PCI-DSS COMPLIANCE ON THE CLOUD
HOW TO OUTSOURCE PAYMENT DATA STORAGE ON THE CLOUD: E-COMMERCE & M-COMMERCE
By Mr EL ALLOUSSI (@halloussi), Dubai, December 2013
Summary
1. Cloud Computing: Definitions
2. e-commerce/m-commerce: An overview
3. The Payment Card Industry Data Security Standard (PCI DSS)
4. PCI DSS on Cloud: New challenges
Cloud Computing: Definitions
Definition of Cloud Computing (NIST)
A service which:
- Maintains a pool of hardware resources to maximize service and minimize cost
- Resource efficiency permits hardware refresh and migration of customer workloads
5 Essential Cloud Characteristics
1. On-demand self-service
2. Broad network access
3. Resource pooling (location independence)
4. Rapid elasticity
5. Measured service
3 Cloud Service Models
1. Cloud Software as a Service (SaaS): use the provider's applications over a network
2. Cloud Platform as a Service (PaaS): deploy customer-created applications to a cloud
3. Cloud Infrastructure as a Service (IaaS): rent processing, storage, network capacity, and other fundamental computing resources
4 Cloud Deployment Models
- Private cloud: enterprise owned or leased
- Community cloud: shared infrastructure for a specific community
- Public cloud: sold to the public, mega-scale infrastructure
- Hybrid cloud: composition of two or more clouds
e-commerce/m-commerce: An overview
Definition of e-commerce/m-commerce
E-commerce or electronic commerce is the buying and selling of products or services via the web, the Internet or other computer networks. M-commerce or mobile commerce is the buying of products or services via a mobile device such as a smartphone or PDA.
Types of e-Commerce
- Business to Consumer (B2C): the seller is a business organization and the buyer is a consumer.
- Business to Business (B2B): the seller and the buyer are both business organizations.
- Consumer to Consumer (C2C): both the seller and the buyer are consumers.
- Consumer to Business (C2B): the consumer names a price they are willing to pay for a requirement, and business organizations decide whether to meet the requirement at that price. Because this is consumer driven rather than seller driven, it is a C2B model.
Card payment: The stakeholders
- Card holder: a person holding a payment card (the consumer in B2C).
- Merchant: the business organization selling the goods and services. The merchant sets up a contract, known as a merchant account, with an acquirer.
- Service provider: this can be the merchant itself (merchant service provider, MSP) or an independent sales organization providing some or all of the payment services for the merchant.
- Acquirer or acquiring bank: connects to a card brand network for payment processing and holds a contract for payment services with the merchant.
- Issuing bank: the entity that issues payment cards to the card holders.
- Card brand: a payment system (called an association network) with its own processors and acquirers, such as Visa, MasterCard or the CMI card in Morocco.
The Payment Card Industry Data Security Standard (PCI DSS)
Why is PCI Here?
Criminals need money. Where are the most cards? In computers. Credit cards = MONEY.
Data theft grows and reaches HUGE volume.
Some organizations still don’t care… especially if the loss is not theirs.
PAYMENT CARD BRANDS ENFORCE DSS!
PCI DSS requirements
Activities, and the requirements describing them:

Build and maintain a secure network.
1. Install and maintain a firewall configuration to protect data; this includes a firewall on the client.
2. Do not use vendor-supplied defaults for system passwords and other security parameters.

Protect cardholder data.
3. Protect stored cardholder data.
4. Encrypt transmission of cardholder data and sensitive information across open, public networks.

Maintain a vulnerability management program.
5. Use and regularly update antivirus software.
6. Develop and maintain secure systems and applications.

Implement strong access control measures.
7. Restrict access to data by business on a need-to-know basis.
8. Assign a unique ID to each person with computer access.
9. Restrict physical access to cardholder data.

Regularly monitor and test networks.
10. Track and monitor all access to network resources and cardholder data.
11. Regularly test security systems and processes.

Maintain an information security policy.
12. Maintain a policy that addresses information security.
EXAMPLE
PCI DSS on Cloud: New challenges
PCI DSS Cloud Computing Guidelines (2013)
- The responsibilities delineated between the client and the Cloud Service Provider (CSP) for managing PCI DSS controls are influenced by a number of variables, including:
  - The purpose for which the client is using the cloud service
  - The scope of PCI DSS requirements that the client is outsourcing to the CSP
  - The services and system components that the CSP has validated within its own operations
  - The service option that the client has selected to engage the CSP (IaaS, PaaS or SaaS)
  - The scope of any additional services the CSP is providing to proactively manage the client’s compliance (for example, additional managed security services)
PCI DSS Cloud Computing Guidelines (2013)
- Define responsibilities, such as in the following example:
CSA Cloud Controls Matrix
- Controls derived from guidance
- Mapped to familiar frameworks: ISO 27001, COBIT, PCI, HIPAA
- Rated as applicable to SaaS/PaaS/IaaS
- Customer vs Provider role
- Helps bridge the “cloud gap” for IT & IT auditors
https://cloudsecurityalliance.org/research/projects/cloud-controls-matrix-ccm/
CSA Cloud Controls Matrix
- The Cloud Security Alliance Cloud Controls Matrix (CCM) provides a controls framework in 13 domains aligned with industry-accepted security standards, regulations, and controls frameworks such as:
  - ISO 27001/27002
  - ISACA COBIT
  - PCI DSS
  - NIST
  - BITS
  - GAPP
  - HIPAA/HITECH
  - Jericho Forum
  - NERC CIP
CSA Cloud Controls Matrix
Cloud Controls Matrix domains include:
- Compliance
- Data Governance
- Facility Security
- Human Resource Security
- Information Security
- Legal
- Operations Management
- Risk Management
- Release Management
- Resiliency
- Security Architecture
Example: Requirement 12.8
Q: Does PCI DSS apply to merchants who use payment gateways to process transactions on their behalf, and thus never store, process or transmit cardholder data?
A: PCI DSS requirements are applicable if a Primary Account Number (PAN) is stored, processed, or transmitted. If PAN is not stored, processed, or transmitted, PCI DSS requirements do not apply.
… however …
Example: Requirement 12.8
“If the merchant shares cardholder data with a … service provider, the merchant must ensure that there is an agreement with that … service provider that includes their acknowledgement that the third party processor/service provider is responsible for the security of the cardholder data it possesses. In lieu of a direct agreement, the merchant must obtain evidence of the … provider's compliance with PCI DSS via other means, such as via a letter of attestation.”
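The applicability test in the Q&A above (PCI DSS applies wherever a PAN is stored, processed or transmitted) means a merchant that believes it only holds gateway tokens still needs a way to confirm that no PAN has leaked into its own stores; application logs are the usual place this happens, which drags the log store into scope for Requirement 3 (protect stored cardholder data). The following is an added example and not part of the original deck: a small Python scanner that finds 13 to 19 digit sequences in log lines, keeps only those that pass the Luhn check that every real PAN satisfies, and masks them to the first six and last four digits (the maximum PCI DSS allows to be displayed). The log lines, the token format and the field names are constructed for illustration; the card numbers used are the well-known Visa and MasterCard test numbers.

```python
import re
from typing import List, Tuple

# Candidate PAN: 13 to 19 digits, optionally separated by single spaces or
# dashes, and not glued to other digits on either side.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Constructed sample log lines (not from any real system). Line 1 carries a
# 16-digit order id that is NOT a card number; lines 2 and 3 carry well-known
# test card numbers; line 4 holds only a token reference.
SAMPLE_LOG = [
    "2013-12-04 10:15:22 INFO checkout order=1234567890123456 amount=49.90",
    "2013-12-04 10:15:23 DEBUG gateway request card=4111 1111 1111 1111 exp=12/15",
    "2013-12-04 10:15:24 DEBUG retry card=5500-0000-0000-0004",
    "2013-12-04 10:15:25 INFO token=tok_8f3a9c2d stored for customer 4471",
]


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn mod-10 check.

    Every real PAN passes Luhn, so the check filters out most order ids,
    timestamps and other long digit runs that merely look like card numbers.
    """
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Mask a PAN to its first six and last four digits, replacing the
    middle digits with asterisks."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def scan_line(line: str) -> Tuple[str, int]:
    """Mask every Luhn-valid PAN candidate in one line.

    Returns the masked line and the number of PANs found. Digit runs that
    fail Luhn are left untouched so legitimate identifiers survive.
    """
    found = 0

    def replace(match):
        nonlocal found
        digits = re.sub(r"[ -]", "", match.group(0))
        if luhn_valid(digits):
            found += 1
            return mask_pan(digits)
        return match.group(0)

    return PAN_CANDIDATE.sub(replace, line), found


def scan_log(lines: List[str]) -> Tuple[List[str], List[Tuple[int, int]]]:
    """Scan a log; return the masked lines and (line number, PAN count)
    findings. A non-empty findings list means PAN has leaked into the log,
    so the log store is in PCI DSS scope until the leak is fixed."""
    masked: List[str] = []
    findings: List[Tuple[int, int]] = []
    for number, line in enumerate(lines, start=1):
        new_line, count = scan_line(line)
        masked.append(new_line)
        if count:
            findings.append((number, count))
    return masked, findings


if __name__ == "__main__":
    masked_lines, hits = scan_log(SAMPLE_LOG)
    for number, count in hits:
        print(f"line {number}: {count} PAN(s) found and masked")
    print("\n".join(masked_lines))
```

Run against the sample, the scanner reports lines 2 and 3 and leaves the 16-digit order id on line 1 alone because it fails Luhn. In practice the same routine is run over log pipelines or database exports as a recurring scoping check, and any hit is treated as an incident: the source that wrote the PAN is fixed, and the affected store is handled as cardholder data until it is purged.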
Example: Amazon / Requirement 9
Q: “Do QSAs for Level 1 merchants require a physical walkthrough of a service provider’s data center?
A: No. A merchant can obtain certification without a physical walkthrough of a service provider’s data center if the service provider is a Level 1 validated service provider (such as AWS). A merchant’s QSA can rely on the work performed by our QSA, which included an extensive review of the physical security of our data centers.”
PCI SSC on Cloud Challenges
“The distributed architectures of cloud environments add layers of technology and complexity to the environment.
Public cloud environments are designed to be public-facing, to allow access into the environment from anywhere on the Internet.
The infrastructure is by nature dynamic, and boundaries between tenant environments can be fluid.
The hosted entity has limited or no visibility into the underlying infrastructure and related security controls.
The hosted entity has limited or no oversight or control over cardholder data storage.
The hosted entity has no knowledge of “who” they are sharing resources with, or the potential risks their hosted neighbors may be introducing to the host system, data stores, or other resources shared across a multi-tenant environment.”
Questions?
THANK YOU
@halloussi
fr.slideshare.net/alloussi

04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
 
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreter
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slides
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonets
 

PCI DSS Compliance Cloud: How Merchants Can Store Payment Data

  • 11. Card payment: The stakeholders
    • Card holder: a person holding a payment card (the consumer in B2C).
    • Merchant: the business organization selling the goods and services (the merchant sets up a contract, known as a merchant account, with an acquirer).
    • Service provider: this could be the merchant itself (merchant service provider, MSP) or an independent sales organization providing some or all of the payment services for the merchant.
    • Acquirer or acquiring bank: connects to a card brand network for payment processing and also has a contract for payment services with the merchant.
    • Issuing bank: the entity that issues payment cards to card holders.
    • Card brand: a payment system (called an association network) with its own processors and acquirers (such as Visa, MasterCard or CMI card in Morocco).
  • 12. The Payment Card Industry Data Security Standard (PCI DSS)
  • 13. Why is PCI here?
    Criminals need money. Where are the most cards? In computers.
    Credit cards = MONEY.
    Data theft grows and reaches HUGE volume.
    Some organizations still don’t care… especially if the loss is not theirs.
    PAYMENT CARD BRANDS ENFORCE DSS!
  • 14. PCI DSS requirements (activities and the requirements describing them)
    Build and maintain a secure network:
      1. Install and maintain a firewall configuration to protect data; this includes a firewall on the client.
      2. Do not use vendor-supplied defaults for system passwords and other security parameters.
    Protect cardholder data:
      3. Protect stored cardholder data.
      4. Encrypt transmission of cardholder data and sensitive information across open, public networks.
    Maintain a vulnerability management program:
      5. Use and regularly update antivirus software.
      6. Develop and maintain secure systems and applications.
    Implement strong access control measures:
      7. Restrict access to data by business need-to-know.
      8. Assign a unique ID to each person with computer access.
      9. Restrict access to cardholder data.
    Regularly monitor and test networks:
      10. Track and monitor all access to network resources and cardholder data.
      11. Regularly test security systems and processes.
    Maintain an information security policy:
      12. Maintain a policy that addresses information security.
  • 16. PCI DSS on Cloud: New challenges
  • 17. PCI DSS Cloud Computing Guidelines (2013)
    The responsibilities delineated between the client and the Cloud Service Provider (CSP) for managing PCI DSS controls are influenced by a number of variables, including:
    • The purpose for which the client is using the cloud service
    • The scope of PCI DSS requirements that the client is outsourcing to the CSP
    • The services and system components that the CSP has validated within its own operations
    • The service option that the client has selected to engage the CSP (IaaS, PaaS or SaaS)
    • The scope of any additional services the CSP is providing to proactively manage the client’s compliance (for example, additional managed security services)
  • 18–19. PCI DSS Cloud Computing Guidelines (2013)
    Define responsibilities such as in the following example:
    [Responsibility-assignment example tables from slides 18 and 19; not reproduced in the transcript]
  • 20. CSA Cloud Controls Matrix
    • Controls derived from guidance
    • Mapped to familiar frameworks: ISO 27001, COBIT, PCI, HIPAA
    • Rated as applicable to SaaS/PaaS/IaaS
    • Customer vs. provider role
    • Helps bridge the “cloud gap” for IT and IT auditors
    https://cloudsecurityalliance.org/research/projects/cloud-controls-matrix-ccm/
  • 21. CSA Cloud Controls Matrix
    The Cloud Security Alliance Cloud Controls Matrix (CCM) provides a controls framework in 13 domains aligned with industry-accepted security standards, regulations, and controls frameworks such as:
    • ISO 27001/27002
    • ISACA COBIT
    • PCI DSS
    • NIST
    • BITS
    • GAPP
    • HIPAA/HITECH
    • Jericho Forum
    • NERC CIP
  • 22. CSA Cloud Controls Matrix
    Cloud Controls Matrix domains include:
    • Compliance
    • Data Governance
    • Facility Security
    • Human Resource Security
    • Information Security
    • Legal
    • Operations Management
    • Risk Management
    • Release Management
    • Resiliency
    • Security Architecture
  • 23. Example: Requirement 12.8
    Q: Does PCI DSS apply to merchants who use payment gateways to process transactions on their behalf, and thus never store, process or transmit cardholder data?
    A: PCI DSS requirements are applicable if a Primary Account Number (PAN) is stored, processed, or transmitted. If PAN is not stored, processed, or transmitted, PCI DSS requirements do not apply.
    … however …
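The scoping rule on slide 23 (PCI DSS applies if a PAN is stored, processed or transmitted) and requirement 3 on slide 14 (protect stored cardholder data) both turn on one practical question: does a PAN actually sit in the merchant's systems, including places nobody intended, such as application logs? The following Python scanner is an added example, not code from the deck or from the PCI SSC; it finds Luhn-valid PAN candidates in a few constructed log lines, reports which lines put the system in scope, and masks every digit but the last four so the log can be retained. The sample log lines, the test card number and the function names are all constructed for the example.

```python
import re

# Constructed sample log lines (not from the deck). Line 1 carries a
# Luhn-valid test PAN, line 2 a 16-digit reference that fails the Luhn
# check, line 3 no card data at all.
SAMPLE_LOG = [
    "2013-12-01 10:01:02 order=1001 card=4111111111111111 status=approved",
    "2013-12-01 10:01:05 order=1002 ref=1234567890123456 status=declined",
    "2013-12-01 10:01:09 order=1003 amount=19.99 status=approved",
]

# 13 to 19 digits, optionally separated by spaces or dashes, not glued to
# other digits on either side.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Luhn mod-10 check used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def _normalize(candidate: str) -> str:
    return re.sub(r"[ -]", "", candidate)


def find_pans(line: str) -> list:
    """Return the Luhn-valid PANs (digits only) found in one line."""
    found = []
    for m in PAN_CANDIDATE.finditer(line):
        digits = _normalize(m.group(0))
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            found.append(digits)
    return found


def mask_pan(pan: str) -> str:
    """Keep only the last four digits, the rest is replaced by '*'."""
    return "*" * (len(pan) - 4) + pan[-4:]


def mask_line(line: str) -> str:
    """Mask every Luhn-valid PAN in a line; other digit runs stay untouched."""
    def repl(m):
        digits = _normalize(m.group(0))
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            return mask_pan(digits)
        return m.group(0)
    return PAN_CANDIDATE.sub(repl, line)


def scan(lines) -> dict:
    """Map 1-based line numbers to the PANs found on that line."""
    hits = {}
    for n, line in enumerate(lines, 1):
        pans = find_pans(line)
        if pans:
            hits[n] = pans
    return hits


def in_pci_scope(lines) -> bool:
    """Slide 23's test: any stored PAN brings the system into PCI DSS scope."""
    return bool(scan(lines))


if __name__ == "__main__":
    for n, pans in scan(SAMPLE_LOG).items():
        print(f"line {n}: {len(pans)} PAN(s) found, system is in scope")
    for line in SAMPLE_LOG:
        print(mask_line(line))
```

The Luhn check is what keeps the scan from flagging every 16-digit order reference; it does not prove a number is a live card, so a hit is a lead for the assessor to confirm, not a finding on its own. Run the same scan over database dumps and backups before deciding, as the Q&A on slides 23 and 24 requires, whether the merchant or the service provider holds the cardholder data.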
  • 24. Example: Requirement 12.8
    “If the merchant shares cardholder data with a … service provider, the merchant must ensure that there is an agreement with that … service provider that includes their acknowledgement that the third party processor/service provider is responsible for the security of the cardholder data it possesses. In lieu of a direct agreement, the merchant must obtain evidence of the … provider's compliance with PCI DSS via other means, such as via a letter of attestation.”
  • 25. Example: Amazon / Requirement 9
    Q: “Do QSAs for Level 1 merchants require a physical walkthrough of a service provider’s data center?”
    A: “No. A merchant can obtain certification without a physical walkthrough of a service provider’s data center if the service provider is a Level 1 validated service provider (such as AWS). A merchant’s QSA can rely on the work performed by our QSA, which included an extensive review of the physical security of our data centers.”
  • 26. PCI SSC on Cloud Challenges
    “The distributed architectures of cloud environments add layers of technology and complexity to the environment. Public cloud environments are designed to be public-facing, to allow access into the environment from anywhere on the Internet. The infrastructure is by nature dynamic, and boundaries between tenant environments can be fluid. The hosted entity has limited or no visibility into the underlying infrastructure and related security controls. The hosted entity has limited or no oversight or control over cardholder data storage. The hosted entity has no knowledge of “who” they are sharing resources with, or the potential risks their hosted neighbors may be introducing to the host system, data stores, or other resources shared across a multi-tenant environment.”
  • 27. Questions? THANK YOU @halloussi fr.slideshare.net/alloussi