PCI Compliance for Cloud Applications

Transcription

1 What Is It? The Payment Card Industry Data Security Standard (PCIDSS), in particular v3.0, aims to reduce credit card fraud by minimizing the risks associated with the transmission, processing, and storage of credit card data in the rapidly evolving threat landscape. Who Should Care Any business entity, in any industry sector, involved in the processing, storage, and transmission of credit card transactions or cardholder data. If your business is in one way or another accepting, receiving, processing, transmitting, storing or issuing credit card data on your behalf or on behalf of other entities, or if you are subcontracting these activities to other entities, then you are responsible for complying with the standards. Why Comply The Contractual Angle PCIDSS is not a regulation, such as HIPAA, FISMA or NERC, nor is it a guideline such as Council on CyberSecurity Top 20 or OWASP; but a contractual obligation associated with financial penalties in case of non-compliance and breaches. Complying with the standard allows organizations to minimize, or even nullify, these penalties - especially important since they grow proportionally with the number of cards compromised. 1

2 The Trust Factor More than just a contractual obligation, PCI DSS is vehicle to implement security best practices. Complying with PCI DSS demonstrates an adequate level of protection of the customer s data. Additionally, PCI DSS is increasingly being used as a minimum bar to demonstrate that proper security controls are in place with key business partners and external stakeholders. Finally, PCI compliance can help instill trust in your organizations ability to protect their customers sensitive information. What is Required PCIDSS encompasses 12 core security requirements covering various aspects of network, system, and application security and data protection while in transit and at rest. The only exceptions are business disaster recovery and business continuity that are of no interest for PCI as these areas are unrelated to credit card fraud. The 12 Requirements Topic covered Install and maintain a firewall configuration to protect cardholder data Network security (Firewall/DMZ/Router) Do not use vendor-supplied defaults for system passwords and other security parameters Secure configuration and hardening of servers Protect stored cardholder data Data at rest protection (Encryption, retention, destruction) Encrypt transmission of cardholder data across open, public networks Data in transit (Encryption) Protect all systems against malware Anti-malware Develop and maintain secure systems Patch management, secure coding and development 2

3 The 12 Requirements Topic covered Restrict access to cardholder data by business need to know Access restriction/ assignment process (Need-to-know, least privileges) Identify and authenticate access to system components Access control and access management Restrict physical access to cardholder data Physical security Track and monitor all access to network resources and cardholder data Logging and monitoring Regularly test security systems and processes Wireless security, vulnerability scans, penetration tests, Change detections (File integrity) Maintain an Information Security Policy Policies, procedures, organizations, risk analysis Organizations must comply with the requirements pertaining to their merchant type. This merchant type indicates how the organization collects, handles and processes card data. Each merchant type is associated to a self-assessment questionnaire (SAQ). You can find out more with your acquiring bank. Validating Compliance Compliance validation should be an annual process, and its methods defined by the organization level - determined by the number of transactions or cards received, processed, stored or transmitted on an annual basis and for each card brand. 3

4 According to their level, organizations are subjected to annual audits by qualified assessors or annual self-assessment questionnaire (SAQ). Additionally, service providers must undergo an annual on-site audit independently of the number of cards. Determining Scope Wherever there is a credit card, there is a component in scope. The PCI scope consists of all system components included in, or connected to, the Cardholder Data Environment (CDE). This CDE is defined as the people, processes and system components that store, process, handle or transmitcardholder data. If card data is stored and/or processed in a cloud environment, PCI DSS applies to that environment Responsibilities for PCI compliance are shared between the cloud provider and the client depending on the cloud service model (Iaas, Paas, Saas) 4

