While cloud services can offer attractive opportunities for organizations of all sizes, organizations must be aware of a particular cloud choice’s risks and challenges before moving their sensitive data or services to the cloud.
Perhaps the most significant point of confusion regarding the Payment Card Industry Data Security Standard (PCI DSS) and cloud computing is who is in charge of compliance. In addition to business and risk considerations, implementing security controls in a cloud environment requires special technical knowledge and skills.
Before migrating payment card processing to the cloud, you should therefore bring together technical, legal, due diligence, information security, and compliance staff to identify your requirements and to determine candidate cloud services that meet them.
Ensuring that cloud services are securely designed, maintained, and used is a responsibility shared between the cloud provider and the client. It is important to note that not all cloud services are created equal.
Clear policies and procedures must be agreed upon between Customer and Provider for all security requirements. Operations, management, and reporting responsibilities for each requirement should be clearly defined, understood, and settled in writing by contractual agreements.
Concerning third-party or public clouds, you should consider that while you can outsource the day-to-day operational management of your data environment, you will retain responsibility for the data you put in the cloud.
There are a few items to consider if your company wishes to move PCI DSS in-scope systems to the public cloud. Any organization wishing to migrate or evaluate cloud services should follow these steps:
- First, understand your risk and security needs.
- Choose a cloud deployment model that suits your security and risk needs and those of your industry.
- Evaluate the different cloud service options.
- Know what you want from your cloud service provider.
- Compare cloud service providers and their service offerings.
- Ask your cloud service provider questions and verify the answers:
  - What exactly does each service consist of, and how is the service delivered?
  - What does the service provide in terms of security maintenance, PCI DSS compliance, segmentation, and assurance?
  - What are my responsibilities?
  - How will the provider supply ongoing evidence that security controls remain in place and up to date?
  - What will the provider commit to in writing?
  - Do other parties participate in service delivery, security, or support?
- Document everything in written contracts with your cloud service provider:
  - Service Level Agreements (SLAs)
  - Terms of Service agreements
  - Written assurances that security controls will be in place
- Periodically review the service and the written agreements for any changes.
Your cloud service provider should collaborate with you to fully comprehend your security and compliance requirements. Both parties should be willing to maintain open communication and monitoring to avoid any misunderstanding or gap in security responsibilities.
If account data is stored, processed, or transmitted in a cloud environment, PCI DSS applies to that environment, and compliance validation will generally cover both the cloud service provider’s environment and the customer’s use of that environment.
Even if the cloud service provider claims to be PCI DSS compliant, you must verify that all the services and locations you consume are included in the provider’s PCI DSS compliance validation and that you use those services in a compliant manner.
Allocating responsibility for managing security controls between the customer and the provider does not exempt the customer from ensuring that the applicable PCI DSS requirements adequately secure cardholder data (CHD). Customers must define which PCI DSS requirements are shared between customer, provider, and any of their agents, and confirm that the arrangement is adequate.
Understand Your PCI DSS Responsibilities
You must clearly understand the scope of responsibility the cloud service provider accepts for each PCI DSS requirement and which services and system components are validated for each requirement. The responsibilities defined between you and your cloud service provider for managing the PCI DSS controls are affected by the following variables:
- your purpose in using the cloud service;
- which PCI DSS requirements are in scope for the cloud services you outsource;
- which services and system components the cloud service provider has validated within its operations;
- the cloud service option you choose (for example, IaaS, PaaS, or SaaS);
- the scope of any additional services the cloud service provider offers to proactively manage PCI compliance (for example, managed security services).
What Should Cloud Data Security Look Like for PCI Compliance?
It is essential to identify and define how security is managed throughout the life cycle of the data used and produced in your environment. Explicit data retention, storage, and secure destruction criteria should be part of the engagement process for all forms of cloud service, to ensure that sensitive data:
- is kept for as long as necessary, and no longer;
- is stored only in appropriate and secure locations;
- is accessible only to those with a business need;
- is handled in accordance with your security policy.
Ultimately, you determine how and where cardholder data enters the cloud. You must document the end-to-end processes and data flows to make clear where cardholder data resides and how it traverses the infrastructure. The data-flow documentation also helps determine where cardholder data is received and where it leaves the process.
How data is managed will differ from organization to organization according to its data classification. A defined data classification scheme helps you identify your sensitive or confidential data, so that you can assign protection mechanisms appropriate to each data type’s security requirements and prevent accidental misuse or mishandling of sensitive data.
Cardholder data may also end up in provider systems used for cloud infrastructure maintenance, such as VM images, backups, and trace logs, and data held in memory can be written to disk for recovery or high availability.
Such copies are easily forgotten and therefore escape the data security controls. All potential capture points should be identified and managed to prevent unwanted or insecure storage or transmission of sensitive data.
Special tools and processes may be needed to find and manage data stored in archived, offline, or relocated images.
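As an added example (not code from the original article), the following scanner implements the kind of discovery tool the paragraph calls for: it searches text such as debug or trace logs for digit runs that look like PANs, discards those that fail the Luhn check, and reports each hit with the number masked. The log lines are constructed for illustration; the card numbers in them are widely used payment-gateway test numbers, not real accounts.

```python
import re

# Candidate PAN: 13 to 19 digits, optionally grouped with spaces or dashes,
# not embedded in a longer digit run.
_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

def luhn_ok(digits):
    """Luhn check: weeds out most incidental digit runs (timestamps, IDs)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def find_pans(text):
    """Return the normalised digit strings in text that look like PANs."""
    found = []
    for m in _CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            found.append(digits)
    return found

def mask_pan(pan):
    """Mask all but the first six and last four digits before reporting."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]

def scan_log(lines):
    """Return (line_number, masked_pan) for every probable PAN in the lines."""
    hits = []
    for n, line in enumerate(lines, start=1):
        for pan in find_pans(line):
            hits.append((n, mask_pan(pan)))
    return hits

# Constructed sample: a debug log that leaks card numbers in two places.
# The timestamp and session id are digit runs that fail the Luhn check.
LOG_LINES = [
    "2024-03-01T10:15:02Z INFO  checkout ok order=88213 ts=1700000000000",
    '2024-03-01T10:15:03Z DEBUG gateway body={"pan":"4111111111111111","exp":"12/26"}',
    "2024-03-01T10:15:04Z ERROR retry card 5555 5555 5555 4444 declined",
    "2024-03-01T10:15:05Z INFO  session id=1234567890123456 created",
]

if __name__ == "__main__":
    for line_no, masked in scan_log(LOG_LINES):
        print(f"line {line_no}: probable PAN {masked}")
```

The Luhn filter is what makes the scan usable on real logs: without it, every 13-digit epoch timestamp and most numeric identifiers would be reported. The same function can be pointed at mounted snapshot images or exported backups, which is where forgotten copies usually live.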
Potential hypervisor access to data in memory should also be considered, so that defined access controls are not unintentionally bypassed by the cloud service provider’s administrative personnel. Before moving data to the cloud environment, you should obtain assurance from the cloud service provider that your specific data security needs can be met. Considerations should include how the data will be stored.
Holding data types with different sensitivity levels in the same virtual environment affects the protection each type requires. Cardholder data, user credentials, passwords, and cryptographic keys are all examples of sensitive data that need protection.
Only people with a business need should have access to such data, and it should be used in accordance with your information security policy.
Verifying that all cardholder data is securely deleted in accordance with your data retention policy is subject to the same challenges in a distributed cloud environment as those described above. Cardholder data must be destroyed using secure methods that satisfy PCI DSS requirements, and the destruction process must ensure that the data is unrecoverable once it is complete.
In addition to data disposal, resource decommissioning criteria must be established to support a future decision to switch providers, retire cloud resources, or leave the cloud entirely. The cloud service provider must offer data destruction mechanisms that ensure all of your data is securely removed from its environment.
The cloud provider must have clearly defined and documented procedures for termination of the service. You can choose to encrypt all data with strong cryptography, keeping the keys under your own control, so that any residual data left behind in provider systems is useless once the keys are destroyed.
Be aware, however, that leaving a potentially unknown amount of encrypted data on provider systems after your agreement is terminated may still violate your data retention policies.
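As an added example, not code from the article, the following Python models crypto-shredding with customer-held keys: only ciphertext ever sits on the provider side, decommissioning destroys the key, and the residual encrypted objects are reported so the retention policy can account for them. The cipher is an encrypt-then-MAC construction built from HMAC-SHA256 in counter mode purely so that the block runs with the standard library; a real deployment would use AES-GCM from a vetted library with keys held in a customer-managed KMS or HSM. The key store, storage model, tenant names and records are constructed for illustration.

```python
import hashlib
import hmac
import os

def _subkey(master, label):
    """Derive separate encryption and MAC subkeys from one 32-byte master key."""
    return hmac.new(master, label, hashlib.sha256).digest()

def _keystream(enc_key, nonce, length):
    """HMAC-SHA256 as a PRF in counter mode: keystream = HMAC(k, nonce || ctr)."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]

def encrypt(master, plaintext):
    """Encrypt-then-MAC. Returns nonce (16) || ciphertext || tag (32)."""
    nonce = os.urandom(16)
    ks = _keystream(_subkey(master, b"enc"), nonce, len(plaintext))
    ct = bytes(p ^ k for p, k in zip(plaintext, ks))
    tag = hmac.new(_subkey(master, b"mac"), nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def decrypt(master, blob):
    """Verify the tag in constant time, then decrypt; raise on any tampering."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expect = hmac.new(_subkey(master, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expect):
        raise ValueError("ciphertext failed authentication")
    ks = _keystream(_subkey(master, b"enc"), nonce, len(ct))
    return bytes(c ^ k for c, k in zip(ct, ks))

class CustomerKeyStore:
    """Keys live on the customer side (HSM or customer-managed KMS), never with the provider."""
    def __init__(self):
        self._keys = {}
    def create(self, key_id):
        self._keys[key_id] = os.urandom(32)
    def get(self, key_id):
        return self._keys[key_id]      # KeyError once the key has been destroyed
    def destroy(self, key_id):
        self._keys.pop(key_id, None)

class ProviderStorage:
    """Models provider-side storage (object store, backups, snapshots); holds only ciphertext."""
    def __init__(self):
        self.objects = {}
    def put(self, key_id, name, blob):
        self.objects[(key_id, name)] = blob
    def get(self, key_id, name):
        return self.objects[(key_id, name)]
    def residual(self, key_id):
        """Names of encrypted objects still physically present for this key."""
        return sorted(name for (k, name) in self.objects if k == key_id)

def store_record(keys, storage, key_id, name, data):
    storage.put(key_id, name, encrypt(keys.get(key_id), data))

def read_record(keys, storage, key_id, name):
    return decrypt(keys.get(key_id), storage.get(key_id, name))

def decommission(keys, storage, key_id):
    """Crypto-shred: destroying the key makes every copy unreadable, but the
    ciphertext is still there and the retention policy must account for it."""
    keys.destroy(key_id)
    return storage.residual(key_id)

def demo():
    keys, storage = CustomerKeyStore(), ProviderStorage()
    keys.create("tenant-A")
    store_record(keys, storage, "tenant-A", "order-1", b"PAN=4111111111111111")
    store_record(keys, storage, "tenant-A", "order-2", b"PAN=5555555555554444")
    before = read_record(keys, storage, "tenant-A", "order-1")
    # A provider-side bit flip (corruption or tampering) must be detected, not decrypted to garbage.
    blob = storage.get("tenant-A", "order-2")
    storage.put("tenant-A", "order-2", blob[:20] + bytes([blob[20] ^ 1]) + blob[21:])
    try:
        read_record(keys, storage, "tenant-A", "order-2")
        tamper_detected = False
    except ValueError:
        tamper_detected = True
    residual = decommission(keys, storage, "tenant-A")
    try:
        read_record(keys, storage, "tenant-A", "order-1")
        readable_after = True
    except KeyError:
        readable_after = False
    return {"before": before, "tamper_detected": tamper_detected,
            "residual": residual, "readable_after": readable_after}

if __name__ == "__main__":
    print(demo())
```

The value returned by `decommission` is the point of the exercise: key destruction settles the confidentiality question, but the list of objects still sitting in provider storage is exactly the "unknown amount of encrypted data" that your retention policy and termination procedure have to address.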
Governance, Risk and PCI Compliance in the Cloud
The main challenge in cloud environments is governance, risk, and compliance management, a responsibility that is often shared with your provider. Any such sharing of security duties must be scrutinized rigorously to clarify responsibility and accountability for carrying out each control activity.
Defining responsibilities highlights the importance of a robust governance and risk management structure and of SLAs. Without a clear management strategy, you may not become aware of problems arising from your use of the cloud service, and the cloud provider may not be aware of issues in your use of its environment that affect the services it provides.
During PCI DSS scoping for the cloud, it is imperative to include the internal and external interfaces of the security architecture and to draw boundaries that represent the cloud customer’s and the provider’s governance domains.
A responsibility matrix is an appropriate way to define the cloud governance strategy, especially when it is documented in the SLA. The matrix makes clear which operational security and risk management duties belong to you and which to your cloud provider.
Your cloud provider must give you reporting and monitoring mechanisms so that you can confirm effective governance is implemented and maintained throughout the service.
Consistent with the risk management approach used for internal services, outsourced cloud services should be evaluated against your organization’s risk strategy: identify critical assets, analyze the potential risks to those assets, and develop an appropriate risk treatment plan.
In traditional environments, the physical location of sensitive data can be limited to specific systems and jurisdictions, which makes it easier to define and implement adequate risk mitigation controls.
The emergence of new technologies requires a reassessment of traditional risk strategies, however. Data in cloud environments is no longer tied to a physical system or location, which reduces the effectiveness of conventional security mechanisms in protecting it. Traditional approaches that rely on security controls placed around sensitive data may need to evolve to address this risk landscape.
A cloud provider that stores, processes, or transmits cardholder data, or could otherwise affect the security of the cardholder data environment (CDE), is a third-party service provider. PCI DSS Requirement 12.8 therefore applies and, as for any service provider, requires you to follow a thorough due diligence process before engaging the cloud provider.
The due diligence process and its objectives will differ for each organization; however, common goals typically include:
- Confirm that the cloud provider has a history of sound business practices and ethical behavior and performs its services legitimately.
- Understand the cloud provider’s operational responsibilities, such as incident response, encryption, and security monitoring.
- Verify that the cloud provider is compatible with your business image and risk profile.
- Identify possible risks in your relationship with the cloud provider that may affect your operations or business.
- Identify the service elements that need to be clarified and included in contracts or SLAs.
Adequate due diligence is not merely reading the cloud provider’s marketing material or relying on its PCI compliance claims; it involves research, investigation, and evidence gathering.
Conducting due diligence before engaging the cloud provider does not eliminate the need for constant monitoring and review of the provider’s services.
Cloud Facilities and Physical Security for PCI Compliance
Cloud services consist of physical resources located in environments that are accessed remotely from the customer’s environment. Like other third-party providers, public and shared cloud providers serve multiple customers whose data and virtual components coexist in the same physical location and are managed by the same physical systems as those of other customers.
Physical security controls must be applied at the cloud provider’s facilities to protect customers’ data. For PCI DSS validated cloud providers, the Attestation of Compliance (AOC) should list all physical locations covered by the PCI DSS compliance validation.
In a private cloud, the physical location of all components is known and can be verified. In a public cloud, elements such as VMs, hypervisors, or virtual network devices can be located in multiple locations according to the provider’s provisioning strategy.
In an environment where data and infrastructure can be in multiple locations at different times, verifying proper physical security is challenging. You should therefore seek assurance from your cloud provider that PCI DSS physical security requirements are consistently applied in all potential locations.
PCI DSS Compliance in the Cloud: Strategies and Challenges
Hardware manufacturers do not certify the physical servers in a cloud provider’s platform as PCI compliant, just as operating system vendors do not certify their products. The platform and software merely provide an environment in which businesses can operate. Note, however, that a provider’s PCI DSS validation covers not only the hardware but also the provider’s processes.
So although you cannot approve a hardware vendor’s server, you can confirm that the provider operating that server restricts access, enforces separation of duties, and applies patches as required.
Validating a provider is really about auditing its processes rather than its platform. How the customer conducts itself and handles its transactions ultimately determines whether it operates in the spirit of PCI DSS.
You should also be aware of how cloud providers view their own responsibilities. The PCI Security Standards Council has tried to illustrate the division of responsibility between customers and cloud providers, but the actual split differs from provider to provider.
To avoid a costly error, treat the virtualization infrastructure as beyond your control. One area where a cloud provider can help with PCI DSS, however, is the isolation of data belonging to multiple tenants on shared infrastructure.
Since physical isolation is not possible in a multi-tenant virtual environment, the cloud provider must demonstrate the effectiveness of its logical segmentation, especially as it relates to PCI DSS scope.
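The provider’s tenant isolation is something you can only verify through the evidence it supplies, but the segmentation of your own CDE from out-of-scope systems within your tenancy is yours to prove. The following is an added example (not from the original article) that checks allow-only ingress rules, in the style of cloud security groups, for any path from a non-CDE network into the CDE that is not on a documented approved list. The CDE subnet, the rule set and the approved connections are constructed for illustration.

```python
import ipaddress

ANY_PORT = (0, 65535)

# Constructed cardholder data environment and the only documented, approved
# ingress paths into it: (source network, inclusive port range).
CDE = ["10.10.0.0/16"]
APPROVED = [
    ("10.200.1.0/28", (22, 22)),     # bastion hosts, SSH only
    ("10.20.0.0/24", (443, 443)),    # web tier to payment API
]

# Constructed allow-only ingress rules, as exported from a security-group
# style firewall.  "ports": None means all ports.
RULES = [
    {"name": "cde-internal",   "src": "10.10.0.0/16",  "dst": "10.10.0.0/16", "ports": None},
    {"name": "bastion-ssh",    "src": "10.200.1.0/28", "dst": "10.10.0.0/16", "ports": (22, 22)},
    {"name": "web-to-api",     "src": "10.20.0.0/24",  "dst": "10.10.5.0/24", "ports": (443, 443)},
    {"name": "monitoring-any", "src": "10.30.0.0/16",  "dst": "10.10.0.0/16", "ports": None},
    {"name": "public-https",   "src": "0.0.0.0/0",     "dst": "10.10.5.0/24", "ports": (443, 443)},
    {"name": "corp-to-dev",    "src": "10.50.0.0/16",  "dst": "10.60.0.0/16", "ports": None},
]

def _net(cidr):
    return ipaddress.ip_network(cidr, strict=False)

def _ports_within(inner, outer):
    return outer[0] <= inner[0] and inner[1] <= outer[1]

def segmentation_violations(rules, cde_subnets, approved):
    """Return the names of rules that admit traffic into the CDE from a source
    that is neither inside the CDE nor approved for the rule's whole port range."""
    cde = [_net(c) for c in cde_subnets]
    approved_nets = [(_net(src), ports) for src, ports in approved]
    violations = []
    for rule in rules:
        src, dst = _net(rule["src"]), _net(rule["dst"])
        ports = rule.get("ports") or ANY_PORT
        if not any(dst.overlaps(c) for c in cde):
            continue  # rule never reaches the CDE
        if any(src.subnet_of(c) for c in cde):
            continue  # intra-CDE traffic is in scope but not a segmentation break
        if any(src.subnet_of(a_src) and _ports_within(ports, a_ports)
               for a_src, a_ports in approved_nets):
            continue  # documented, approved path
        violations.append(rule["name"])
    return violations

if __name__ == "__main__":
    for name in segmentation_violations(RULES, CDE, APPROVED):
        print(f"segmentation violation: rule {name!r} exposes the CDE")
```

Note the port check: a source that is approved for SSH only is still flagged if a rule opens a wider range from it, because "approved" means the documented connection, not the host. In a cloud account the same check is better run over security-group or tag references resolved to their current members at audit time, since rules written against instance addresses go stale as soon as instances are replaced.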
The traditional technical controls used to help organizations achieve a measurable level of compliance were designed for relatively static environments and platforms.
Most of these tools were not built to account for complexities such as dynamically addressed servers, elastic scaling, rapid deployment, and the equally rapid decommissioning of servers in cloud environments.
Auditing and evaluating distributed servers is another challenge presented by cloud environments.
When evaluating new tools for your cloud architecture, do not hesitate to involve your assessors during the evaluation process. They should be able to advise on the tools you are considering and raise any concerns about how those tools support PCI DSS requirements.
Similarly, talk to colleagues who have recently been through an assessment of cloud servers. From those discussions you should be able to identify the flaws in their compliance programs and tools and take the necessary measures so that your company does not fall into the same trap.