{"id":1699,"date":"2011-12-12T00:00:00","date_gmt":"2011-12-12T00:00:00","guid":{"rendered":"http:\/\/otava.test\/risk-assessments-to-achieve-pci-compliance-in-the-cloud\/"},"modified":"2025-05-28T21:09:27","modified_gmt":"2025-05-28T21:09:27","slug":"risk-assessments-to-achieve-pci-compliance-in-the-cloud","status":"publish","type":"post","link":"https:\/\/www.otava.com\/blog\/risk-assessments-to-achieve-pci-compliance-in-the-cloud\/","title":{"rendered":"Risk Assessments to Achieve PCI Compliance in the Cloud"},"content":{"rendered":"\n

One of the main concerns with cloud computing<\/a> is security – when it comes to national industry security compliance standards such as PCI DSS or HIPAA<\/a>, additional precautions must be taken in order to protect confidential data during transmission. While PCI compliance calls for very specific requirements to protect customer cardholder data, it is possible to remain compliant while using the cloud.<\/p>\n\n\n\n

The PCI Security Council (PCI SSC) recently released<\/a> a set of guidelines and recommendations on configuring virtualized environments to meet PCI requirements in June. The council acknowledges there is no one-size-fits-all hosting solution that allows all businesses to meet the PCI requirements, but they do address potential new risks that may be associated with virtualization technology.<\/p>\n\n\n\n

According to Onestopclick.com\u2019s article on PCI Compliance and the Public Cloud<\/em>, some experts suggest using a separate secure server for transactions while using a cloud platform for other business operations. However, the PCI SSC suggests some public clouds have certain characteristics that may introduce challenges in defining scope and responsibilities when it comes to meeting PCI compliance, including the fact that the hosted entity may have limited knowledge of other tenants in their hosted environment and limited control over CHD storage. In a private cloud<\/a>, dedicated hardware provides more security and control by allowing the tenant to know where their data lives.<\/p>\n\n\n\n

As a result, the PCI SSC states the burden of PCI compliance falls upon the cloud provider and their own controls and assessment of their own environment\u2019s compliance. When searching for a PCI compliant hosting<\/a> provider and solution, merchants should review which controls are in place to meet the requirements, what is included in the scope of their assessment and details of what is not covered, and what is ultimately the merchant\u2019s own responsibility.<\/p>\n\n\n\n

The PCI SSC also recommends conducting a risk assessment<\/strong> of their virtual environments to comply with PCI standards, including the following key elements:<\/p>\n\n\n\n