PCI-DSS COMPLIANCE ON THE CLOUD

PCI-DSS COMPLIANCE ON THE CLOUD : How to outsource payment data storage on the cloud

  • This is a pretty self-explanatory slide that defines PCI DSS and provides the motivations for why PCI is here.
  • Here is an example article that follows that model. The link is: http://searchcloudcomputing.techtarget.com/tip/Is-PCI-compliance-attainable-in-a-public-cloud
  • Source: standard CSA slide
  • http://selfservice.talisma.com/article.aspx?article=5378&p=81
    Q: Does PCI DSS apply to merchants who use payment gateways to process transactions on their behalf, and thus never store, process or transmit cardholder data?
    A: PCI DSS requirements are applicable if a Primary Account Number (PAN) is stored, processed, or transmitted. If PAN is not stored, processed, or transmitted, PCI DSS requirements do not apply. However, under PCI DSS requirement 12.8, if the merchant shares cardholder data with a third-party processor or service provider, the merchant must ensure that there is an agreement with that third-party processor/service provider that includes their acknowledgement that the third-party processor/service provider is responsible for the security of the cardholder data it possesses. In lieu of a direct agreement, the merchant must obtain evidence of the third-party processor/service provider's compliance with PCI DSS via other means, such as via a letter of attestation.
    http://selfservice.talisma.com/article.aspx?article=9488&p=81
    Q: Does PCI DSS apply to a merchant that stores only truncated cardholder data (PAN)?
    A: A truncated PAN, consisting of the maximum of the first 6 and the last 4 digits, is not considered cardholder data per PCI DSS. If the merchant only stores truncated PAN, and does not store, process, or transmit the full PAN, then PCI DSS would not apply to this merchant (except for requirement 12.8, which is between the merchant and their service providers). Keep in mind that if a merchant stores any paper receipts, reports, etc., with full PAN, this is also considered storage of PAN per PCI DSS. PCI DSS does not apply to a merchant that does not electronically store, process, or transmit full PAN data or store such data on paper receipts, reports, etc. However, PCI DSS (and SAQ A) does apply to a merchant who stores full PAN on paper, even though they’ve outsourced all electronic storage, processing, and transmission of cardholder data to a third party and only electronically store truncated PANs.
  • http://aws.amazon.com/security/pci-dss-level-1-compliance-faqs/
    Q: Do QSAs for Level 1 merchants require a physical walkthrough of a service provider’s data center?
    A: No. A merchant can obtain certification without a physical walkthrough of a service provider’s data center if the service provider is a Level 1 validated service provider (such as AWS). A merchant’s QSA can rely on the work performed by our QSA, which included an extensive review of the physical security of our data centers.
    Q: Will AWS cooperate with forensic investigations if required?
    A: Yes. AWS is classified as a shared hosting provider and as specified in DSS requirement A.1.4 has written policies that provide for a timely forensics investigation of related servers in the event of a compromise. AWS will work with merchants and designated Qualified Incident Response Assessors (QIRA) as required to perform forensic investigations. AWS also meets all breach notification requirements as applicable to AWS.
    PCI basis: “For those entities that outsource storage, processing, or transmission of cardholder data to third-party service providers, the Report on Compliance (ROC) must document the role of each service provider, clearly identifying which requirements apply to the assessed entity and which apply to the service provider. There are two options for third-party service providers to validate compliance: 1) They can undergo a PCI DSS assessment on their own and provide evidence to their customers to demonstrate their compliance; or 2) If they do not undergo their own PCI DSS assessment, they will need to have their services reviewed during the course of each of their customers’ PCI DSS assessments. See the bullet beginning “For managed service provider (MSP) reviews,” in Item 3, “Details about Reviewed Environment,” in the “Instructions and Content for Report on Compliance” section, below, for more information. Additionally, merchants and service providers must manage and monitor the PCI DSS compliance of all associated third-party service providers with access to cardholder data. Refer to Requirement 12.8 in this document for details.”
  • PCI SSC virtualization guidance: “In addition to the challenges of defining scope and assigning responsibilities across a shared infrastructure, the inherent characteristics of many cloud environments present additional barriers to achieving PCI DSS compliance. Some of these characteristics include:
    • The distributed architectures of cloud environments add layers of technology and complexity to the environment.
    • Public cloud environments are designed to be public-facing, to allow access into the environment from anywhere on the Internet.
    • The infrastructure is by nature dynamic, and boundaries between tenant environments can be fluid.
    • The hosted entity has limited or no visibility into the underlying infrastructure and related security controls.
    • The hosted entity has limited or no oversight or control over cardholder data storage.
    • The hosted entity has no knowledge of ‘who’ they are sharing resources with, or the potential risks their hosted neighbors may be introducing to the host system, data stores, or other resources shared across a multi-tenant environment.”
