unless Amazon can provide you with a guarantee of PCI compliance then you cannot answer Yes.

For example you cannot guarantee that an unscrupulous employee at Amazon cannot access, intercept or otherwise alter any of your "compliant" systems without detection because it involves physical (or virtual in this case) access and audit control guarantees that Amazon do not provide (in fact they explicitly state the exact opposite in the usage agreement).

To be compliant you would need to do your card processing elsewhere that can provide such a guarantee.

Simon

On 21 August 2010 22:15, Miguel Arroz <email@hidden> wrote:
Hi!

  PCI compliance is way more complex than simply passing the port-scan and automated tests. I don't recall all the details, but you have to answer a self-assessment form, and in that form I think they ask some stuff that can't be answered "Yes" if you are using Amazon (or any other cloud service).

  On the other hand, some of those questions have a very vague interpretation, and others are just plain stupid (like asking if you have an anti-virus installed on all your company computers, or asking if you have a properly configured firewall, whatever that means). I'm not defending PCI here, just saying you can get burned.


That's what the compensating controls section is for. The questions have an underlying risk that they try to protect against. In the case of antivirus software, it is to prevent the surreptitious installation of malicious or otherwise unauthorised software on your systems. If you can provide this security by other means then you detail it as a compensating control.



-- 

Seeya...Q

Quinton Dolan - email@hidden

Gold Coast, QLD, Australia (GMT+10)

Webobjects-dev mailing list
