The Schellman Blog

The media has been filled with stories of high profile credit card breaches, including those from Target, Neiman Marcus, P.F. Chang’s and most recently Home Depot. Details on the Home Depot breach are still emerging, but the details around the Target and Neiman Marcus breaches are well known and causing the public to ask if it will happen again?

If your business has been flagged as needing a PCI DSS assessment because you're classified as a "Merchant Level 2" (or Level 1, 3, or 4), you're probably wondering: What does that actually mean? And more likely, what’s the difference between these levels, anyway?

By Eric Sampson and Doug Barbin In a previous article, we provided a summary of the key components of the PCI DSS Cloud Computing Guidelines (“cloud supplement”). That article focused on roles, responsibilities, agreements, and audit considerations. This article speaks more to the technical considerations.

The writing is on the wall. For many businesses, cloud providers are becoming a key component of IT and business strategies, service delivery capability and scalability, innovation, and delivering new service models and solutions to market. For merchants and service providers that store, process, or transmit cardholder data, the PCI DSS provides the requirements necessary to ensure a secure and compliant cardholder data environment. Until recently, guidance was limited to the interpretation of existing PCI standards, which never fully accounted for today’s evolving cloud computing models. The release of the PCI DSS Cloud Computing Guidelines (“cloud supplement”), attempts to align core PCI goals with a better understanding of cloud provider and cloud customer (“tenant”) responsibilities to maintain a compliant cloud-hosted cardholder data. Schellman had the privilege of participating in this group. The document is, by default, supplementary and as with all PCI supplements does not supersede, replace, or extend the PCI DSS requirements. In fact, the cloud supplement states they are provided especially to “[present] recommendations for starting discussions about cloud services” in giving cloud providers and tenants a point of discussion for approaching their individual roles and responsibilities in meeting the PCI DSS requirements.” In the cloud supplement, the SSC describes the following important areas, to name a few, for understanding provider and client relationships: