If your business collects credit card payments, that business model has to rest on a foundation of effective payment security. PCI DSS compliance is the baseline of security and governance you need to protect your customers' cardholder data.
More and more confidential business information now lives in the cloud, and cloud deployments bring their own challenges for PCI DSS compliance. Here are the key PCI DSS considerations you can't afford to lose sight of while protecting your clients' card data in the cloud.
The burden of maintaining payment card data security in the cloud doesn't fall on one party alone. In most deployments it is shared between the client organisation and its chosen cloud service provider, or CSP.
PCI DSS requirements apply to every software and hardware component you use to store, process or transmit cardholder data. They also cover the validation of your CSP's infrastructure and the way you use the environments and tools it provides. To be effective, your PCI DSS controls must be matched to the specifics of the cloud implementation they are applied to.
The service-level agreement, or SLA, between you and your CSP spells out what you can and cannot do with its cloud services. Its particulars must also guide your PCI DSS decisions.
The deployment model specified in your SLA determines how much control you have over PCI DSS and other security controls. The typical deployment models, as defined by NIST, are private, community, public and hybrid cloud.[1]
Your SLA also defines the service model through which you receive the software you license. In most cases your agreement will draw from the three commonplace service types in the same NIST definition: Software as a Service (SaaS), Platform as a Service (PaaS) and Infrastructure as a Service (IaaS).[1]
Each cloud model inherently dictates who is able to implement a given security control. Your responsibilities and those of your CSP shift as your deployment changes. The PCI Security Standards Council advises businesses to obtain SLAs that lay out the compliance ground rules clearly and in advance.[2]
For instance, if you operate a private cloud deployment on your own premises, you are the only entity that can secure the physical facility. If you go the hybrid route, keeping some data on your private cloud and the rest in a public cloud such as Amazon AWS or Google Cloud Storage, hardware access controls and other physical security measures for the public portion are left to those vendors. Depending on the service model you use, your CSP may also take on responsibility for maintaining a secure operating system on the servers that host your applications: in a PaaS or SaaS arrangement the OS is the provider's to patch and harden, whereas in IaaS it is typically yours.
Working business systems are built from many discrete layers. Cloud deployments commonly rely on third-party tools and software APIs in addition to distinct networking, storage and processing hardware. Whatever service options your CSP offers to help you stay compliant, you still need governance policies that cover every layer you are responsible for.
How do you build an effective, comprehensive PCI DSS governance strategy? Your specific obligations will vary with your SLA, service type and deployment model, but you should also think about the following factors.
The way you use card data determines your PCI DSS scope. If you only pass card data through to a payment processor and never retain it after a transaction is authorised, your scope is narrower than that of a merchant who stores it. Every system that stores, processes or transmits cardholder data, even briefly, remains in scope, and any card data you do keep must be rendered unreadable wherever it is stored.
Offering extra features can expand your obligations considerably. Suppose you also let customers save payment details for later purchases. PCI guidance recommends minimising the storage, processing and transmission of card data in the cloud, and the systems that hold stored card data, whether in the cloud or in-house, are fully in scope, so you will have to secure them to PCI DSS standards either way.
You're not your CSP's only client. Your provider must enforce separation between your data and other tenants' data through some form of segmentation, such as isolated operating systems, dedicated servers or separate virtual machines, and you need to understand which mechanism it uses.
Depending on the service model, controls such as network firewalls, continuous traffic logging, multi-factor authentication for administrative access, and segmentation of data stores and processing resources commonly fall within the CSP's obligations. Even so, you benefit from knowing exactly which steps your CSP takes, both to confirm that nothing falls between the two parties and to guide the controls you implement yourself.
Validation and PCI DSS compliance go hand in hand. Before signing an SLA with any CSP, confirm that the provider holds a current PCI DSS Attestation of Compliance as a service provider, and check that the services you intend to use are actually covered by that attestation.
Effective governance is a major undertaking. The subtleties of the different service and deployment models make it unwise to take a CSP at its word, and it is impractical to verify by hand that your provider's security measures are free of vulnerabilities.
Every merchant deployment is unique. Whether you host everything in-house, use shopping cart software or simply rely on a content management system to serve your product images more quickly, it is up to you to identify and close the security gaps.
If your business is looking to become PCI DSS compliant, StickmanCyber's PCI DSS compliance service uses a 5-step methodology to help you build trust with your customers and secure your transactions through PCI DSS compliance.
[1] http://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-145.pdf
[2] https://www.pcisecuritystandards.org/pdfs/PCI_DSS_v2_Cloud_Guidelines.pdf