Business Organizations

Two Top Cybersecurity Organizations Issue Joint Bulletin on the Importance of Cloud Scoping

WASHINGTON–(BUSINESS WIRE)–Today the PCI Security Standards Council (PCI SSC) and the Cloud Security Alliance (CSA) issued a joint bulletin to highlight the importance of properly scoping cloud environments. The full bulletin can be viewed here.

Why Cloud Matters

The use of cloud computing services has accelerated in recent years and is projected to continue expanding in the future. This dramatic increase in use of cloud services makes sense given the many benefits cloud computing can provide to businesses large and small. Cloud computing can be used to provide customers with access to the latest technologies without a costly investment in computing resources. Because of these many benefits, investment in cloud computing is projected to be an ever-increasing priority for businesses around the world. Along with this increased use has come increased concern about security.

The Importance of Cloud Scoping to Payment Environment Security

At a high level, scoping involves the identification of people, processes, and technologies that interact with or could otherwise impact the security of payment data or systems. When utilizing cloud security for payments, this responsibility is typically shared between the cloud customer and the cloud service provider.

Data breach investigation reports continue to find that organizations suffering compromises involving payment data were unaware that cardholder data was present on the compromised systems. Proper scoping should be a critical and ongoing activity for organizations to ensure they are aware of where their payment data is located and that the necessary security controls are in place to protect that data. Improper scoping can result in vulnerabilities being unidentified and unaddressed, which criminals can exploit. Knowing exactly where payment data is located within your systems will empower organizations to develop a game plan to protect that data.

Understanding Roles and Responsibilities

Organizations that outsource payment services to CSPs, often rely on the CSP to securely store, process, or transmit cardholder data on their behalf, or to manage components of the entity’s payment data environment. CSPs can become an integral part of the organization’s payment data environment and directly impact the security of that environment.

For too many organizations, bringing in a third party CSP for payment security services is seen as the only step necessary to securing payment data. The use of a CSP for payment security related services does not relieve an organization of ultimate responsibility for its own security obligations, or for ensuring that its payment data and payment environment are secure. Clear policies and procedures should be established between the organization and its CSP for all applicable security requirements, and measures developed to manage and report on security requirements.

Best Practices

Limiting exposure to payment data reduces the chance of being a target for criminals. Some important best practices areas of focus should be:

  • Data protection: Assure that information is protected by maximizing use of strong cryptography and key management practices, tokenization, and masking where feasible and employing robust data loss prevention solutions.
  • Authentication: Assure that strong multi-factor authentication is pervasive to protect against common attacks against the credentials of consumers, merchants, and service providers
  • Systems management: Recent high-profile breaches have pointed to weaknesses in how responsible parties perform routine systems management functions, such as patch management, verification of code updates and configuration management.
  • DevOps & DevSecOps: Software supply chains are important areas of exposure for malicious attackers and merchants should understand the original source of all components of the payment solution.
  • Data governance: With global nature of cloud, assure that information stays within the appropriate jurisdiction boundaries and is accessed by stakeholders with legitimate needs.
  • Resiliency: Assure that service providers take advantage of cloud’s nearly unlimited capabilities to provide redundancy for application availability and data backups.

On-the record quotes from Troy Leach, Senior Vice President, Market Intelligence and Industry Engagement, PCI Security Standards Council (PCI SSC):

“The importance of scoping payment environments and then properly security payment data and authentication credentials within cloud environments continues to be a common request from stakeholders. Based on these requests on scoping and related industry trends, we wanted to raise awareness of this important issue with our friends and colleagues from the Cloud Security Alliance (CSA) to highlight existing material that provides a wealth of guidance.”

“The use of cloud computing services has accelerated in recent years and is projected to continue expanding in the future. Understanding how to protect sensitive information such as payment data in these complex environments is critical to an organization’s success. Migration to cloud computing is projected to be an ever-increasing priority for businesses around the world. That makes security of the cloud more important than ever.”

“The use of a CSP for payment security related services does not relieve an organization of the ultimate responsibility for its own obligations to protect customer’s payment data, or for ensuring that the payment environment is secure.”

“Now more than ever, organizations need to make cybersecurity an everyday priority. Everyone needs to understand the unrelenting risk, and they need to have a plan to protect their data continuously. Proper scoping of cloud environments is a significant step in that process for organizations that utilize cloud services and associated benefits.”

On-the-record quotes from Jim Reavis, CEO of the Cloud Security Alliance (CSA):

“CSA works every day on cloud security issues and our industry is well aware of the many cyber threats aimed at cloud environments, which is fast becoming the dominant IT system. Those threats will continue to grow as more and more organizations, large and small utilize cloud services. We welcome the opportunity to work with the PCI SSC on the key topic of properly scoping cloud environments.”

“Cloud computing can be very secure when best practices are employed and all stakeholders understand their shared responsibility, which is learned through proper scoping. While companies of all sizes use the cloud, the knowledge gap is most evident with smaller businesses, which put them at risk of suffering a security incident. We are all in this together.”

“We must work together through education, training, and collaboration to effectively protect data and improve security.”

“Limiting exposure to payment data reduces the chance of being a target for criminals. Proper scoping of cloud environments is critical to achieving this goal.”

“The bulletin we are jointly issuing today should be read by those who care about data security in cloud environments. By understanding cloud and the various roles, responsibilities and best practices related to cloud security, organizations can be better prepared to guard against cyber-attacks.”

About the PCI Security Standards Council

The PCI Security Standards Council (PCI SSC) leads a global, cross-industry effort to increase payment security by providing industry-driven, flexible and effective data security standards and programs that help businesses detect, mitigate and prevent cyberattacks and breaches. Connect with the PCI SSC on LinkedIn. Join the conversation on Twitter @PCISSC. Subscribe to the PCI Perspectives Blog.

About Cloud Security Alliance

The Cloud Security Alliance (CSA) is the world’s leading organization dedicated to defining and raising awareness of best practices to help ensure a secure cloud computing environment. CSA harnesses the subject matter expertise of industry practitioners, associations, governments, and its corporate and individual members to offer cloud security-specific research, education, training, certification, events, and products. CSA’s activities, knowledge, and extensive network benefit the entire community impacted by cloud — from providers and customers to governments, entrepreneurs, and the assurance industry — and provide a forum through which different parties can work together to create and maintain a trusted cloud ecosystem. For further information, visit us at, and follow us on Twitter @cloudsa.