    “In a public cloud environment, additional controls must be implemented to compensate for the inherent risks and lack of visibility into the public cloud architecture. A public cloud environment could, for example, host hostile out-of-scope workloads on the same virtualization infrastructure as a cardholder data environment. More stringent preventive, detective, and corrective controls are required to offset the additional risk that a public cloud, or similar environment, could introduce to an entity’s CDE. These challenges may make it impossible for some cloud-based services to operate in a PCI DSS compliant manner. Consequently, the burden for providing proof of PCI DSS compliance for a cloud-based service falls heavily on the cloud provider, and such proof should be accepted only based on rigorous evidence of adequate controls. As with all hosted services in scope for PCI DSS, the hosted entity should request sufficient assurance from their cloud provider that the scope of the provider’s PCI DSS review is sufficient, and that all controls relevant to the hosted entity’s environment have been assessed and determined to be PCI DSS compliant. The cloud provider should be prepared to provide their hosted customers with evidence that clearly indicates what was included in the scope of their PCI DSS assessment as well as what was not in scope; details of controls that were not covered and are therefore the customer’s responsibility to cover in their own PCI DSS assessment; details of which PCI DSS requirements were reviewed and considered to be ‘in place’ and ‘not in place’; and confirmation of when the assessment was conducted. Any aspects of the cloud-based service not covered by the cloud provider’s PCI DSS review should be identified and documented in a written agreement. The hosted entity should be fully aware of any and all aspects of the cloud service, including specific system components and security controls, which are not covered by the provider and are therefore the entity’s responsibility to manage and assess.”
  • PCI-DSS COMPLIANCE ON THE CLOUD

    1. PCI-DSS COMPLIANCE ON THE CLOUD: HOW TO OUTSOURCE PAYMENT DATA STORAGE ON THE CLOUD: E-COMMERCE & M-COMMERCE. @halloussi. By M. EL ALLOUSSI. Dubai, December 2013
    2. Summary
       1. Cloud Computing: Definitions
       2. e-commerce/m-commerce: An overview
       3. The Payment Card Industry Data Security Standard (PCI DSS)
       4. PCI DSS on Cloud: New challenges
    3. Cloud Computing: Definitions
    4. Definition of Cloud Computing (NIST). A service which:
       • Maintains a pool of hardware resources to maximize service, minimize cost
       • Resource efficiency permits hardware refresh, migration of customer workloads
    5. 5 Essential Cloud Characteristics
       1. On-demand self-service
       2. Broad network access
       3. Resource pooling (location independence)
       4. Rapid elasticity
       5. Measured service
    6. 3 Cloud Service Models
       1. Cloud Software as a Service (SaaS): use provider’s applications over a network
       2. Cloud Platform as a Service (PaaS): deploy customer-created applications to a cloud
       3. Cloud Infrastructure as a Service (IaaS): rent processing, storage, network capacity, and other fundamental computing resources
    7. 4 Cloud Deployment Models
       • Private cloud: enterprise owned or leased
       • Community cloud: shared infrastructure for a specific community
       • Public cloud: sold to the public, mega-scale infrastructure
       • Hybrid cloud: composition of two or more clouds
    8. e-commerce/m-commerce: An overview
    9. Definition of e-commerce/m-commerce
       • E-commerce or electronic commerce is the buying and selling of products or services via the web, Internet or other computer networks.
       • M-commerce or mobile commerce is the buying of products or services via a device like a smartphone, PDA, etc.
    10. Types of e-Commerce
       • Business to Consumer (B2C): this is where the seller is a business organization and the buyer is a consumer.
       • Business to Business (B2B): this is where the seller and the buyer are both business organizations.
       • Consumer to Consumer (C2C): this is where the seller is a consumer and the buyer is a consumer.
       • Consumer to Business (C2B): this is where the consumer can name a price they are willing to pay for a requirement and business organizations can decide whether to meet the requirement for the price. As this is consumer driven and not seller driven, this becomes a C2B model.
    11. Card payment: The stakeholders
       • Card holder: a person holding a payment card (the consumer in B2C).
       • Merchant: the business organization selling the goods and services (the merchant sets up a contract known as a merchant account with an acquirer).
       • Service provider: this could be the merchant itself (merchant service provider (MSP)) or an independent sales organization providing some or all of the payment services for the merchant.
       • Acquirer or acquiring bank: this connects to a card brand network for payment processing and also has a contract for payment services with a merchant.
       • Issuing bank: this entity issues the payment cards to the payment card holders.
       • Card brand: this is a payment system (called an association network) with its own processors and acquirers (such as Visa, MasterCard or CMI card in Morocco).
    12. The Payment Card Industry Data Security Standard (PCI DSS)
    13. Why is PCI Here?
       • Criminals need money.
       • Where are the most cards? In computers.
       • Some organizations still don’t care… especially if the loss is not theirs.
       • Credit cards = MONEY.
