Flow diagram of payment card data, or personal data, in the cloud

Posted on 23 February 2013 by Admin

The recent PCI DSS Information supplement “PCI DSS Cloud Computing Guidelines” emphasizes the same message as earlier guidelines like

ISO standard “29100 Privacy Framework“
NIST SP 800-122: Guide to Protecting the Confidentiality of Personally Identifiable Information (PII)
NIST SP 800-122: Guidelines on Security and Privacy in Public Cloud Computing
ITU-T ITU-T Technology Watch Report: Privacy in Cloud Computing

They all emphasize that in order to protect data, one have to know where and when the data is used or stored.

Some highlights from the PCI DSS document:

Figure 3: How PCI DSS responsibilities may be shared between clients and CSPs.
Chp 4: Segmentation and Scoping
Appendices with samples:
- Appendix A: Sample PCI DSS Responsibilities for Different Service Models
- Appendix B: Sample Inventory
- Appendix C: Sample PCI DSS Responsibility Matrix
- Appendix D: PCI DSS Implementation Considerations

Related Links

PCI DSS Webinar Feb 2013 (50 min audio)
PCI DSS in the Cloud Training by CSA
- course ppt
Webinar “Decoding New PCI DSS Guidelines for Cloud Computing” by TrendMicro
Amazon PCI DSS level 1 FAQ
Auditing
- ISACA’s Personally Identifiable Information (PII) Audit/Assurance Program (G31 Privacy is withdrawn)

Other Links

OECD Privacy Guidelines

This entry was posted in Cloud Security, Privacy, Security Management, Security Standardization and Practises, Security Training, Awareness and Reports. Bookmark the permalink.

Comments are closed.