Meeting the PCI DSS Compliance Guidelines

Cloud computing has the ability to offer organizations long-term IT savings, reductions in infrastructural costs and pay-for-service models. By moving IT services to the cloud, organizations are more geographically distributed than ever before and the pace of business gets faster every day. Online collaboration has become a business necessity—there is no other way for distributed teams to work as quickly and efficiently as business demands. With virtual, paperless environments becoming more common, simply locking the doors at night no longer protects merchants, banks, customers or the business they conduct.

This means that exploitation will change from systems to web. Due to these changes, today’s business needs demand that applications and data not only move across physical and international borders, but also to the cloud and accessible by third parties. This loss of control is significant for security teams that must not only keep data safe, but also comply with the necessary security standards, including the Payment Card Industry Data Security Standard (PCI DSS). The payment card industry (PCI) should recognize that the most effective way to protect customer data is to protect the networks from the point of purchase to the application servers in their networks.

The PCI DSS security requirements apply to all system components included in or connected to the cardholder data environment. The cardholder data environment (CDE) is comprised of people, processes and technologies that store, process or transmit cardholder data or sensitive authentication data. “System components” include network devices, servers, computing devices and applications.

Compliance Challenges
Five compliance challenges organizations may encounter are:

1. The cloud is relatively new technology and may be misunderstood.
2. Clients may have limited visibility into the service provider’s infrastructure and the related security controls.
3. It can be challenging to verify who has access to cardholder data process, transmitted, or stored in the cloud environment.
4. Public cloud environments are usually designed to allow access from anywhere on the Internet.
5. Some virtual components do not have the same level of access control, logging, and monitoring as their physical counterparts.

Meeting the Compliance Requirements
Shared hosting providers must protect each customer’s hosted environment and cardholder data. From 30 June 2015, these providers must meet specific, additional requirements that are set out in an appendix A of PCI DSS Version 3. Below are a few highlights:

• PCI DSS requires that hosting providers ensure that each customer only runs processes that have access to that entity’s cardholder data environment.
• Access and privileges must be restricted to each customer’s own cardholder data environment.
• If a customer (merchant or service provider) is allowed to run its own applications on a shared server, it should run with the user ID of the customer, rather than as a privileged user.
• Logging and audit trails must also be enabled, unique to each entity’s cardholder data environment and consistent with PCI DSS requirements.
• Logs should be available to each customer, specific to their cardholder data environment.
• Processes must also be available to provide timely forensic investigation in the event of any compromise of cardholder data or systems.
• Even though a hosting provider meets PCI DSS requirements, the compliance of the customer using the service is not guaranteed.
• Each entity will need to comply with PCI DSS and validate its own compliance as applicable.

PCI DSS compliance is mandatory for banks, merchants and providers that process, transmit or store cardholder data. The risk of noncompliance is substantial, including fines, potential security breaches and loss of business.

Any enterprise that falls with the scope of the standard must implement it and seek compliance. Merchants who fail to comply might be forced to pay an extra percentage for noncompliance. There are also fines for storing sensitive authentication data, which is not allowed under the standard. Penalties for data breaches in noncompliant companies can be severe, including large fines as well as the threat of future exclusion from the payment card network.

Adesanya Ahmed, CRISC, CGEIT, ACPA, ACMA
IT Security and Connectivity Consultant, Petrovice Resources International Ltd.
[email protected]

[ISACA]