5 CloudLock Security Fabric Supports Your PCI Compliance in the Cloud Meeting internal or external compliance regulations can be a tremendous challenge for any IT organization using software as a Service (SaaS) applications. CloudLock provides the visibility and control you need to quickly detect and respond to risks of data that is sensitive, toxic, and/or subject to PCI DSS regulations, while confidently working in the cloud. CloudLock supports your compliance in the cloud with the following PCI requirements Requirement 3: Protect stored cardholder data PCI requires that storage and retention time of specific card data elements - cardholder s name, primary account number (PAN), expiration date and service code - be limited to what is required for legal, regulatory, and business requirements. Processes must be in place for identifying and securely deleting stored cardholder data that exceeds defined retention. Storage of other card data elements is forbidden: Full magnetic stripe, card verification code or value and PIN or PIN block. Identify and monitor in real-time PCI card data nested within your cloud apps. Enforce and enable strong encryption of documents containing card data. Notify and educate users to encrypt sensitive information based on policy violations of over shared or inappropriately stored data. 5

6 Requirement 4: Encrypt transmission of cardholder data across open, public networks This requirement addresses the protection of cardholder data during transmission over networks that are easily accessed by malicious individuals. In particular, it enforces the use of strong cryptography to safeguard sensitive cardholder data during transmission over open, public networks. Empower your end-users to selectively encrypt sensitive information as a service and securely share the encryption keys with authorized parties. Leverage industry best encryption and key management technology, using AES-256 password-based encryption. Requirement 6: Develop and maintain secure applications This requirement addresses necessary measures minimizing the risk of compromise of cardholder data by malicious individuals and malicious software. Discover and control more than 77,000 cloud and third-party apps that matter. Gain insight into which apps pose a risk to your organizations. Requirement 7: Restrict access to cardholder data by business need to know This requirements ensures that systems and processes are in place to limit access to cardholder data based on a need to know basis and according to job responsibilities. Enforce proper access controls for all relevant apps and data in the cloud. Provide ongoing verification and control of access rights. Protect your organization from malicious data extraction. 6

7 Requirement 10: Track and monitor all access to network resources and cardholder data This requirement addresses the need for auditing access to your cloud apps and associated data. Monitor user activity to detect and surface potential anomalies, including suspicious logins. Use audited data as evidence of compliance to regulations and internal policies. Feed time-sensitive and critical security events into your company-wide SIEM solutions for a consolidated security view. Gain real-time insight into the health of your public cloud applications in one unified dashboard. Leverage out-of-the box security and compliance reports to meet regulatory requirements with internal and external auditors. Requirement 11: Regularly test security systems and processes This requirement addresses in particular the deployment of change detection mechanisms. Detect, monitor and alert changes to your sensitive cloud data (e.g. documents including cardholder data) based on defined policies. Provide audit trail in the case that new processes are introduced and write PCI-related data to cloud application. Requirement 12: Maintain a policy that addresses information security for all personnel This requirement addresses the need for information security policies, the awareness of personnel of the sensitivity of data and their responsibilities for protecting it, as well as the establishment of security incident response procedures to ensure timely and effective handling of all situations. 7

8 1. Institute and enforce security policies Leverage centralized custom policies to identify data subject to risk, governance, and security violations across your public cloud applications. Use CloudLock s rich policy templates to safeguard your most critical assets. Specify content and context criteria to customize your policies. 2. Manage security incidents effectively Centrally manage all incidents based on unified policies. Investigate flagged content and potentially toxic data in files and documents. Easily view and filter incidents based on severity level, object type, cloud app, status, date, and other criteria. Prioritize and track incidents based on business impact to your organization. Create incident reports. Automate response actions and notifications to your end users with CloudLock s fully automated remediation management capabilities. Integrate CloudLock s incident management service with your own enterprise systems, e.g. IT support and SIEM solutions. 3. Increase end user awareness Notify and educate users to encrypt sensitive information based on policy violations of over shared or inappropriately stored data. Reference Materials: PCI DSS Computing Guidelines Read More 8

9 The Cloud Security Fabric CloudLock offers the cloud security fabric enabling enterprises to protect their data in the cloud, reduce risk, achieve compliance, manage threats, and increase productivity. Learn More By analyzing 750 million files for more than 6 million end users daily. CloudLock delivers the only complete, risk-appropriate, and people-centric approach to cloud security. [email protected] (781)