Skip to the main content.

2 min read

Non-Compliance Lesson No. 4: Keep your head in the cloud when adopting new technologies

PCI DSS can be hard and not preparing for it just makes things harder. Following this advice is guaranteed to make it both more exciting and painful.

  • Trust the vendor’s sales team that their sexy new tech is different and doesn’t need to comply
  • Don’t do your due diligence on the potential security impact or access to sensitive information
  • Act surprised when your QSA asks for the attestation of compliance (AoC) and PCI responsibility matrix for you new friends service providers or other evidence their solutions supports your compliance
  • Exercise your right to audit clause (if you have one), and include your service providers inside your annual assessment at your cost
  • Hope their compliance doesn’t rely upon a “secret sauce”
  • Enjoy explaining to senior management why your assessment is delayed or worse
  • New is sexy and different and the old rules just shouldn’t apply

Don’t get us wrong, many new technologies are great and can really improve security.  Much of it leverages cloud technologies. But just because it’s new and sexy doesn’t mean it gets a pass on PCI DSS.  Products and services must be fit for purpose and that includes supporting your regulatory obligations.  Many of these solutions directly impact security or may even access cardholder data. Here are some considerations for your due diligence:

  • Shifting from on-premise products to off-premise third-party services.
  • Offloading data for analysis
  • Managing anything that can impact security
  • New approaches must still comply, if they don’t do things the traditional way then they are obligated to document and prove how they meet these requirements

Some examples: next generation anti-virus and endpoint defense.

Learn More

Seriously, if you want your assessment to be smooth and boring you may find these articles useful.

If you'd like more entertaining reads, try these:

If You Need Help

Compliance can seem as dry as toast. Normally, it only gets exciting when things go wrong like when you find problems during an annual assessment, facing a looming deadline, with senior management breathing down your neck expecting a pass. Last minute discovery of problems gets extremely stressful. Failure becomes an option. Remediation is not guaranteed and can often be risky, sub-optimal, and expensive.

PCI DSS has 12 high-level requirements and over 250 sub-requirements each of which is an opportunity for failure. The kinds of challenges we describe are often avoidable and manageable. After all, PCI is an open book exam and there should be no excuse for not being prepared. If you are struggling with business-as-usual compliance, or have challenges, we can help.


Control Gap Vulnerability Roundup: August 6th to August 12th

This week saw the publication of 576 new CVE IDs. Of those, 80 have not yet been assigned official CVSS scores, however, of the ones that were,...

Read More

This Week's [in]Security - Issue 280

Welcome to This Week’s [in]Security. PCI FAQs. Crypto-research: the PQC demo derby, more SIDH attacks. New breaches: Twillo, Cisco, Shanghai, ipay88,...

Read More

Control Gap Vulnerability Roundup: July 30th to August 5th

This week saw the publication of 449 new CVE IDs. Of those, 315 have not yet been assigned official CVSS scores, however, of the ones that were,...

Read More