       • Data theft grows and reaches HUGE volume.
       • PAYMENT CARD BRANDS ENFORCE DSS!
    14. PCI DSS requirements (activities and the requirements describing them)
       • Build and maintain a secure network: 1. Install and maintain a firewall configuration to protect data; this includes firewall on client. 2. Do not use vendor-supplied defaults for system passwords and other security parameters.
       • Protect cardholder data: 3. Protect stored cardholder data. 4. Encrypt transmission of cardholder data and sensitive information across open public networks.
       • Maintain a vulnerability management program: 5. Use and regularly update antivirus software. 6. Develop and maintain secure systems and applications.
       • Implement strong access control measures: 7. Restrict access to data by business on a need-to-know basis. 8. Assign a unique ID to each person with computer access. 9. Restrict access to cardholder data.
       • Regularly monitor and test networks: 10. Track and monitor all access to network resources and cardholder data. 11. Regularly test security systems and processes.
       • Maintain an information security policy: 12. Maintain a policy that addresses information security.
    15. EXAMPLE
    16. PCI DSS on Cloud: New challenges
    17. PCI DSS Cloud Computing Guidelines (2013). The responsibilities delineated between the client and the Cloud Service Provider (CSP) for managing PCI DSS controls are influenced by a number of variables, including:
       • The purpose for which the client is using the cloud service
       • The scope of PCI DSS requirements that the client is outsourcing to the CSP
       • The services and system components that the CSP has validated within its own operations
       • The service option that the client has selected to engage the CSP (IaaS, PaaS or SaaS)
       • The scope of any additional services the CSP is providing to proactively manage the client’s compliance (for example, additional managed security services)
    18. PCI DSS Cloud Computing Guidelines (2013). Define responsibilities such as in the following example:
    19. PCI DSS Cloud Computing Guidelines (2013). Define responsibilities such as in the following example:
    20. CSA Cloud Controls Matrix
       • Controls derived from guidance
       • Mapped to familiar frameworks: ISO 27001, COBIT, PCI, HIPAA
       • Rated as applicable to SaaS/PaaS/IaaS
       • Customer vs Provider role
       • Help bridge the “cloud gap” for IT & IT auditors
       • https://cloudsecurityalliance.org/research/projects/cloud-controls-matrix-ccm/
    21. CSA Cloud Controls Matrix. The Cloud Security Alliance Cloud Controls Matrix (CCM) provides a controls framework in 13 domains aligned with industry-accepted security standards, regulations, and controls frameworks such as:
       • ISO 27001/27002
       • ISACA COBIT
       • PCI DSS
       • NIST
       • BITS
       • GAPP
       • HIPAA/HITECH
       • Jericho Forum
    22. CSA Cloud Controls Matrix. Cloud Controls Matrix domains include:
       • Compliance
       • Data Governance
       • Facility Security
       • Human Resource Security
       • Information Security
       • Legal
       • Operations Management
       • Risk Management
       • Release Management
       • Resiliency
       • Security Architecture
    23. Example: Requirement 12.8
       Q: Does PCI DSS apply to merchants who use payment gateways to process transactions on their behalf, and thus never store, process or transmit cardholder data?
       A: PCI DSS requirements are applicable if a Primary Account Number (PAN) is stored, processed, or transmitted. If PAN is not stored, processed, or transmitted, PCI DSS requirements do not apply. … however …
    24. Example: Requirement 12.8. “If the merchant shares cardholder data with a … service provider, the merchant must ensure that there is an agreement with that … service provider that includes their acknowledgement that the third party processor/service provider is responsible for the security of the cardholder data it possesses. In lieu of a direct agreement, the merchant must obtain evidence of the … provider's compliance with PCI DSS via other means, such as via a letter of attestation.”
    25. Example: Amazon / Requirement 9
       Q: “Do QSAs for Level 1 merchants require a physical walkthrough of a service provider’s data center?
       A: No. A merchant can obtain certification without a physical walkthrough of a service provider’s data center if the service provider is a Level 1 validated service provider (such as AWS). A merchant’s QSA can rely on the work performed by our QSA, which included an extensive review of the physical security of our data centers.”
    26. PCI SSC on Cloud Challenges. “The distributed architectures of cloud environments add layers of technology and complexity to the environment. Public cloud environments are designed to be public-facing, to allow access into the environment from anywhere on the Internet. The infrastructure is by nature dynamic, and boundaries between tenant environments can be fluid. The hosted entity has limited or no visibility into the underlying infrastructure and related security controls. The hosted entity has limited or no oversight or control over cardholder data storage. The hosted entity has no knowledge of ‘who’ they are sharing resources with, or the potential risks their hosted neighbors may be introducing to the host system, data stores, or other resources shared across a multi-tenant environment.”
    27. Questions? THANK YOU. @halloussi fr.slideshare.net/alloussi
