PCI and Cloud Q&A – Are You Compliant?

Part two of our Dell Private Cloud Services Fall Blog Series focuses on PCI compliance.  Due diligence is an important step in choosing a cloud service provider to host your PCI workloads.  Ultimately, the task of being PCI compliant comes down to the individual organization or merchant, so knowing what to look out for is crucial.  I’m fortunate to have the opportunity to meet with Grant Pederson, Program Management Consultant – Dell Cloud Compliance, and discuss the questions you should ask before deciding where to house your protected information.  Grant also highlights what sets Dell apart in the PCI cloud marketplace.

For those new to PCI and Dell Private Cloud Services, here’s a CliffsNotes-style overview.  Organizations that process payment card data, including credit, debit, prepaid, ATM and other payment card transactions, are subject to the Payment Card Industry Data Security Standard (PCI DSS).  The current PCI DSS version 2.0 sets minimum security requirements for the handling of this data in the cloud.  Becoming familiar with these requirements is an important step in creating a cloud PCI compliance roadmap.

With its Dell Cloud Dedicated Service, Dell is a Level 1 PCI DSS 2.0 service provider, and that service is a secure cloud platform for conducting financial transactions in financial services, retail, higher education, healthcare and related sectors.  Now let’s see what Grant has to say on this important matter.

Jeremy: Hi Grant.  Tell me a little about yourself and your role at Dell.

Grant: I am responsible for the implementation and sustainment of Dell’s Private Cloud Information Security and Compliance program.  I hold CISSP and CISA certifications and have 13 years of experience in information security and risk management operations and consulting in banking, defense, critical infrastructure and cloud industries as well as Big 4 public accounting IT audit experience with EY.

Jeremy: Excellent.  So you’ve been around the block a few times.  Given this experience, what is the first thing to look for when considering cloud and PCI?

Grant: It’s critically important to understand what your organization does vs. the service provider, aligned to the DSS guidelines.  The lines of accountability and responsibility will be different for each service provider and deployment model. These differences will impact the responsibility for implementation, operation and management of security controls.

Jeremy: So if DSS cloud guidelines define these roles, where is Dell differentiated as a PCI service provider?

Grant: With Dell, a secure cloud infrastructure is the foundation of our business and what sets us apart from most service providers. The entire cloud infrastructure supporting our customers’ critical workloads is secured by Dell SecureWorks. All security systems are monitored and managed 24x7x365 giving us incredible visibility and awareness of what is going on in the environment and the ability to mitigate threats in real-time.

Where we really differ from other cloud service providers is in our ability to provide the Dell SecureWorks managed security services to our cloud customers.  Dell SecureWorks security experts and proprietary technologies offer our cloud customers a level of protection unavailable with any other service providers.  Entities regulated by PCI DSS know how costly data loss events can be in terms of monetary fines, loss of reputation, loss of customer trust, forensic investigations and litigation. The most effective way to avoid these penalties is to prevent data loss in the first place by teaming up with the leaders in security and data protection.

Jeremy: Given the severity of non-compliance, I can imagine some companies would be hesitant to host PCI data in the cloud.  What are the justifications for going ahead and doing so?

Grant: There are many justifications for moving workloads to the cloud. Cost savings, lower capital expenditures, better performance and uptime to name a few. Plus, with ever-increasing interest in online shopping and trends in industries like healthcare to make the majority of information electronic, a wide variety of organizations and merchants will find themselves involved with cloud computing and having to ensure PCI compliance as part of that.  My job is to make sure that when they do, they are also increasing the security around their critical information. As you know, data security is a major concern for companies considering bringing their workloads to the cloud. At Dell, we want the security of your information to be a major reason you become a customer rather than an area of concern.

Jeremy: Thanks Grant.  Why is Dell a great choice for PCI hosting?

Grant: As I stated, Dell’s cloud infrastructure is monitored and protected by Dell SecureWorks 24x7x365 from those with bad intentions. Their suite of security solutions is managed by thoroughly trained and certified security professionals.  Many cloud service providers will attempt to implement these critical security monitoring controls using internal personnel that lack the appropriate training and expertise to be truly effective.  Dell Cloud Dedicated Services’ tight integration with the Dell SecureWorks Security Operations Center means security events across all cloud systems and environments are visible to the same correlation engines and the same highly-trained security staff who know how to respond and mitigate potential security events at a moment’s notice.  Dell SecureWorks also offers value-added services such as PCI Scanning which further protect organizations hosting PCI data in the cloud.

Jeremy: One last question.  What has Dell done to provide PCI assurance?

Grant: Dell has carefully scoped and documented all PCI DSS compliance responsibilities in a way that provides our customers with compliance coverage for all cloud infrastructure components managed by us. Dell’s PCI Compliance Scoping documentation can be presented to your Qualified Security Assessor (QSA) along with the Dell Cloud Dedicated Service Attestation of Compliance or Report on Compliance (ROC) to provide assurance that all cloud infrastructure system components supporting your PCI workloads are properly protected and compliant with PCI DSS.

I hope this brief interview has shed some light on the growing importance of PCI in the cloud and how your organization can better prepare for compliance.  To learn more about what Dell is doing to help private cloud customers reach their business goals, please read part one in this series and the related press release.  And stay tuned for more private cloud services information during the rest of October.

About the Author: Jeremy Greening