PCI Compliance in the Cloud
How to keep sensitive data secure as you move to the cloud
Agenda
• About the Cloud
› Evolving Landscape
› What is the Cloud
› Key Compliance Differences
• About PCI DSS
• PCI DSS in the Cloud
About the Cloud
Evolving Payment Landscape
• Mobile Payments
• “Cloud Based” Payment Providers
• Point to Point Encryption
What is the Cloud
• Hosting Provider Private Cloud
› NCR
› IBM/ATT
› Rackspace
• Amazon Cloud
› EC2
• Internal Cloud
› Virtualization within internal datacenter
Key Compliance Differences
• Private vs. Public network
• Physical vs. Logical Access
• Known Physical Boundaries vs. Unknown
• Known Access vs. Unknown
PCI Compliance in the Cloud
What is PCI DSS?
Payment Card Industry Data Security Standard:
• Guidelines for securely processing, storing, or transmitting payment card account data
• Established by leading payment card issuers
• Maintained by the PCI Security Standards Council (PCI SSC)
How Does PCI DSS Apply to the Cloud?
It’s a Wild West Out There…
Our Topic: PCI Compliance in the Cloud
How Does the Compliant Cloud Work?
Minimum requirements: two servers, one in the “DMZ” and one on the internal network
PCI DSS Requirements
Control Objectives / Requirements
Build and maintain a secure network
1. Install and maintain a firewall configuration to protect cardholder data
2. Do not use vendor-supplied defaults for system passwords and other security parameters
Protect cardholder data
3. Protect stored cardholder data
4. Encrypt transmission of cardholder data across open, public networks
Maintain a vulnerability management program
5. Use and regularly update anti-virus software on all systems commonly affected by malware
6. Develop and maintain secure systems and applications
Implement strong access control measures
7. Restrict access to cardholder data by business need-to-know
8. Assign a unique ID to each person with computer access
9. Restrict physical access to cardholder data
Regularly monitor and test networks
10. Track and monitor all access to network resources and cardholder data
11. Regularly test security systems and processes
Maintain an information security policy
12. Maintain a policy that addresses information security
Requirement 1: Firewalls
• Cloud Provider
› Must provide ability for DMZ to be created in the cloud environment; OR
› Must have multiple clouds for DMZ and internal network
• You (the customer)
› Must ensure DMZ has been implemented consistent with PCI requirements
Requirement 2: Configuration Standards
• Cloud provider
› Must prove that secure configurations are implemented for the base platform hosting the VMs.
• You (the customer)
› Must ensure secure configuration exists within the cloud images of the operating systems.
Requirement 3: Protect Stored Cardholder Data
You must ensure stored data is encrypted and protected.
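As an added example (not from this deck), one customer-side way to meet Requirement 3 inside your own cloud images: validate the PAN, then persist only masked, truncated and keyed-hash forms, never the PAN itself. The index key and the card number are constructed sample values; `SAMPLE_INDEX_KEY` and `protect_for_storage` are names chosen here, not a library API.

```python
# Added example: rendering a PAN unreadable before storage (PCI DSS Req. 3).
# Standard library only. The key below is a constructed placeholder; a real
# key lives in a key-management system, never in source or in the VM image.
import hashlib
import hmac
import re

SAMPLE_INDEX_KEY = bytes.fromhex("00" * 32)  # constructed placeholder key


def luhn_valid(pan: str) -> bool:
    """Return True if `pan` is 13-19 digits with a valid Luhn check digit."""
    if not re.fullmatch(r"\d{13,19}", pan):
        return False
    total = 0
    parity = len(pan) % 2
    for i, ch in enumerate(pan):
        d = int(ch)
        if i % 2 == parity:  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Display form: at most the first six and last four digits visible."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def truncate_pan(pan: str) -> str:
    """Storage form that keeps only the last four digits."""
    return pan[-4:]


def pan_index(pan: str, key: bytes) -> str:
    """Keyed one-way hash so records can be matched without storing the PAN.
    An unkeyed SHA-256 would be brute-forceable over the small PAN space."""
    return hmac.new(key, pan.encode(), hashlib.sha256).hexdigest()


def protect_for_storage(pan: str, key: bytes = SAMPLE_INDEX_KEY) -> dict:
    """Build the record that may persist in the cloud image: the full PAN is
    validated, transformed, and then dropped, never written."""
    if not luhn_valid(pan):
        raise ValueError("not a syntactically valid PAN")
    return {
        "masked": mask_pan(pan),
        "last4": truncate_pan(pan),
        "index": pan_index(pan, key),
    }
```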
Requirement 4: Protect Cardholder Data in Transmission
You must ensure data being transmitted is encrypted.
Requirement 5: Antimalware
• Cloud provider
› Must prove that base platform/hypervisors have appropriate antimalware measures
• You (the customer)
› Must ensure all cloud images of operating systems have antimalware measures
Requirement 6: Secure Applications
You must ensure all applications are developed securely and without vulnerabilities.
Requirements 7 & 8: Access Control and User IDs
• Cloud Provider
› Must prove that access control/user IDs have been implemented for the base platform/hypervisor hosting the VMs.
• You (the customer)
› Are responsible for access control within your cloud images of your operating systems.
Requirement 9: Physical Security
• Cloud provider
› Must prove that physical security controls are in place where the base platform hosting the virtual machines is physically located.
• You (the customer)
› Must ensure the cloud you are hosting in has these physical security controls in place.
Requirement 10: Logging and Monitoring
• Cloud Provider
› Must prove that logging is appropriately implemented for base platform/hypervisors hosting the VMs.
› Must prove that logging is appropriately implemented for network and security devices within the environment.
• You (the customer)
› Are responsible for logging within the cloud images of the operating systems.
Requirement 11: Vulnerability Management
• Cloud Provider
› Must prove that vulnerabilities are assessed and removed appropriately for the base platform/hypervisors hosting the VMs.
› Must prove that vulnerabilities are assessed and removed appropriately for network and security devices within the environment.
• You (the customer)
› Are responsible for assessing the internal, external and application vulnerabilities within the cloud images of the operating systems.
Requirement 12: Policies and Procedures
• Cloud Provider
› Must prove that policies exist appropriately for the base platform/hypervisors hosting the VMs.
• You (the customer)
› Must ensure that policies address the security aspects specific to the applications being deployed in the VM.
Key Takeaways as you Make Cloud Decisions
• Ensure Cloud Provider is PCI DSS Certified
› Not in the context of them taking credit cards as a merchant, rather as an infrastructure provider
• Ensure through Report on Compliance (RoC) or service provider compliance matrix that all requirements are covered in scope EXCEPT
› Requirement 3 (Encrypt cardholder data)
› Requirement 4 (Encrypt cardholder transmission)
› Requirement 6 (Application security)
ControlCase Compliant Cloud
How ControlCase Keeps You Compliant
Compliance as a Service (CaaS)
The ControlCase Compliant Cloud
Why Choose ControlCase?
• Global Reach
› Serving more than 400 clients in 40 countries and rapidly growing
• Certified Resources
› PCI DSS Qualified Security Assessor (QSA)
› QSA for Point-to-Point Encryption (QSA P2PE)
› HITRUST
› SOC1, SOC2, SOC3, SSAE16
› Certified ASV vendor
To Learn More About PCI Compliance…
• Visit www.controlcase.com
• Call +1.703.483.6383 (US)
• Call +91.9820293399 (India)
Thank You for Your Time