While cloud services can offer attractive opportunities for organizations of all sizes, organizations must be aware of a particular cloud choice’s risks and challenges before moving their sensitive data or services to the cloud.<\/p>\n\n\n\n
Perhaps the most significant point of confusion regarding the Payment Card Industry Data Security Standard (PCI DSS) and cloud computing is who is in charge of compliance. In addition to business and risk considerations, implementing security controls in a cloud environment requires special technical knowledge and skills.<\/p>\n\n\n\n
See Also: What is PCI DSS and PCI Compliance?<\/a><\/strong><\/p>\n\n\n\n As a result, before migrating payment card processing to the cloud, you can appoint technical, legal, due diligence, information security, and enforcement teams to collaborate and identify your needs, as well as determine potential cloud service services based on those needs.<\/p>\n\n\n\n Ensuring that cloud services are securely designed, maintained, and used is a responsibility shared between the cloud provider and the client. It is important to note that not all cloud services are created equal.<\/p>\n\n\n\n See Also: PCI DSS Requirements<\/a><\/strong><\/p>\n\n\n\n Clear policies and procedures must be agreed upon between Customer and Provider for all security requirements. Operations, management, and reporting responsibilities for each requirement should be clearly defined, understood, and settled in writing by contractual agreements.<\/p>\n\n\n\n Concerning third-party or public clouds, you should consider that while you can outsource the day-to-day operational management of your data environment, you will retain responsibility for the data you put in the cloud.<\/p>\n\n\n\n See Also: Cloud Security Checklist<\/strong><\/a><\/p>\n\n\n\n There are a few items to consider if your company wishes to move PCI DSS in-scope systems to the public cloud. Any organization wishing to migrate or evaluate cloud services should follow these steps:<\/p>\n\n\n\n Your cloud service provider should collaborate with you to fully comprehend your security and compliance requirements. Both parties should be willing to maintain open communication and monitoring to avoid any misunderstanding or gap in security responsibilities.<\/p>\n\n\n\n See Also: Best Practices for Cloud Security<\/a><\/strong><\/p>\n\n\n\n Suppose account data is stored, processed, or transmitted in a cloud environment. In that case, PCI DSS will apply to that environment, and compliance will generally include verification of both the Cloud Service Provider’s environment and the customer’s use of that environment.<\/p>\n\n\n\n Even if the cloud service provider can claim to be PCI DSS compliant, it must verify that all services and locations consumed are included in the PCI DSS compliance verification and that the services are used in a compatible manner.<\/p>\n\n\n\n See Also: What are the Security Impacts of Public Cloud?<\/a><\/strong><\/p>\n\n\n\n The allocation of responsibility for managing security controls between the customer and the provider does not exempt the customer from ensuring that applicable PCI DSS requirements adequately secure cardholder data (CHD). Customers must define which PCI DSS requirements will be shared between Customer, Provider, and any of their agents and confirm their suitability.<\/p>\n\n\n\n You must clearly understand the scope of responsibility the cloud service provider accepts for each PCI DSS requirement and which services and system components are validated for each requirement. The responsibilities defined between you and your cloud service provider for managing the PCI DSS controls are affected by the following variables:<\/p>\n\n\n\n It is essential to identify and define how security aspects are managed throughout the life cycle of the data used and produced in your environment. Explicit data retention, storage, and secure destruction criteria should be part of the engagement process for all forms of cloud services to ensure that sensitive data:<\/p>\n\n\n\n Ultimately, you will determine how and when cardholder data will be obtained in the cloud. You must document the end-to-end processes and data flows to clear where the cardholder data resides and how it traverses the infrastructure. The data streams will also help determine where you obtained cardholder data and where you left it throughout the process.<\/p>\n\n\n\n See Also: What is Security as a Service (SECaaS)<\/a><\/strong><\/p>\n\n\n\n According to the data classification, the management of the data will differ from organization to organization. A defined data classification system can help you identify your sensitive or confidential data.<\/p>\n\n\n\n In this way, you can assign appropriate protection mechanisms based on different data types’ security requirements and prevent accidental misuse or cruel treatment of sensitive data.<\/p>\n\n\n\n See Also: Cloud Security Compliance Standards and Control Frameworks<\/a><\/strong> <\/p>\n\n\n\n Data may also be available in Provider systems used for cloud infrastructure maintenance, such as VM images, backups, trace logs. Cardholder data stored in memory can also be written to disk for recovery or high availability.<\/p>\n\n\n\n Such stored data can be easily forgotten and therefore not protected by data security controls. All potential capture points should be identified and managed as necessary to prevent unwanted or unsafe storage or transmission of sensitive data.<\/p>\n\n\n\n Special tools and processes may be needed to find and manage data stored in archived, offline, or relocated images.<\/p>\n\n\n\n See Also: What are the Security Impacts of Private Cloud?<\/a><\/strong><\/p>\n\n\n\n Potential hypervisor access to data in memory should also be considered to ensure that defined access controls are not unintentionally bypassed by cloud service provider administrative personnel. Before moving this data to the cloud environment, the cloud service should be assured that specific data security needs can be met. Considerations should include how the data will be stored.<\/p>\n\n\n\n Types with different sensitivity levels in the same virtual environment can affect the protection required for each data type. Cardholder data, user credentials, passwords, and cryptographic keys are examples of sensitive data that need to be protected.<\/p>\n\n\n\n Only people with business needs should have access to data, and it should be used in accordance with the existing information security policy.<\/p>\n\n\n\n Verifying that all cardholder data is securely deleted by your data retention policy in a distributed cloud environment is subject to the same challenges described above. Destruction of cardholder data must be performed using secure methods by PCI DSS requirements. The process of destruction should ensure that the data is unrecoverable after the destruction is complete.<\/p>\n\n\n\n In addition to data disposal, resource decommissioning criteria must be established to support potential decisions to switch providers, retire cloud resources, or abandon the cloud entirely. The cloud service provider must provide data destruction mechanisms that ensure that all data is securely removed and deleted from the cloud environment.<\/p>\n\n\n\n The cloud provider must have clearly defined and documented procedures for termination of the service. You can choose to have all data encrypted with strong cryptography to reduce the risk of any leftover data left behind in provider systems.<\/p>\n\n\n\n However, you should be aware that leaving potentially unknown amounts of encrypted data on Provider systems after your agreement is terminated may be a violation of your data retention policies.<\/p>\n\n\n\n The main challenge in cloud environments is governance, risk, and compliance management, a responsibility that is often shared with your provider. Sharing in the security field is subject to rigorous scrutiny to clarify responsibility and accountability for carrying out specific control activities.<\/p>\n\n\n\n\n
\n
Understand Your PCI DSS Responsibilities<\/strong><\/h2>\n\n\n\n
\n
How Should Cloud Data Security be for PCI Compliance?<\/strong><\/h2>\n\n\n\n
\n
Governance, Risk and PCI Compliance in the Cloud<\/strong><\/h2>\n\n\n\n