A Guide to PCI Compliance in the Cloud
In an age where hosting infrastructure in a cloud environment becomes more and more attractive – whether for maintenance, price, availability, or scalability – several service providers offer different PCI-DSS (Payment Card Industry – Data Security Standard) compliant solutions for their customers’ need to deal with payment cards.
Many companies believe that when choosing a business partner already certified in PCI-DSS, no further action is required since this environment has already been evaluated. However, while a PCI-DSS compliant provider brings more security and reliability, only its certification is not enough for the contractor’s environment to be certified as well.
All certified service providers must offer their customers an array of services and responsibilities, where they clearly define what each party needs to do to achieve PCI compliance in the environment.
With this in mind, there are some important tips to take into account, mainly focusing on the first six PCI-DSS requirements, and also some important information for cloud service providers to take into account.
Requirement 1: Install and maintain a firewall configuration to protect the cardholder data
To protect cardholder data, you must implement and configure environmental targeting in accordance with PCI network requirements. It should be analyzed with tools the service provider offers to enable the contractor to achieve compliance. Some important services to consider:
- Network Groups: A tool that will be used to perform the logical segmentation of the cloud-hosted environment. Traditionally, communications are blocked, and rules must be created to release access between instances.
- Private Cloud: Should be used to isolate the provider’s networks in private networks, preventing the connection and access of other networks except those duly authorized by the targeting tool created in the same private cloud. This configuration facilitates the segmentation and logical management of accesses, reducing the exposure of the environment and card data.
- Elastic Computing: It allows the creation of an instance that is scalable, that is, after it is identified that the processing reaches a parameter pre-defined by the user, creates another instance identical to the first. This process repeats itself as there is a need for more processing power. With the reduction of processing, the instances are then deactivated.
Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters
In the case of SaaS (Software as a Service) cloud services, the need to apply secure configuration controls rests with the provider, assuming that the service provider identifies the service as part of its environment accordingly.
Using PaaS (Platform as a Service) or IaaS (Infrastructure as a Service), when the configuration of the instance is made by the contracted company, it is very important to create the procedure of hardening to be used and to ensure that it is properly applied in the instance before creating the rules that grant access to the other environments.
Requirement 3: Protect stored data from cardholder
Secure storage of card data is one of the priorities of the standard. Natively, cloud environments do not protect data, so the company acquiring the service must identify how it can make the data secure during the process, as well as assess whether the provider provides the necessary tools.
For card data encryption, key management is another crucial point, as important encryption of the data itself. The documentation and secure management of the data encryption keys (DEK) and key-encryption key (KEK) must be done by the contractor and can use the resources offered by the providers.
Requirement 4: Encrypt the cardholder data transmission on open public networks
The implementation of secure communication channels must be planned by the contractor, either through the acquisition of a secure communication service or even through the implementation of communication certificates. Always use robust PCI-DSS-based encryption protocols, such as TLS 1.2, IPSec, SFTP, etc.
Requirement 5: Use and regularly update anti-virus software or programs
Another common mistake is to consider that the implementation of antivirus is the responsibility of the service provider, or even believe that their systems are not susceptible to malicious software.
Cloud services do not include the provision of this type of software by default in all scenarios. This means that those seeking PCI-DSS certification need to identify how to implement and define the use of an antivirus solution, ensuring its installation, management, logging, and monitoring.
Requirement 6: Develop and maintain secure systems and applications
By confirming the certified service offered by the cloud provider (Saas) in the responsibility matrix, the contracting company does not need to take any additional actions related to the management of the structure that maintains that environment.
In the case of a certified service offered by the cloud provider, the contracting company confirming this in the contractor’s responsibilities matrix does not need to take any additional actions related to the management of the structure that maintains that environment.
However, when acquiring IaaS or PaaS services, it is important to enable vulnerability identification procedures, security updates, change management, and secure development.
Speaking specifically of public-facing web applications, PCI-DSS requires the manual or automated validation of all code developed for the application. A recommended alternative is the implementation of a Web Application Firewall (WAF), which can also be used as a service acquired from the marketplace of these companies or as an application to be contracted (e.g. AWS WAF, Azure WAF, Google Virtual Web Application Firewall).