PCI, HIPAA, FedRAMP: Cloud Compliance

“The Cloud” – it is a phenomenon that has become one of the hottest buzzwords in technology over the past few years. There are myriad benefits to using cloud computing including easier file backup and storage, the ability to access information from anywhere in the world, and the power to harness the cloud to create Anything-as-a-Service (XaaS) solutions for almost anything conceivable.

Organizations around the world stand to greatly benefit from cloud computing especially as it offers an unmatched combination of price and reliability. Hospitals, for instance, can use cloud computing to drastically reduce costs as well as to improve patient care. Online video retailers are able to reduce costs by taking advantage of the greater business scalability afforded by cloud computing to adapt to spikes in demand. The possibilities are truly endless.

One of the main draws of cloud computing is its potential to reduce costs in almost any field by outsourcing computing resources to a third party provider. These great benefits, however, do not come without inherent drawbacks. Among others, regulatory compliance is one of the larger issues facing users of cloud computing. While cloud computing may simplify many tasks, ensuring regulatory compliance by default is not one of them.

Compared to physically hosting machines and data on-site, where a company typically has full control over what is stored, how it is stored, and where it is stored, an organization that uses a third-party cloud computing provider does not have such control. This can create potential problems from a regulatory compliance standpoint. The Payment Card Industry Data Security Standard (PCI DSS) and the Health Insurance Portability and Accountability Act (HIPAA) are two of the most widely discussed and implemented regulations that come into play in cloud computing. Another slightly different angle is brought in by the recent Federal Risk and Authorization Management Program (FedRAMP) authorization requirements.



The PCI DSS is a set of regulations intended to ensure that companies handle users’ credit card data in a secure and responsible manner. There are 12 sections in PCI that must be complied with; these requirements can be tricky to meet on their own, and adding cloud computing to the mix makes the situation even more difficult. It might be easy to assume that a cloud company that claims to be PCI compliant is capable of handling credit card data and that your company can simply switch to its cloud and be done with PCI compliance. Unfortunately, not all cloud providers are equal in terms of their level of PCI compliance. A cloud provider that claims to be PCI compliant may indeed be just that, but the provider can specify which portion of its service or product is to be tested for PCI compliance, which could leave your company short-changed if you do not possess all the relevant information.

A point to consider is that a cloud provider is simply providing a platform, and it is equally important to investigate the provider’s processes as well as the platform it provides. The servers and hardware that the provider uses will not necessarily be PCI compliant, but for PCI compliance it is necessary to ensure that the provider is implementing the proper safeguards, segregation of duties, and patching, among other things. Proper logical segmentation is extremely important, considering that physical segregation in a cloud environment is a tricky issue.

In addition to verifying that the cloud provider is PCI compliant, you also need to ensure that PCI compliance is being met at your end as well. This includes, but is not limited to, company security policies, employee awareness training, and system testing. Customer credit card information must be protected throughout the entire purchasing process, from point of sale all the way through the cloud and back.



Every company that works with protected healthcare information (PHI) must follow the rules in place under HIPAA. These are strict rules split into three different sections (administrative, physical, and technical) that are set in place in order to protect patient privacy. These rules mainly pertain to how medical information is collected, handled, protected, used, and disclosed. As is the case with PCI DSS, the burden for HIPAA compliance falls on both you and the cloud computing provider.

HIPAA requirements can prove to be even more difficult to comply with in a cloud environment. According to HIPAA, you need to ensure that you have the ability to know exactly where PHI data is being physically stored, how many copies have been made, and whether or not the data has been modified. When housing the data yourself, this standard is easier to meet; in a cloud environment it can be more complicated, as you do not have control over or access to cloud hardware. One way around this is to separate your private and non-private data and to only use cloud computing with non-PHI data.

Another potential issue with using a cloud computing provider with HIPAA data is guaranteeing that PHI data has been completely eliminated upon request. In a virtualized cloud environment this may not always be feasible, as data and virtual servers are moved around regularly and you may not always be sure that the data has been fully wiped as opposed to deleted, where only the index of the file is eliminated. If making the move to a cloud computing environment, it is very important to discuss how and where data is stored (and whether you will have the ability to ascertain this information at any given time), how the data is deleted, and how the data is encrypted while in transit throughout the network and at rest (another HIPAA requirement).

In all cases, it is not sufficient to rest on the fact that a cloud provider claims to be compliant. It is imperative that a discussion takes place where you are able to obtain details about which portions of the vendor’s services have been tested and deemed compliant. It would be helpful to create a checklist of all requirements and to have your potential service provider dictate which of these requirements are managed by them, which are managed by you, and which are co-managed. Confirm that you fully understand which aspects are maintained by the service provider and what you still need to do in order to be fully compliant. In some cases it may be helpful to discuss this with a third party organization that regularly deals with compliance in order to get an objective opinion on the matter. If a company claims that they can provide a 100% compliant solution, you’re advised to take that with a dose of skepticism and a desire to further investigate based on your organization’s specific compliance requirements. In addition, keep in mind that a fully compliant solution that is managed by both you and your provider does not necessarily guarantee total security. The main goal should be to focus on attaining a comfortable level of security, which results in compliance as a by-product. Protecting your customers should always be the main consideration in any third party service agreement, especially when dealing with cloud computing.



The new NIST-based FedRAMP authorization is needed for any cloud service provider that intends to provide cloud computing services to Federal government agencies. While this is a requirement placed on the cloud service provider itself, it might be a good idea for the private sector to look at FedRAMP with a keen eye because it includes a comprehensive control check. Cloud service providers themselves also need to seriously consider preparing along the lines of FedRAMP.

FedRAMP is not a certification by design; it is an authorization to operate. So, effectively, if as a cloud service provider you were to prepare your cloud computing infrastructure along the lines of the FedRAMP requirements, you’re not only compliant with the requirements laid down by NIST and the requirements of FedRAMP itself, you’re quite likely to have covered other information security compliance requirements as well that your customers may come to expect of you. It’s also critical to note that having a FedRAMP compliant infrastructure could enable you to sell cloud computing services to all Federal agencies and serve as a seal of trust and approval for private sector customers as well.


Compliance In The Cloud

The cloud brings with it fresh and lucrative opportunities that businesses the world over can greatly benefit from. However, we do live in a regulated world with strict compliance requirements. Organizations that can find the fine balance between cloud computing and compliance could propel themselves into a new territory of growth and ride the wave in the cloud.


How ERMProtect can Help

As one of the original PCI QSA firms, we are experts at payment card compliance, IT security and data protection. We leverage our 24+ years of experience to secure your payment data, protect your business and manage costs and risk. To speak with a PCI expert on our team, please call (800) 259-9660.

