What is PCI Compliance in the Cloud?
PCI-DSS (the Payment Card Industry Data Security Standard) is a set of security requirements maintained by the PCI Security Standards Council, which the major card brands founded, and enforced by the brands through their acquiring banks. It applies to any organization that stores, processes, or transmits cardholder data, and to service providers whose systems can affect the security of that data.
It is commonly assumed that a provider's PCI-DSS attestation (usually called a certification, although the formal artifact is an Attestation of Compliance) means the environment has already been evaluated against all the relevant controls and that nothing further needs to be implemented.
A provider's attestation alone does not make a customer's deployment secure or compliant: it covers only the services and controls that were in the provider's assessment scope. Certified service providers should state exactly how they comply with PCI-DSS, and both parties should agree in writing which requirements the provider meets on the customer's behalf and which remain the customer's responsibility.
In this article, you will learn:
- Challenges in Cloud PCI Compliance
- Key PCI Compliance Requirements in the Cloud
- Requirement 1: Firewall
- Requirement 2: Avoid Vendor-Supplied Defaults
- Requirement 3: Protect Stored Cardholder Data
- Requirement 4: Encrypting Cardholder Data in Transit
- Requirement 5: Antivirus
- Requirement 6: Secure Systems and Applications
- (Requirements 7-9, which cover restricting access to cardholder data by business need, identifying and authenticating users, and physical access, are omitted here because a hosting provider covers much of them; 7 and 8 still apply in full to the accounts, roles, and keys you manage in the cloud)
- Requirement 10: Monitor Access to Network and Data
- Requirement 11: Regular Security Testing and File Integrity Monitoring
Challenges in Cloud PCI Compliance
The path to PCI-DSS compliance is complex, but any company that stores, processes, or transmits cardholder data must follow it. Meeting all 12 PCI-DSS requirements, which break down into several hundred detailed sub-requirements, is a daunting responsibility for IT teams.
In large organizations with a substantial volume of cardholder data, such as banks, retail chains, and e-commerce companies, full compliance is very difficult because the standard must be addressed at every layer: the underlying infrastructure, the operating system, the network, and the application. The distributed architecture of cloud environments makes this harder still.
The public cloud is designed so that resources can be reached from anywhere on the internet, and the customer has less visibility into the underlying platform than in its own data center. Compensating controls are therefore needed for both the exposure and the reduced visibility, which makes operating public cloud services in a PCI-compliant manner difficult.
Cloud providers are responsible for producing their PCI-DSS Attestation of Compliance, and customers should accept it only after reviewing evidence that the relevant controls are in place. Cloud providers must provide their hosting customers with:
- Documentation of their PCI-DSS assessment and the date on which it was performed
- Which services, locations, and system components were in scope for the assessment, and which were not
- Which PCI-DSS controls the provider operates, which it does not, and which remain the customer's responsibility (the responsibility matrix)
Key PCI Compliance Requirements in the Cloud
PCI-DSS has 12 requirements. Here are the most important requirements that are relevant for a cloud environment, and what you should consider when using a cloud service for processing or storage of cardholder data.
Requirement 1: Firewall
PCI requires network security controls (firewalls, in older versions of the standard) that restrict traffic into and out of the cardholder data environment (CDE). On premises this is done with firewall appliances at each network boundary. In the cloud, use the provider's equivalents: security groups, network ACLs, and VPC or VNet segmentation, with a default-deny posture and only the ports the CDE actually needs opened. Keep the rule set documented and exportable so it can be demonstrated to an assessor.
Requirement 2: Avoid Vendor-Supplied Defaults
PCI requires changing vendor-supplied defaults (passwords, default accounts, SNMP community strings, and insecure default settings) on every system in the protected environment. In the cloud this extends to the provider's own defaults, such as the default VPC and its default security group or a default allow-all egress rule, so you need to enumerate every cloud resource and check whether defaults are still in place. Doing that by hand does not scale; a more practical approach is an automated tool that continuously validates cloud configuration against a baseline and flags misconfigurations, such as a cloud security posture management (CSPM) product.
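The following Go program is an added illustration for Requirements 1 and 2 together (it is not code from this article or from Atlantic.Net). It runs the kind of check a CSPM tool automates over a constructed sample in the shape of AWS `describe-security-groups` output: the vendor-supplied "default" group must carry no rules, any-source ingress is only tolerated on an allow list of ports, and egress must not be unrestricted. The group names and IDs, the CIDRs, and the rule that only port 443 may face the internet are assumptions made for the example.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// These types mirror a subset of the AWS describe-security-groups output.
// Every record in sampleGroups is constructed for this example.
type ipRange struct {
	CidrIp   string `json:"CidrIp,omitempty"`
	CidrIpv6 string `json:"CidrIpv6,omitempty"`
}

type ipPerm struct {
	IpProtocol string    `json:"IpProtocol"` // "tcp", "udp", "icmp" or "-1" (all)
	FromPort   int       `json:"FromPort"`
	ToPort     int       `json:"ToPort"`
	IpRanges   []ipRange `json:"IpRanges"`
	Ipv6Ranges []ipRange `json:"Ipv6Ranges"`
}

type secGroup struct {
	GroupId             string   `json:"GroupId"`
	GroupName           string   `json:"GroupName"`
	IpPermissions       []ipPerm `json:"IpPermissions"`
	IpPermissionsEgress []ipPerm `json:"IpPermissionsEgress"`
}

// finding is one rule violation, phrased so it can go straight into the evidence pack.
type finding struct {
	GroupId string
	Reason  string
}

// Assumption for the example: HTTPS is the only service the CDE exposes to the internet.
var allowedPublicPorts = map[int]bool{443: true}

const sampleGroups = `[
 {"GroupId":"sg-0default","GroupName":"default","IpPermissions":[],
  "IpPermissionsEgress":[{"IpProtocol":"-1","IpRanges":[{"CidrIp":"0.0.0.0/0"}]}]},
 {"GroupId":"sg-0web","GroupName":"cde-web",
  "IpPermissions":[{"IpProtocol":"tcp","FromPort":443,"ToPort":443,"IpRanges":[{"CidrIp":"0.0.0.0/0"}],"Ipv6Ranges":[{"CidrIpv6":"::/0"}]},
                   {"IpProtocol":"tcp","FromPort":22,"ToPort":22,"IpRanges":[{"CidrIp":"0.0.0.0/0"}]}],
  "IpPermissionsEgress":[{"IpProtocol":"tcp","FromPort":5432,"ToPort":5432,"IpRanges":[{"CidrIp":"10.0.2.0/24"}]}]},
 {"GroupId":"sg-0db","GroupName":"cde-db",
  "IpPermissions":[{"IpProtocol":"tcp","FromPort":5432,"ToPort":5432,"IpRanges":[{"CidrIp":"10.0.1.0/24"}]}],
  "IpPermissionsEgress":[]}
]`

func parseGroups(raw string) ([]secGroup, error) {
	var g []secGroup
	err := json.Unmarshal([]byte(raw), &g)
	return g, err
}

// opensToInternet reports whether a rule matches every IPv4 or IPv6 address.
func opensToInternet(p ipPerm) bool {
	for _, r := range p.IpRanges {
		if r.CidrIp == "0.0.0.0/0" {
			return true
		}
	}
	for _, r := range p.Ipv6Ranges {
		if r.CidrIpv6 == "::/0" {
			return true
		}
	}
	return false
}

// auditGroups applies the three checks described above and returns one finding per violation.
func auditGroups(groups []secGroup) []finding {
	var out []finding
	for _, g := range groups {
		if g.GroupName == "default" && len(g.IpPermissions)+len(g.IpPermissionsEgress) > 0 {
			out = append(out, finding{g.GroupId, "vendor default security group still carries rules"})
		}
		for _, p := range g.IpPermissions {
			if !opensToInternet(p) {
				continue
			}
			if p.IpProtocol == "-1" {
				out = append(out, finding{g.GroupId, "ingress: all protocols open to the internet"})
				continue
			}
			for port := p.FromPort; port <= p.ToPort; port++ {
				if !allowedPublicPorts[port] { // one finding per rule, at the first disallowed port
					out = append(out, finding{g.GroupId, fmt.Sprintf("ingress: %s/%d open to the internet", p.IpProtocol, port)})
					break
				}
			}
		}
		for _, p := range g.IpPermissionsEgress {
			if opensToInternet(p) && p.IpProtocol == "-1" {
				out = append(out, finding{g.GroupId, "egress: unrestricted outbound to the internet"})
			}
		}
	}
	return out
}

func main() {
	groups, err := parseGroups(sampleGroups)
	if err != nil {
		panic(err)
	}
	for _, f := range auditGroups(groups) {
		fmt.Printf("%s: %s\n", f.GroupId, f.Reason)
	}
}
```

On the sample, the default group produces two findings (it still has rules, and its egress is unrestricted), the web group one (SSH open to the world), and the database group none. Feeding real output into `parseGroups` instead of the constant gives the same report for a live account; a CSPM product does the same on a schedule and keeps the history an assessor asks for.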
Requirement 3: Protect Stored Cardholder Data
PCI-compliant hosting providers help you protect stored cardholder data, and some offer fully managed security services. Even so, it is up to you to configure the tools they provide correctly, to keep stored cardholder data to the minimum your business needs, and never to retain sensitive authentication data (full track data, card verification codes, PINs) after authorization. Assess current and prospective providers to confirm they supply the tooling you need.
Key management is a requirement in its own right. Stored primary account numbers must be rendered unreadable (strong encryption, truncation, tokenization, or one-way hashing), and the data-encryption keys (DEKs) must themselves be protected: stored encrypted under a key-encryption key (KEK) at least as strong, kept separately from the data they protect, rotated at the end of their cryptoperiod, and handled under split knowledge and dual control whenever clear-text key components are manipulated. A managed provider or a cloud key-management service (KMS or HSM) can operate the KEK for you, but you still have to show which keys protect which data and who is able to use them.
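The Go program below is an added example of the DEK/KEK arrangement just described; it is not code from the article or from Atlantic.Net. Each record gets its own DEK, the PAN is encrypted under the DEK with AES-256-GCM, and the DEK is wrapped under a KEK that in production would live in a KMS or HSM (here it is simulated by an in-memory map). The record ID is bound as associated data so an envelope cannot be moved to a different record, and `rotateKEK` shows why the split matters: retiring a KEK only re-wraps the DEKs, the stored ciphertext is untouched. The key IDs, record ID, and the test PAN 4111111111111111 are constructed for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// envelope is what gets stored beside the cardholder record. The KEK never
// appears here; it stays in the key-management service.
type envelope struct {
	KEKID      string // which KEK wrapped the DEK
	WrappedDEK []byte // nonce || AES-256-GCM(KEK, DEK, aad=KEKID)
	Ciphertext []byte // nonce || AES-256-GCM(DEK, PAN, aad=recordID)
}

func newKey() ([]byte, error) {
	k := make([]byte, 32)
	_, err := io.ReadFull(rand.Reader, k)
	return k, err
}

// sealGCM encrypts with AES-256-GCM and prepends the random 12-byte nonce.
func sealGCM(key, plaintext, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil { return nil, err }
	g, err := cipher.NewGCM(block)
	if err != nil { return nil, err }
	nonce := make([]byte, g.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil { return nil, err }
	return g.Seal(nonce, nonce, plaintext, aad), nil
}

// openGCM reverses sealGCM; any tampering with nonce, ciphertext, tag or aad fails here.
func openGCM(key, sealed, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil { return nil, err }
	g, err := cipher.NewGCM(block)
	if err != nil { return nil, err }
	if len(sealed) < g.NonceSize() { return nil, errors.New("ciphertext too short") }
	return g.Open(nil, sealed[:g.NonceSize()], sealed[g.NonceSize():], aad)
}

// encryptPAN generates a fresh DEK for this record, encrypts the PAN under it,
// then wraps the DEK under the named KEK.
func encryptPAN(keks map[string][]byte, kekID, recordID, pan string) (envelope, error) {
	kek, ok := keks[kekID]
	if !ok { return envelope{}, fmt.Errorf("unknown KEK %q", kekID) }
	dek, err := newKey()
	if err != nil { return envelope{}, err }
	ct, err := sealGCM(dek, []byte(pan), []byte(recordID))
	if err != nil { return envelope{}, err }
	wrapped, err := sealGCM(kek, dek, []byte(kekID))
	if err != nil { return envelope{}, err }
	return envelope{KEKID: kekID, WrappedDEK: wrapped, Ciphertext: ct}, nil
}

// decryptPAN unwraps the DEK with the KEK named in the envelope, then decrypts the PAN.
func decryptPAN(keks map[string][]byte, recordID string, e envelope) (string, error) {
	kek, ok := keks[e.KEKID]
	if !ok { return "", fmt.Errorf("unknown KEK %q", e.KEKID) }
	dek, err := openGCM(kek, e.WrappedDEK, []byte(e.KEKID))
	if err != nil { return "", fmt.Errorf("unwrap DEK: %w", err) }
	pt, err := openGCM(dek, e.Ciphertext, []byte(recordID))
	if err != nil { return "", fmt.Errorf("decrypt PAN: %w", err) }
	return string(pt), nil
}

// rotateKEK re-wraps the DEK under another KEK. The PAN ciphertext is not touched,
// which is what keeps periodic KEK rotation affordable across millions of records.
func rotateKEK(keks map[string][]byte, e envelope, newID string) (envelope, error) {
	oldKEK, ok1 := keks[e.KEKID]
	newKEK, ok2 := keks[newID]
	if !ok1 || !ok2 { return envelope{}, errors.New("rotation needs both the old and the new KEK") }
	dek, err := openGCM(oldKEK, e.WrappedDEK, []byte(e.KEKID))
	if err != nil { return envelope{}, err }
	wrapped, err := sealGCM(newKEK, dek, []byte(newID))
	if err != nil { return envelope{}, err }
	return envelope{KEKID: newID, WrappedDEK: wrapped, Ciphertext: e.Ciphertext}, nil
}

func main() {
	kek1, _ := newKey()
	kek2, _ := newKey()
	keks := map[string][]byte{"kek-2024-01": kek1, "kek-2024-07": kek2} // stands in for the KMS
	e, err := encryptPAN(keks, "kek-2024-01", "order-1001", "4111111111111111") // constructed test PAN
	if err != nil { panic(err) }
	rotated, err := rotateKEK(keks, e, "kek-2024-07")
	if err != nil { panic(err) }
	delete(keks, "kek-2024-01") // retire the old KEK
	pan, err := decryptPAN(keks, "order-1001", rotated)
	fmt.Println(pan, err)
}
```

What a cloud KMS adds on top of this sketch is that the KEK never leaves the service: the wrap and unwrap calls happen inside it, every call is logged against the caller's identity, and a key policy decides who may unwrap, which is the evidence Requirement 3 asks for.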
Requirement 4: Encrypting Cardholder Data in Transit
When you transmit cardholder data over open, public networks, you must use strong cryptography and security protocols. PCI-DSS no longer accepts SSL or early TLS: use TLS 1.2 or later (TLS 1.3 preferred) with strong cipher suites and certificates from a trusted authority for web and API traffic, SFTP or other SSH-based transfer for files, and IPsec for site-to-site links, and never send unprotected PANs over end-user messaging such as e-mail or chat. Configure the minimum protocol version on the server side so that a client that only speaks an older version is refused rather than quietly downgraded.
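As an added example (not code from the article or from Atlantic.Net), the Go program below builds a server-side TLS configuration with the TLS 1.2 floor described above and proves it works by running two handshakes over an in-memory pipe: a client capped at TLS 1.1 is refused, a client offering TLS 1.2 or later connects. The hostname `payments.example.test` and the self-signed certificate are assumptions so the program runs offline; in production the certificate comes from a trusted CA and the same `tls.Config` is handed to `http.Server` or whatever listener fronts the CDE.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

const host = "payments.example.test" // hypothetical hostname for the demo certificate

// pciServerConfig refuses anything below TLS 1.2 and, for 1.2, offers only AEAD
// suites with forward secrecy. TLS 1.3 suites are fixed by Go and need no list.
func pciServerConfig(cert tls.Certificate) *tls.Config {
	return &tls.Config{
		Certificates: []tls.Certificate{cert},
		MinVersion:   tls.VersionTLS12,
		CipherSuites: []uint16{
			tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
			tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,
		},
	}
}

// selfSignedCert makes a throwaway ECDSA certificate plus a pool that trusts it,
// so the example runs offline. Production uses a certificate from a trusted CA.
func selfSignedCert() (tls.Certificate, *x509.CertPool, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil { return tls.Certificate{}, nil, err }
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil { return tls.Certificate{}, nil, err }
	parsed, err := x509.ParseCertificate(der)
	if err != nil { return tls.Certificate{}, nil, err }
	pool := x509.NewCertPool()
	pool.AddCert(parsed)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, pool, nil
}

// handshake runs one client/server handshake over an in-memory pipe and returns
// the negotiated protocol version, or the error that ended the handshake.
func handshake(srv, cli *tls.Config) (uint16, error) {
	srv = srv.Clone()
	srv.SessionTicketsDisabled = true // the synchronous pipe would otherwise block on post-handshake tickets
	c, s := net.Pipe()
	serverErr := make(chan error, 1)
	go func() {
		err := tls.Server(s, srv).Handshake()
		s.Close()
		serverErr <- err
	}()
	conn := tls.Client(c, cli)
	err := conn.Handshake()
	ver := conn.ConnectionState().Version
	c.Close() // also unblocks the server goroutine if the client gave up early
	if err != nil { return 0, err }
	if err := <-serverErr; err != nil { return 0, err }
	return ver, nil
}

// clientConfig builds a client that trusts the demo certificate and speaks only versions lo..hi (hi == 0 means no cap).
func clientConfig(pool *x509.CertPool, lo, hi uint16) *tls.Config {
	return &tls.Config{RootCAs: pool, ServerName: host, MinVersion: lo, MaxVersion: hi}
}

func main() {
	cert, pool, err := selfSignedCert()
	if err != nil { panic(err) }
	srv := pciServerConfig(cert)
	_, err = handshake(srv, clientConfig(pool, tls.VersionTLS10, tls.VersionTLS11))
	fmt.Println("client limited to TLS 1.1:", err)
	ver, err := handshake(srv, clientConfig(pool, tls.VersionTLS12, 0))
	fmt.Printf("client with TLS 1.2+: version %#x, err=%v\n", ver, err)
}
```

The first handshake fails with a protocol-version alert on both sides; the second negotiates 0x0304 (TLS 1.3). Keeping the floor in the server configuration rather than relying on clients is what lets you show an assessor that early TLS cannot be used, whatever the client population looks like.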
Requirement 5: Antivirus
In a local environment, the common approach is to deploy an antivirus or endpoint protection agent on each computer. In the cloud the requirement is unchanged for every virtual machine and container host you manage: deploy an anti-malware or endpoint protection agent, keep its signatures and engine current, and log its activity. Modern endpoint protection tools support deployment on cloud resources; for fully managed services where you have no operating-system access, this control falls to the provider and should appear in their responsibility matrix.
Requirement 6: Secure Systems and Applications
This PCI requirement applies differently to different types of cloud services:
- When using a fully managed service, the provider is responsible for patching and securing the underlying systems; the customer remains responsible for its own application code, configuration, and data on that service, and for verifying the provider's compliance evidence.
- When using cloud services in an IaaS or PaaS model, the organization using the services needs to test for vulnerabilities in its systems, apply security updates, perform change management, and adopt secure development practices.
PCI-DSS 6.6 (v3.2.1) requires public-facing web applications either to be reviewed for vulnerabilities, manually or with automated tools, at least annually and after any change, or to be protected by an automated technical solution such as a web application firewall (WAF); in PCI-DSS v4.0 the WAF (requirement 6.4.2) stops being an alternative and becomes mandatory from 31 March 2025. A WAF can be consumed as a cloud service or deployed as software in front of your cloud resources. It does not replace secure coding practices, developer training, or the patching and change-management obligations in the rest of Requirement 6.
(Requirements 7-9, which cover restricting access to cardholder data by business need, identifying and authenticating users, and physical access, are omitted here because a hosting provider covers much of them; 7 and 8 still apply in full to the accounts, roles, and keys you manage in the cloud)
Requirement 10: Monitor Access to Network and Data
Requirement 10 is about audit trails: every access to cardholder data and every administrative action must be logged, with synchronized clocks, logs protected from tampering, reviews at least daily, and retention of at least a year with three months immediately available. On premises this is done with host and network logs and, where needed, traffic capture. In the cloud, enable the provider's audit logging for both the control plane (API calls that change resources) and data access (reads and writes against the stores holding cardholder data), ship those event streams to a store the CDE administrators cannot alter, and use the provider's monitoring platform or a third-party SIEM to review them and alert on anything that touches cardholder data or the logging itself.
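The Go program below is an added example of the review step (not code from the article or from Atlantic.Net). It walks a constructed, newline-delimited event stream whose field names follow the CloudTrail layout and raises two kinds of alert: any call that disables or alters the audit trail, and any access to the cardholder-data bucket by a principal outside an allow list, whether the call succeeded or was denied. The account number, bucket names, role and user ARNs, and the events themselves are all constructed for the example.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// event holds the subset of a CloudTrail-style record the rules need. Field names
// follow CloudTrail, but every record in sampleLog is constructed for this example.
type event struct {
	EventTime    string `json:"eventTime"`
	EventName    string `json:"eventName"`
	UserIdentity struct {
		ARN string `json:"arn"`
	} `json:"userIdentity"`
	RequestParameters map[string]any `json:"requestParameters"`
	ErrorCode         string         `json:"errorCode"`
}

type alert struct {
	Rule, Principal, Detail string
}

// Assumptions for the example: one bucket holds cardholder data and exactly one role may touch it.
const cdeBucket = "acme-cardholder-data"

var allowedPrincipals = map[string]bool{
	"arn:aws:iam::111122223333:role/payment-processor": true,
}

// disablesAuditing lists calls that weaken the audit trail itself; Requirement 10
// expects tampering with logging to be alerted on immediately.
var disablesAuditing = map[string]bool{"StopLogging": true, "DeleteTrail": true, "UpdateTrail": true}

const sampleLog = `
{"eventTime":"2024-05-01T09:12:03Z","eventName":"GetObject","userIdentity":{"arn":"arn:aws:iam::111122223333:role/payment-processor"},"requestParameters":{"bucketName":"acme-cardholder-data","key":"batch-0501.enc"}}
{"eventTime":"2024-05-01T09:14:41Z","eventName":"GetObject","userIdentity":{"arn":"arn:aws:iam::111122223333:user/analyst"},"requestParameters":{"bucketName":"acme-cardholder-data","key":"batch-0501.enc"}}
{"eventTime":"2024-05-01T09:15:10Z","eventName":"StopLogging","userIdentity":{"arn":"arn:aws:iam::111122223333:user/analyst"},"requestParameters":{"name":"cde-trail"}}
{"eventTime":"2024-05-01T09:20:00Z","eventName":"PutObject","userIdentity":{"arn":"arn:aws:iam::111122223333:role/payment-processor"},"requestParameters":{"bucketName":"acme-cardholder-data","key":"batch-0502.enc"}}
{"eventTime":"2024-05-01T09:31:55Z","eventName":"ListObjects","userIdentity":{"arn":"arn:aws:iam::111122223333:user/analyst"},"requestParameters":{"bucketName":"acme-cardholder-data"},"errorCode":"AccessDenied"}
{"eventTime":"2024-05-01T09:40:12Z","eventName":"GetObject","userIdentity":{"arn":"arn:aws:iam::111122223333:user/analyst"},"requestParameters":{"bucketName":"acme-public-assets","key":"logo.png"}}
`

// analyze walks newline-delimited JSON events and emits one alert per rule hit.
// A malformed line is an error rather than something to skip: a gap in the
// trail is itself a finding. Denied attempts against the CDE bucket are reported
// too, because a failed read is still an access attempt an assessor will ask about.
func analyze(log string) ([]alert, error) {
	var out []alert
	for i, line := range strings.Split(log, "\n") {
		if strings.TrimSpace(line) == "" {
			continue
		}
		var e event
		if err := json.Unmarshal([]byte(line), &e); err != nil {
			return nil, fmt.Errorf("line %d: %w", i+1, err)
		}
		p := e.UserIdentity.ARN
		bucket, _ := e.RequestParameters["bucketName"].(string)
		switch {
		case disablesAuditing[e.EventName]:
			out = append(out, alert{"audit-trail-tampering", p, e.EventName + " at " + e.EventTime})
		case bucket == cdeBucket && !allowedPrincipals[p]:
			outcome := "succeeded"
			if e.ErrorCode != "" {
				outcome = "denied (" + e.ErrorCode + ")"
			}
			out = append(out, alert{"unexpected-cde-access", p, e.EventName + " on " + bucket + " " + outcome})
		}
	}
	return out, nil
}

func main() {
	alerts, err := analyze(sampleLog)
	if err != nil {
		panic(err)
	}
	for _, a := range alerts {
		fmt.Printf("[%s] %s: %s\n", a.Rule, a.Principal, a.Detail)
	}
}
```

On the sample the processor role's reads and writes pass, while the analyst's read of the cardholder bucket, the StopLogging call, and the denied ListObjects each produce an alert; the analyst's read of the public bucket does not. A SIEM rule set does the same thing continuously and keeps the alerts, which is the daily-review evidence the requirement asks for.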
Requirement 11: Regular Security Testing and File Integrity Monitoring (FIM)
Requirement 11 covers quarterly internal and external vulnerability scans (the external ones run by an Approved Scanning Vendor), penetration testing at least annually and after significant changes, and a change-detection mechanism such as file integrity monitoring (FIM) that compares critical system, configuration, and content files at least weekly and alerts on unauthorized changes. In a local environment this is addressed with vulnerability scanners, which commonly ship with an FIM agent. In the cloud, check which security testing tools the provider offers and whether they cover your scope; if they do not, deploy a third-party scanner and FIM agent that support the relevant cloud services. External scans still need an ASV, and most providers publish rules or require notice for penetration tests against their platform.
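To show what the FIM part of the requirement does, the Go program below is an added example, not code from the article or from Atlantic.Net. It hashes every regular file under a directory with SHA-256 into a baseline, takes a second snapshot later, and reports what was added, modified, or removed. `main` sets up a constructed scenario in a temporary directory: a small web root is baselined, then a file is altered, a new script appears, and a configuration file vanishes. The file names and contents are assumptions for the example; a real agent would store the baseline off-host, run on a schedule, and map each change to a change ticket.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"io"
	"io/fs"
	"os"
	"path/filepath"
	"sort"
)

// change is one deviation from the baseline; Kind is "added", "modified" or "removed".
type change struct {
	Path string
	Kind string
}

// snapshot hashes every regular file under root and keys the result by
// slash-separated relative path, so a baseline can be compared across hosts.
func snapshot(root string) (map[string]string, error) {
	hashes := map[string]string{}
	err := filepath.WalkDir(root, func(p string, d fs.DirEntry, err error) error {
		if err != nil {
			return err
		}
		if !d.Type().IsRegular() {
			return nil
		}
		f, err := os.Open(p)
		if err != nil {
			return err
		}
		defer f.Close()
		h := sha256.New()
		if _, err := io.Copy(h, f); err != nil {
			return err
		}
		rel, err := filepath.Rel(root, p)
		if err != nil {
			return err
		}
		hashes[filepath.ToSlash(rel)] = hex.EncodeToString(h.Sum(nil))
		return nil
	})
	return hashes, err
}

// diffSnapshots compares a stored baseline with a fresh snapshot and returns the
// changes sorted by path, which is the list an assessor wants reconciled against
// change tickets.
func diffSnapshots(base, cur map[string]string) []change {
	var out []change
	for p, h := range cur {
		switch old, ok := base[p]; {
		case !ok:
			out = append(out, change{p, "added"})
		case old != h:
			out = append(out, change{p, "modified"})
		}
	}
	for p := range base {
		if _, ok := cur[p]; !ok {
			out = append(out, change{p, "removed"})
		}
	}
	sort.Slice(out, func(i, j int) bool { return out[i].Path < out[j].Path })
	return out
}

func main() {
	// Constructed scenario: a tiny web root is baselined, then tampered with.
	dir, err := os.MkdirTemp("", "fim-demo")
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(dir)
	must := func(err error) {
		if err != nil {
			panic(err)
		}
	}
	must(os.WriteFile(filepath.Join(dir, "index.php"), []byte("<?php echo 'checkout';\n"), 0o644))
	must(os.WriteFile(filepath.Join(dir, "app.conf"), []byte("tls_min=1.2\n"), 0o644))
	base, err := snapshot(dir)
	must(err)
	must(os.WriteFile(filepath.Join(dir, "index.php"), []byte("<?php echo 'checkout'; /* injected */\n"), 0o644))
	must(os.WriteFile(filepath.Join(dir, "shell.php"), []byte("<?php\n"), 0o644))
	must(os.Remove(filepath.Join(dir, "app.conf")))
	cur, err := snapshot(dir)
	must(err)
	for _, c := range diffSnapshots(base, cur) {
		fmt.Printf("%-9s %s\n", c.Kind, c.Path)
	}
}
```

The run reports `app.conf` removed, `index.php` modified, and `shell.php` added. Hashing content rather than trusting timestamps or sizes is the point: an attacker who edits a checkout page can reset its modification time, but cannot keep its SHA-256 the same.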
PCI Compliance in the Cloud with Atlantic
Contracting with Atlantic.Net for PCI-DSS-compliant web hosting gives you peace of mind that your provider knows what they're doing. Atlantic.Net is SOC 2, SOC 3 and HIPAA audited and PCI ready, and provides customers in the eCommerce industry with the hardened, secure, and compliant infrastructure they need.
We’ve taken the following security measures to make sure our cloud is as ironclad as possible:
Intrusion Server Management