Presentation: To an efficient tool for securing the card data on the Cloud: Cloud Card Compliance Checklist

To an efficient tool for securing the card data on the Cloud: Cloud Card Compliance Checklist (Extract of my presentation in LA, USA, March 2014)

Published in: Technology
  1. PCI-DSS COMPLIANCE ON THE CLOUD: TO AN EFFICIENT TOOL FOR SECURING THE CARD DATA ON THE CLOUD: CLOUD CARD COMPLIANCE CHECKLIST. By Mr. EL ALLOUSSI (@halloussi), LA, USA, March 2014.
  2. 12 PCI DSS requirements (activities and the requirements describing them). halloussi@gmail.com
     Build and maintain a secure network.
     1. Install and maintain a firewall configuration to protect data; this includes a firewall on the client.
     2. Do not use vendor-supplied defaults for system passwords and other security parameters.
     Protect cardholder data.
     3. Protect stored cardholder data.
     4. Encrypt transmission of cardholder data and sensitive information across open, public networks.
     Maintain a vulnerability management program.
     5. Use and regularly update antivirus software.
     6. Develop and maintain secure systems and applications.
     Implement strong access control measures.
     7. Restrict access to data by business on a need-to-know basis.
     8. Assign a unique ID to each person with computer access.
     9. Restrict access to cardholder data.
     Regularly monitor and test networks.
     10. Track and monitor all access to network resources and cardholder data.
     11. Regularly test security systems and processes.
     Maintain an information security policy.
     12. Maintain a policy that addresses information security.
  3. PCI DSS Cloud Computing Guidelines (2013). The responsibilities delineated between the client and the Cloud Service Provider (CSP) for managing PCI DSS controls are influenced by a number of variables, including:
     - The purpose for which the client is using the cloud service
     - The scope of PCI DSS requirements that the client is outsourcing to the CSP
     - The services and system components that the CSP has validated within its own operations
     - The service option that the client has selected to engage the CSP (IaaS, PaaS or SaaS)
     - The scope of any additional services the CSP is providing to proactively manage the client's compliance (for example, additional managed security services)
  4. PCI DSS Cloud Computing Guidelines (2013). Define responsibilities such as in the following example:
  5. PCI DSS Cloud Computing Guidelines (2013). Define responsibilities such as in the following example:
  6. Challenges
     - Cloud environments need to be aligned with Payment Card Industry specifications.
     - Auditors, IT professionals and card professionals need tools to verify the environment.
     - Outsourcing the card environment is possible, provided its suitability is assured and checked periodically.
     - We developed an exhaustive checklist as a tool for auditors.
  7. Checklist main domains:
     - Application and Interface Security
     - Data Security
     - Network and Transport Security
     - Business Continuity Management
  8. Network Security: Infrastructure & Virtualization Security (example and extract). Checklist columns: Control Specification, PCI DSS Question, Expected Testing, In place, Not in place, Target Date.
     Control Specification: Network environments and virtual instances shall be designed and configured to restrict and monitor traffic between trusted and untrusted connections. These configurations shall be reviewed at least annually and supported by a documented justification for the use of all allowed services, protocols and ports, and by compensating controls.
     PCI DSS Questions and Expected Testing:
     - Does a current network diagram exist, and does it document all connections to cardholder data, including any wireless networks? Expected testing: examine diagram(s); observe network configurations.
     - Is the network diagram kept current? Expected testing: interview responsible personnel.
     - Does the diagram show all cardholder data flows across systems and networks? Is the diagram kept current and updated as needed upon changes to the environment? Expected testing: examine the data-flow diagram; interview personnel.
     - Do firewall and router configuration standards include a description of groups, roles and responsibilities for management of network components? Are roles and responsibilities assigned as documented? Expected testing: interview personnel responsible for management of network components.
  9. Data Security & Information Lifecycle Management: eCommerce Transactions (example and extract). Checklist columns: Control Specification, PCI DSS Question, Expected Testing, In place, Not in place, Target Date.
     Control Specification: Data related to electronic commerce (e-commerce) that traverses public networks shall be appropriately classified and protected from fraudulent activity, unauthorized disclosure or modification, in such a manner as to prevent contract disputes and compromise of data.
     PCI DSS Questions and Expected Testing:
     - Were encryption keys changed from the default at installation? Expected testing: interview responsible personnel; examine supporting documentation.
     - Are encryption keys changed whenever anyone with knowledge of the keys leaves the company or changes positions? Expected testing: interview responsible personnel; examine supporting documentation.
     - Are default passwords/passphrases on access points not used? Expected testing: examine vendor documentation and log in to wireless devices.
     - Is firmware on wireless devices updated to support strong encryption for authentication over wireless networks? Is firmware on wireless devices updated to support strong encryption for transmission over wireless networks? Expected testing: examine vendor documentation; observe wireless configuration settings.
     - Were other security-related wireless vendor defaults changed? Expected testing: examine vendor documentation; observe wireless configuration settings.
  10. Application & Interface Security: Application Security (example and extract). Checklist columns: Control Specification, PCI DSS Question, Expected Testing, In place, Not in place, Target Date.
     Control Specification: Applications and programming interfaces (APIs) shall be designed, developed, deployed and tested in accordance with leading industry standards (e.g., OWASP for web applications) and adhere to applicable legal, statutory or regulatory compliance obligations.
     PCI DSS Questions and Expected Testing:
     - 6.5.a: Are developers required to receive training in secure coding techniques based on industry best practices and guidance? Expected testing: review policies and procedures for training; interview personnel.
     - 6.5.b: Are developers knowledgeable in secure coding techniques, including how to avoid common coding vulnerabilities and how sensitive data is handled in memory? Expected testing: interview personnel; examine records of training.
     - Are processes in place to protect applications from the following vulnerabilities?
       - Are injection flaws addressed by coding techniques (validating input so it cannot modify the meaning of commands and queries, or using parameterized queries)? Expected testing: review policies and procedures for software development; interview personnel.
       - Are buffer overflows addressed by coding techniques (validating buffer boundaries and truncating input strings)? Expected testing: review policies and procedures for software development; interview personnel.
  11. Business Continuity Management & Operational Resilience: Datacenter Utilities / Environmental Conditions (example and extract). Checklist columns: Control Specification, PCI DSS Question, Expected Testing, In place, Not in place, Target Date.
     Control Specification: Datacenter utility services and environmental conditions (e.g., water, power, temperature and humidity controls, telecommunications, and internet connectivity) shall be secured, monitored, maintained and tested for continual effectiveness at planned intervals to ensure protection from unauthorized interception or damage, and designed with automated fail-over or other redundancies in the event of planned or unplanned disruptions.
     PCI DSS Questions and Expected Testing:
     - Are there physical security controls for each computer room, data center and other physical area with systems in the cardholder data environment? Is access controlled with badge readers or other devices, including authorized badges and lock and key?
     - Are consoles "locked" to prevent unauthorized use? Expected testing: observe a system administrator's attempt to log into consoles for randomly selected systems in the cardholder environment.
     - Are video cameras and/or access control mechanisms in place to monitor the entry/exit points to sensitive areas? Are video cameras and/or access control mechanisms protected from tampering or disabling?
  12. Cloud PCI Checklist: a very rich resource for auditors and card professionals, and a new norm for Cloud adopters for checking an environment before outsourcing card data.
  13. Dear auditors: contact me for any more information about the exhaustive checklist. halloussi@gmail.com, @halloussi, fr.slideshare.net/alloussi
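Slide 10 above asks whether injection flaws are addressed with parameterized queries and whether buffer overflows are addressed by validating boundaries and truncating input. The following Python example is added here to illustrate what an auditor reviewing code against those two checklist items would look for; it is not part of the presentation or its checklist. The accounts table, usernames, masked card numbers and the MAX_USERNAME_LEN bound are constructed for the demonstration.

```python
import sqlite3

# Constructed sample data for the demonstration: masked PANs only, no real
# cardholder data.
SAMPLE_ACCOUNTS = [
    ("alice", "4111********1111"),
    ("bob", "5500********0004"),
]

# Hypothetical length bound for the username field (assumed for the example).
MAX_USERNAME_LEN = 32


def setup_db():
    """Create an in-memory SQLite database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (username TEXT, masked_pan TEXT)")
    conn.executemany("INSERT INTO accounts VALUES (?, ?)", SAMPLE_ACCOUNTS)
    return conn


def lookup_unsafe(conn, username):
    """Injection flaw (what the checklist item is meant to catch): the caller's
    value is spliced into the SQL text, so a value containing quote characters
    changes the meaning of the query instead of being treated as a name."""
    sql = f"SELECT username, masked_pan FROM accounts WHERE username = '{username}'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, username):
    """Parameterized query: the value travels to the driver separately from the
    SQL text and is always treated as data, so it cannot alter the statement."""
    sql = "SELECT username, masked_pan FROM accounts WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def username_within_bounds(username):
    """Boundary check corresponding to the buffer-overflow item: reject input
    longer than the field the application was designed to hold."""
    return len(username) <= MAX_USERNAME_LEN


def lookup_checked(conn, username):
    """Apply both controls: refuse over-long input, then query with parameters."""
    if not username_within_bounds(username):
        raise ValueError("username exceeds MAX_USERNAME_LEN")
    return lookup_safe(conn, username)


if __name__ == "__main__":
    db = setup_db()
    # A value chosen so that string splicing turns "WHERE username = '...'"
    # into a condition that is always true.
    tampered = "' OR '1'='1"
    print("unsafe lookup rows:", len(lookup_unsafe(db, tampered)))  # 2: every account is returned
    print("safe lookup rows:", len(lookup_safe(db, tampered)))      # 0: value treated as a literal name
    print("bounded:", username_within_bounds("a" * (MAX_USERNAME_LEN + 1)))  # False
```

For the 6.5 checklist rows, the evidence an auditor wants is that every database access in the application follows the `lookup_safe` pattern (the value is bound as a parameter) and that input length is validated before use, as in `lookup_checked`; a code base that still contains the `lookup_unsafe` pattern belongs in the "Not in place" column with a target date.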
