PCI DSS Compliance Cloud: How Merchants Can Store Payment Data
1. PCI-DSS COMPLIANCE ON THE CLOUD
HOW TO OUTSOURCE PAYMENT DATA STORAGE ON THE CLOUD: E-COMMERCE & M-COMMERCE
@halloussi, by Mr EL ALLOUSSI, Dubai, December 2013
2. Summary
1. Cloud Computing: Definitions
2. E-commerce/m-commerce: An overview
3. The Payment Card Industry Data Security Standard (PCI DSS)
4. PCI DSS on Cloud: New challenges
4. Definition of Cloud Computing (NIST)
A service which:
Maintains a pool of hardware resources to maximize service and minimize cost
Resource efficiency permits hardware refresh and migration of customer workloads
6. 3 Cloud Service Models
1. Cloud Software as a Service (SaaS): use the provider’s applications over a network
2. Cloud Platform as a Service (PaaS): deploy customer-created applications to a cloud
3. Cloud Infrastructure as a Service (IaaS): rent processing, storage, network capacity, and other fundamental computing resources
7. 4 Cloud Deployment Models
Private cloud: enterprise owned or leased
Community cloud: shared infrastructure for a specific community
Public cloud: sold to the public, mega-scale infrastructure
Hybrid cloud: composition of two or more clouds
9. Definition of e-commerce/m-commerce
E-commerce or electronic commerce is the buying and selling of products or services via the web, the Internet or other computer networks. M-commerce or mobile commerce is the buying of products or services via a mobile device such as a smartphone, PDA, etc.
10. Types of e-Commerce
Business to Consumer (B2C): the seller is a business organization and the buyer is a consumer.
Business to Business (B2B): the seller and the buyer are both business organizations.
Consumer to Consumer (C2C): the seller is a consumer and the buyer is a consumer.
Consumer to Business (C2B): the consumer names a price they are willing to pay for a requirement, and business organizations decide whether to meet the requirement for that price. Because this is consumer driven rather than seller driven, it is a C2B model.
11. Card payment: The stakeholders
Card holder: a person holding a payment card (the consumer in B2C).
Merchant: the business organization selling the goods and services (the merchant sets up a contract known as a merchant account with an acquirer).
Service provider: this could be the merchant itself (Merchant Service Provider (MSP)) or an independent sales organization providing some or all of the payment services for the merchant.
Acquirer or acquiring bank: connects to a card brand network for payment processing and also has a contract for payment services with a merchant.
Issuing bank: the entity that issues the payment cards to the card holders.
Card brand: a payment system (called an association network) with its own processors and acquirers (such as Visa, MasterCard or CMI card in Morocco).
13. Why is PCI Here?
Criminals need money. Where are the most cards? In computers. Credit cards = MONEY.
Data theft grows and reaches HUGE volume.
Some organizations still don’t care… especially if the loss is not theirs.
PAYMENT CARD BRANDS ENFORCE DSS!
14. PCI DSS requirements
Activities and the requirements describing them:
Build and maintain a secure network.
  1. Install and maintain a firewall configuration to protect data; this includes a firewall on the client.
  2. Do not use vendor-supplied defaults for system passwords and other security parameters.
Protect cardholder data.
  3. Protect stored cardholder data.
  4. Encrypt transmission of cardholder data and sensitive information across open, public networks.
Maintain a vulnerability management program.
  5. Use and regularly update antivirus software.
  6. Develop and maintain secure systems and applications.
Implement strong access control measures.
  7. Restrict access to data by business need-to-know.
  8. Assign a unique ID to each person with computer access.
  9. Restrict access to cardholder data.
Regularly monitor and test networks.
  10. Track and monitor all access to network resources and cardholder data.
  11. Regularly test security systems and processes.
Maintain an information security policy.
  12. Maintain a policy that addresses information security.
17. PCI DSS Cloud Computing Guidelines (2013)
The responsibilities delineated between the client and the Cloud Service Provider (CSP) for managing PCI DSS controls are influenced by a number of variables, including:
The purpose for which the client is using the cloud service
The scope of PCI DSS requirements that the client is outsourcing to the CSP
The services and system components that the CSP has validated within its own operations
The service option that the client has selected to engage the CSP (IaaS, PaaS or SaaS)
The scope of any additional services the CSP is providing to proactively manage the client’s compliance (for example, additional managed security services)
18. PCI DSS Cloud Computing Guidelines (2013)
Define responsibilities such as in the following example:
20. CSA Cloud Controls Matrix
Controls derived from guidance
Mapped to familiar frameworks: ISO 27001, COBIT, PCI, HIPAA
Rated as applicable to SaaS/PaaS/IaaS
Customer vs Provider role
Helps bridge the “cloud gap” for IT & IT auditors
https://cloudsecurityalliance.org/research/projects/cloud-controls-matrix-ccm/
21. CSA Cloud Controls Matrix
The Cloud Security Alliance Cloud Controls Matrix (CCM) provides a controls framework in 13 domains aligned with industry-accepted security standards, regulations, and controls frameworks such as:
ISO 27001/27002
ISACA COBIT
PCI DSS
NIST
BITS
GAPP
HIPAA/HITECH
Jericho Forum
NERC CIP
23. Example: Requirement 12.8
Q: Does PCI DSS apply to merchants who use payment gateways to process transactions on their behalf, and thus never store, process or transmit cardholder data?
A: PCI DSS requirements are applicable if a Primary Account Number (PAN) is stored, processed, or transmitted. If PAN is not stored, processed, or transmitted, PCI DSS requirements do not apply.
… however …
24. Example: Requirement 12.8
“If the merchant shares cardholder data with a … service provider, the merchant must ensure that there is an agreement with that … service provider that includes their acknowledgement that the third party processor/service provider is responsible for the security of the cardholder data it possesses.
In lieu of a direct agreement, the merchant must obtain evidence of the … provider's compliance with PCI DSS via other means, such as via a letter of attestation.”
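The scoping answer above (PCI DSS applies only where a PAN is stored, processed or transmitted) and Requirement 3 (protect stored cardholder data) both come down to concrete checks a merchant can automate. As an added example, not code from the presentation or from the PCI SSC, the Python below uses a Luhn-filtered pattern to decide whether a data store or log actually contains PANs, masks any it finds, and shows a storage form that keeps only the truncated PAN plus a keyed hash. The log lines, the card numbers (well-known brand test numbers) and the HMAC key are constructed for the example; in a real deployment the key would live in a KMS or HSM, and the detector would be one input to a scoping review rather than the whole of it.

```python
import hashlib
import hmac
import re

# Constructed demo key; a real key is held in a KMS/HSM, never in source.
HMAC_KEY = b"constructed-demo-key-not-for-production"

# 13-19 digits, optionally separated by single spaces or hyphens, and not
# embedded in a longer run of digits (so order ids and phone numbers pass).
CANDIDATE_RE = re.compile(r"(?<!\d)\d(?:[ -]?\d){12,18}(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Luhn check used by the card brands; filters out random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(text: str) -> list:
    """Return every Luhn-valid 13-19 digit number found in text (separators removed)."""
    found = []
    for m in CANDIDATE_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_valid(digits):
            found.append(digits)
    return found


def in_pci_scope(lines) -> bool:
    """True when any line carries a PAN, i.e. this data store is in scope."""
    return any(find_pans(line) for line in lines)


def mask_pan(pan: str) -> str:
    """Display form: at most the first six and last four digits visible."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scrub_line(line: str) -> str:
    """Replace each Luhn-valid PAN in a log line with its masked form."""
    def repl(m):
        digits = re.sub(r"[ -]", "", m.group(0))
        return mask_pan(digits) if luhn_valid(digits) else m.group(0)
    return CANDIDATE_RE.sub(repl, line)


def stored_form(pan: str) -> dict:
    """Storage form: truncated PAN for display plus a keyed hash for lookups.

    Neither field lets the full PAN be recovered, so the record itself is not
    cleartext cardholder data.
    """
    return {
        "last4": pan[-4:],
        "pan_hmac": hmac.new(HMAC_KEY, pan.encode(), hashlib.sha256).hexdigest(),
    }


# Constructed sample log lines; 4111 1111 1111 1111 is a public test number.
SAMPLE_LOG = [
    "2013-12-01 10:02:11 order=1001 card=4111 1111 1111 1111 amount=49.90",
    "2013-12-01 10:02:12 order=1002 token=tok_8f3a amount=12.00",
    "2013-12-01 10:02:13 order=1003 ref=0612345678901234 amount=5.00",
]

if __name__ == "__main__":
    print("in scope:", in_pci_scope(SAMPLE_LOG))
    for line in SAMPLE_LOG:
        print(scrub_line(line))
    print(stored_form("4111111111111111"))
```

The third sample line holds a 16-digit reference that fails the Luhn check, so it is neither flagged nor masked; the second line carries only a gateway token, which is the situation the Q&A describes where PCI DSS would not apply to that store. A keyed hash (HMAC) rather than a plain SHA-256 is used because the PAN space is small enough to brute-force an unkeyed hash.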
25. Example: Amazon / Requirement 9
Q: “Do QSAs for Level 1 merchants require a physical walkthrough of a service provider’s data center?
A: No. A merchant can obtain certification without a physical walkthrough of a service provider’s data center if the service provider is a Level 1 validated service provider (such as AWS). A merchant’s QSA can rely on the work performed by our QSA, which included an extensive review of the physical security of our data centers.”
26. PCI SSC on Cloud Challenges
“The distributed architectures of cloud environments add layers of technology and complexity to the environment.
Public cloud environments are designed to be public-facing, to allow access into the environment from anywhere on the Internet.
The infrastructure is by nature dynamic, and boundaries between tenant environments can be fluid.
The hosted entity has limited or no visibility into the underlying infrastructure and related security controls.
The hosted entity has limited or no oversight or control over cardholder data storage.
The hosted entity has no knowledge of “who” they are sharing resources with, or the potential risks their hosted neighbors may be introducing to the host system, data stores, or other resources shared across a multi-tenant environment”