Date: 2019-10-28

The Payment Card Industry Security Standards Council (PCI SSC) woke up to the onset of cloud last year and released its long-awaited ‘Information Supplement: PCI SSC Cloud Computing Guidelines’.

The reason? To help organizations align their IT with business processes from the beginning, avoiding rip-up-and-start-again scenarios.

However, as with all such regulatory documents, there are still some elements of confusion.

Much of this comes from organizations not taking the time to take a deep dive into the guidance offered and not adopting the advised best practices for cloud adoption.

While the guidelines are not a set of mandatory rules, they highlight some of the issues surrounding where compliance falls when it comes to cloud, and they outline the considerations that need to be made for maintaining security controls in cloud environments.

The cloud is a different beast to legacy on-premises infrastructure…

But we are still primarily dealing with software here. Organizations must not lose sight of the fact that the same rules pretty much apply to the cloud environment as they do for more traditional computing environments.

Any application that comes into contact with cardholder data falls under the PCI DSS and needs to be secured as such.

Technology is evolving; organizations need to be ready to update their compliance

We have seen technology change enormously in little more than a decade, and with the digital economy these changes will keep coming down the pipe.

For this reason, it is crucial that organizations update their PCI DSS compliance in relation to new emerging technologies.

Such technology includes the Internet of Things (IoT), containerization, desktop virtualization and hypervisor introspection, the last of which helps to detect data breaches early and protect sensitive data from being exposed.

But most importantly, organizations must first realize that it isn’t simply a case of migrating to cloud and then shoring up security to address PCI DSS compliance. It isn’t quite that simple.

Cloud models have very different roles and responsibilities

In hybrid cloud, for example, the cloud provider role may be assigned to both internal IT and external partners, depending on which part of the overall cloud infrastructure each is looking after.

Dedicated private clouds, however, might be provisioned off-premises by third-party providers.

You would be surprised how many organizations do not ask where their data is being stored in the cloud. A case of out of sight, out of mind. This is even more worrying considering that this data might include personal data and should meet GDPR requirements (at least for EU data subjects).

It is paramount that cloud users understand their own roles and responsibilities, and those of their cloud service providers, when it comes to protecting their data.

This includes carefully assessing risk if sensitive card data could potentially be stored in multiple locations.

PCI DSS challenges in the cloud

While cloud brings a large number of opportunities to organizations looking to outsource and use centrally managed data storage and security resources, it also has its challenges. This is exacerbated by the fact that clouds come in many flavors, which makes for a complex landscape.

Organizations may not have insight or control over where cardholder data is stored

For example, for high-availability reasons, data could be stored in a number of disparate locations. If this is not outlined and fully documented from the beginning, it can be difficult to collect, correlate and archive the data logs required to meet PCI DSS compliance.

Not all services offered by cloud providers are necessarily incorporated into the provider’s PCI DSS compliance validation. For example, they might not provide the correct reports for an organization’s compliance audits.

It is key that organizations take these challenges into account when they run cloud PCI DSS assessments, in working out how individual requirements are validated and who will be responsible for which activities.

Essentially, do not skip scoping your cloud project when it comes to meeting governance requirements.

What does PCI DSS compliant really mean?

It is important to note that just because you are using a PCI DSS compliant cloud provider it does not mean that you automatically get PCI DSS compliance passed on to you.

This isn’t as bewildering as it sounds. It is a straightforward case of the organization checking with the cloud provider to make sure the cloud provider is PCI DSS compliant and that the services being adopted by the organization are covered in the cloud provider’s PCI DSS compliance validation.

It is also essential to check that those services meet the organization’s own individual PCI DSS compliance needs.

The organization is still responsible for ensuring that cardholder data is protected in line with the PCI DSS controls. Unfortunately, this is often left off agendas, which ultimately causes major problems later.

This is not a ‘do once and forget’ task either. It is important that organizations carry out the relevant due diligence with service contracts, SLAs and so forth to make sure they maintain their PCI compliant status.


Delivering on compliance – a real life example

As part of its preparation for the annual audit, a large travel company wanted to move its credit card processing application to a separate Cardholder Data Environment (CDE) on-premises, with the aim of optimizing application control and security while enhancing the user experience.

Due to seasonal travel plans, the company only had a short window of six months to get PCI DSS audit ready and bring its CDE in-house, which required re-working of the application.

To achieve this and meet the company’s PCI DSS Level 1 audit:

We set up a PCI DSS compliant private hosted cloud solution in one of our secure data centers in the UK.

We also installed the IT programs crucial for its re-designed credit card processing application to run. This ensured the travel company could meet its deadline of moving the application to the new PCI DSS compliant infrastructure and testing it prior to the audit.

At the same time, integrating the redesigned credit card processing application with its existing IT infrastructure meant that the application’s capabilities were optimized while retaining a familiar interface for users.

We delivered this complex re-designed solution by the customer’s deadline. This demonstrates how our skills as a PCI hosting and management provider helped a company interpret the PCI DSS rules swiftly and accurately and pass the audit.

The devil is in the details

We cannot emphasize the importance of careful planning here enough.

Before moving any payment data to the cloud, organizations need to make certain they have their PCI DSS compliance carefully mapped out.

When it comes to current and emerging technologies, you must acknowledge that compliance is a continuous process and a shared responsibility with your selected cloud services provider.

By providing a clear definition of roles and responsibilities from the outset, you should have few, if any, bumps in your PCI DSS journey to the cloud.

Collaborating with a managed service provider that holds PCI DSS compliance helps pave the way to governance in the minefield that is hybrid cloud.

About the author

Daniel Toledo: CISO and GRC Director at NTT

Having started his career back in 2005 as an IT engineer in Venezuela, Daniel quickly moved into the area of security, specializing in PCI. Having joined NTT seven years ago, he now spearheads the Information Security Office in our Barcelona HQ office and is directly responsible for NTT achieving and maintaining the essential ISO certifications (as well as SOC 2, PCI, LOPD, and GDPR). He describes his role as: “Providing a structured approach to aligning IT with business objectives, while effectively managing risk and meeting compliance requirements.”