This document discusses PCI compliance in the cloud. It begins by providing background on evolving payment landscapes and defining the cloud. It then outlines key PCI DSS requirements and how responsibility is shared between cloud providers and customers to ensure compliance. Requirements include firewalls, secure configurations, protecting stored data, logging and monitoring, and policies. The document recommends choosing a PCI certified cloud provider and confirms requirements are covered, with some remaining the customer's responsibility. It introduces a company called ControlCase that provides a compliant cloud platform and compliance services to help keep sensitive data secure in the cloud.

1. PCI Compliance in the Cloud
How to keep sensitive data secure
as you move to the cloud

2. Agenda
• About the Cloud
› Evolving Landscape
› What is the Cloud
› Key Compliance Differences
• About PCI DSS
• PCI DSS in the Cloud
2 / 32

3. About the Cloud

4. Evolving Payment Landscape
• Mobile Payments
• “Cloud Based” Payment Providers
• Point to Point Encryption
4 / 32

5. What is the Cloud
• Hosting Provider Private Cloud
› NCR
› IBM/ATT
› Rackspace
• Amazon Cloud
› EC2
• Internal Cloud
› Virtualization within internal datacenter
5 / 32

6. Key Compliance Differences
• Private vs. Public network
• Physical vs. Logical Access
• Known Physical Boundaries vs. Unknown
• Known Access vs. Unknown
6 / 32

7. PCI Compliance in the Cloud

8. What is PCI DSS?
Payment Card Industry Data Security Standard:
• Guidelines for securely processing, storing, or
transmitting payment card account data
• Established by leading payment card issuers
• Maintained by the PCI Security Standards Council
(PCI SSC)
8 / 32

9. How Does PCI DSS Apply to the Cloud?
9 / 32

10. It’s a Wild West Out There…
10 / 32

11. Our Topic: PCI Compliance in the Cloud
11 / 32

12. How Does the Compliant Cloud Work?
Minimum Requirements: (2) Servers, (1) “DMZ” and (1) Internal
12 / 32

13. PCI DSS Requirements
Control Objectives Requirements
Build and maintain a secure network 1. Install and maintain a firewall configuration to protect
cardholder data
2. Do not use vendor-supplied defaults for system passwords and
other security parameters
Protect cardholder data 3. Protect stored cardholder data
4. Encrypt transmission of cardholder data across open, public
networks
Maintain a vulnerability
management program
5. Use and regularly update anti-virus software on all systems
commonly affected by malware
6. Develop and maintain secure systems and applications
Implement strong access control
measures
7. Restrict access to cardholder data by business need-to-know
8. Assign a unique ID to each person with computer access
9. Restrict physical access to cardholder data
Regularly monitor and test networks 10. Track and monitor all access to network resources and
cardholder data
11. Regularly test security systems and processes
Maintain an information security
policy
12. Maintain a policy that addresses information security
13 / 32

14. Firewalls
• Cloud Provider
› Must provide ability for DMZ to be created in the cloud
environment; OR
› Must have multiple clouds for DMZ and internal network
• You (The customer)
› Must ensure DMZ has been implemented consistent with
PCI requirements
14 / 32

15. Configuration Standards
• Cloud provider
› Must prove that secure configurations are implemented
for the base platform hosting the VMs.
• You (the customer)
› Must ensure secure configuration exists within the cloud
images of the operating systems.
15 / 32

16. Protect Stored Cardholder Data
You must ensure stored data is encrypted and
protected.
16 / 32

17. Protect Cardholder Data in Transmission
You must ensure data being transmitted is
encrypted.
17 / 32

18. Antimalware
• Cloud provider
› Must prove that base platform/hypervisors have
appropriate antimalware measures
• You (the customer)
› You must ensure all cloud images of operating systems
have antimalware measures
18 / 32

19. Secure Applications
You must ensure all applications are developed
securely and without vulnerabilities.
19 / 32

20. Access Control and User IDs
• Cloud Provider
› Must prove that access control/user IDs have been
implemented for the base platform/hypervisor hosting the
VMs.
• You (the customer)
› Are responsible for access control within your cloud
images of your operating systems.
20 / 32

21. Physical Security
• Cloud provider
› The cloud provider must prove that physical security
controls are in place where the base platform hosting the
virtual machines is physically located.
• You (the customer)
› Must ensure you are hosting the cloud that has physical
security enabled.
21 / 32

22. Logging and Monitoring
• Cloud Provider
› Must prove that logging is appropriately implemented for
base platform/hypervisors hosting the VMs.
› Must prove that logging is appropriately implemented for
network and security devices within the environment.
• You (the customer)
› Are responsible for logging within the cloud images of the
operating systems.
22 / 32

23. Vulnerability Management
• Cloud Provider
› Must prove that vulnerabilities are assessed and removed
appropriately for the base platform/hypervisors hosting
the VMs.
› Must prove that vulnerabilities are assessed and removed
appropriately for network and security devices within the
environment
• You (the customer)
› Are responsible for assessing the internal, external and
application vulnerabilities within the cloud images of the
operating systems.
23 / 32

24. Policies and Procedures
• Cloud Provider
› Must prove that policies exist appropriately for the base
platform/hypervisors hosting the VMs.
• You (the customer)
› Must ensure that policies address the security aspects
specific to the applications being deployed in the VM.
24 / 32

25. PCI DSS Requirements
25 / 32
Control Objectives Requirements
Build and maintain a secure network 1. Install and maintain a firewall configuration to protect
cardholder data
2. Do not use vendor-supplied defaults for system passwords and
other security parameters
Protect cardholder data 3. Protect stored cardholder data
4. Encrypt transmission of cardholder data across open, public
networks
Maintain a vulnerability
management program
5. Use and regularly update anti-virus software on all systems
commonly affected by malware
6. Develop and maintain secure systems and applications
Implement strong access control
measures
7. Restrict access to cardholder data by business need-to-know
8. Assign a unique ID to each person with computer access
9. Restrict physical access to cardholder data
Regularly monitor and test networks 10. Track and monitor all access to network resources and
cardholder data
11. Regularly test security systems and processes
Maintain an information security
policy
12. Maintain a policy that addresses information security

26. Key Takeaways as you Make Cloud Decisions
• Ensure Cloud Provider is PCI DSS Certified
› Not in the context of them taking credit cards as a
merchant, rather as an infrastructure provider
• Ensure through report on compliance (RoC) or
service provider compliance matrix that all
requirements are covered in scope EXCEPT
› Requirement 3 (Encrypt cardholder data)
› Requirement 4 (Encrypt cardholder transmission)
› Requirement 6 (Application security)
26 / 32

27. ControlCase Compliant Cloud

28. How ControlCase Keeps You Compliant
28 / 32
Compliance
as a Service
(CaaS)

29. The ControlCase Compliant Cloud
29 / 32

30. Why Choose ControlCase?
• Global Reach
› Serving more than 400 clients in 40 countries and rapidly
growing
• Certified Resources
› PCI DSS Qualified Security Assessor (QSA)
› QSA for Point-to-Point Encryption (QSA P2PE)
› HITUST
› SOC1, SOC2, SOC3, SSAE16
› Certified ASV vendor
30 / 32

31. To Learn More About PCI Compliance…
• Visit www.controlcase.com
• Call +1.703.483.6383 (US)
• Call +91.9820293399 (India)
31 / 32

32. Thank You for Your Time