<?xml version="1.0" encoding="UTF-8"?><rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
		>
<channel>
	<title>Comments for Steve Shead Dot Net</title>
	<atom:link href="http://www.steve-shead.net/comments/feed/" rel="self" type="application/rss+xml" />
	<link>http://www.steve-shead.net</link>
	<description>An Information Security Blog</description>
	<lastBuildDate>Mon, 25 Jul 2011 14:14:54 +0000</lastBuildDate>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.3.1</generator>
	<item>
		<title>Comment on allinurl: admin mdb by Admin mdb &#124; Interswitchweb</title>
		<link>http://www.steve-shead.net/information-technology-and-security/allinurl-admin-mdb/#comment-6792</link>
		<dc:creator>Admin mdb &#124; Interswitchweb</dc:creator>
		<pubDate>Mon, 25 Jul 2011 14:14:54 +0000</pubDate>
		<guid isPermaLink="false">http://www.steve-shead.com/?p=1434#comment-6792</guid>
		<description>[...] allinurl: admin mdb &#171; Steve Shead Dot Net Apr 30, 2009 &#8230; Normally you would type allinurl: admin mdb into Google, but I&#8217;ve linked the query above for instant gratification, but remember this is &#8230; [...]</description>
		<content:encoded><![CDATA[<p>[...] allinurl: admin mdb &#171; Steve Shead Dot Net Apr 30, 2009 &#8230; Normally you would type allinurl: admin mdb into Google, but I&#8217;ve linked the query above for instant gratification, but remember this is &#8230; [...]</p>
]]></content:encoded>
	</item>
	<item>
		<title>Comment on PCI Compliance in the Cloud by Steve Shead</title>
		<link>http://www.steve-shead.net/information-technology-and-security/pci-compliance-in-the-cloud/#comment-1566</link>
		<dc:creator>Steve Shead</dc:creator>
		<pubDate>Sat, 04 Dec 2010 01:31:26 +0000</pubDate>
		<guid isPermaLink="false">http://www.steve-shead.net/?p=3330#comment-1566</guid>
		<description>Sujay - absolutely agree, but the concept still hasn&#039;t matured, and the new PCI DSS standard is now in place without deference to cloud issues, such as multi-tenant environments. Perhaps it&#039;s a maturing view - time will tell - but I do appreciate your insights.

Steve</description>
		<content:encoded><![CDATA[<p>Sujay &#8211; absolutely agree, but the concept still hasn&#8217;t matured, and the new PCI DSS standard is now in place without deference to cloud issues, such as multi-tenant environments. Perhaps it&#8217;s a maturing view &#8211; time will tell &#8211; but I do appreciate your insights.</p>
<p>Steve</p>
]]></content:encoded>
	</item>
	<item>
		<title>Comment on PCI Compliance in the Cloud by Sujay Jaladi</title>
		<link>http://www.steve-shead.net/information-technology-and-security/pci-compliance-in-the-cloud/#comment-1540</link>
		<dc:creator>Sujay Jaladi</dc:creator>
		<pubDate>Thu, 02 Dec 2010 07:30:58 +0000</pubDate>
		<guid isPermaLink="false">http://www.steve-shead.net/?p=3330#comment-1540</guid>
		<description>Sorry if I am off-track with the topic here, but what rings in my mind after reading your article is the following.

Compliance requirements definitely need to be redefined with the considerations of ever-changing technology, I would say. At this point, even though we are speaking about PCI compliance in the cloud, understanding it as “Compliance with the evolving technology” seems to be more appropriate; again, this is not me taking a position, but this is definitely my understanding of the ever-changing trends. The compliance rule set is a living document, and just because something is not mentioned in the set does not mean it cannot be applied as due diligence.

The more threats we have, the more controls will be added to the compliance requirements. It is very important to know what, where and who has the data and infrastructure that is being used by an organization. Without the right understanding of this, it is difficult to implement controls to enforce compliance. For example, the cloud is a new concept, but how about colocations? This is not a new concept, but we have successfully implemented compliance in colocations. If we request information on who has entered the location, we will not be given access to all the information that is available; just the information that is applicable to the requesting organization is what is provided. But there are alternative controls or compensating controls: whether you own the cage, and whether you can trace and audit entry to the cage by everyone. Trace and audit capabilities are what it comes down to at the end of the day in compliance, and it does not really matter whether an organization is in the cloud or in its own data center; as long as all due diligence is administered and every transaction &amp; action can be traced and audited to the satisfaction of the auditors (meaning enough auditable proof) and to protect the customers from being impacted, the organization will be compliant.</description>
		<content:encoded><![CDATA[<p>Sorry if I am off-track with the topic here, but what rings in my mind after reading your article is the following.</p>
<p>Compliance requirements definitely need to be redefined with the considerations of ever-changing technology, I would say. At this point, even though we are speaking about PCI compliance in the cloud, understanding it as “Compliance with the evolving technology” seems to be more appropriate; again, this is not me taking a position, but this is definitely my understanding of the ever-changing trends. The compliance rule set is a living document, and just because something is not mentioned in the set does not mean it cannot be applied as due diligence.</p>
<p>The more threats we have, the more controls will be added to the compliance requirements. It is very important to know what, where and who has the data and infrastructure that is being used by an organization. Without the right understanding of this, it is difficult to implement controls to enforce compliance. For example, the cloud is a new concept, but how about colocations? This is not a new concept, but we have successfully implemented compliance in colocations. If we request information on who has entered the location, we will not be given access to all the information that is available; just the information that is applicable to the requesting organization is what is provided. But there are alternative controls or compensating controls: whether you own the cage, and whether you can trace and audit entry to the cage by everyone. Trace and audit capabilities are what it comes down to at the end of the day in compliance, and it does not really matter whether an organization is in the cloud or in its own data center; as long as all due diligence is administered and every transaction &amp; action can be traced and audited to the satisfaction of the auditors (meaning enough auditable proof) and to protect the customers from being impacted, the organization will be compliant.</p>
]]></content:encoded>
	</item>
</channel>
</rss>