Organizations that handle cardholder data on the cloud must safeguard it against cybersecurity threats. With the help of the PCI cloud computing protections, your organization can mitigate the data security threats posed by operating in high-risk cloud environments. Read on to learn more about these protections and how they apply to your organization.
What are the PCI Cloud Computing Protections?
With more organizations using cloud-based computing solutions to handle day-to-day cardholder data (CHD) processing, there is a need for robust PCI cloud computing protections to keep this data safe in the long term. As a guide to these protections, this blog will cover:
- An overview of the PCI DSS framework
- Types of cloud environments in scope for the PCI DSS
- Breakdown of the PCI DSS cloud computing guidelines
When applying these PCI cloud computing protections, partnering with an experienced PCI compliance partner will help you streamline the safeguards you implement and ensure they remain up-to-date with industry standards.
Overview of the PCI DSS Framework
Compliance with the PCI DSS Requirements enables organizations to implement up-to-date, industry-recommended controls and secure the CHD they handle in the short and long term. Regardless of industry, any organization that processes CHD or sensitive authentication data (SAD) will optimize its data security with the help of the PCI DSS guidelines.
The PCI DSS comprises 12 Requirements, each addressing a unique aspect of data security pertaining to the processes involved in collecting, processing, storing, or disposing of CHD or SAD. And, for PCI cloud computing purposes, the applicable DSS Requirements are interspersed throughout the PCI DSS framework.
The most effective way to identify which of these requirements will likely apply to your organization’s data security needs is with guidance from a PCI compliance partner.
Before diving into the various PCI DSS cloud computing guidelines, let’s explore the types of cloud environments that may be in scope for and subject to the PCI DSS Requirements.
Types of Cloud Environments In-Scope for the PCI DSS
When handling card payments on the cloud, you must remain aware of the data security risks present in these environments. Many of these risks evolve constantly: a threat you countered last year can return in a new form and exploit a gap that configuration drift has since opened in your cloud security controls.
Whether your organization recently migrated to the cloud, has been cloud-based for a while, or operates both on the cloud and on-premise, it helps to know which cloud environments are in scope for the PCI DSS Requirements.
By definition, being in scope for the PCI DSS means your organization stores, processes, or transmits CHD or SAD. The people, processes, and system components that do so, or that are connected to them, make up the cardholder data environment (CDE). Any risk to the assets in the CDE could compromise the confidentiality, integrity, and availability of the data it holds.
Conversely, system components that do not store, process, or transmit CHD or SAD, are not connected to the CDE, and could not affect its security are out of scope for the PCI DSS and may not be subject to the PCI cloud computing guidelines. Cloud assets only qualify as out of scope when segmentation between them and the CDE is in place and verified, so the out-of-scope determination must be documented and re-confirmed as the environment changes.
Defining which cloud environments are in or out of scope for the PCI DSS will guide control implementation across your cloud computing assets.
In general, cloud deployment models help distinguish between the various ways resources are distributed or owned by organizations that handle card payments.
These cloud deployment models include:
Public Cloud Model
A public cloud deployment model refers to cloud infrastructure provisioned by a cloud service provider for open use by the general public; it exists on the provider's premises and may be owned and operated by a business, academic institution, or government entity. Because anyone can subscribe, an organization handling CHD has no say over who shares the underlying infrastructure and must rely on the provider's isolation controls together with its own configuration of the resources it rents.
Private Cloud Model
Unlike public cloud deployment models, a private cloud is provisioned for the exclusive use of a single organization. It may be owned, managed, and operated by that organization, by a third party, or both, and may exist on or off premises. When using private cloud infrastructure to handle card payments, organizations have more control over isolation and configuration, and therefore over how much of the environment falls into PCI DSS scope.
Community Cloud Model
A community cloud model is infrastructure provisioned for the exclusive use of a specific community of customers from organizations with shared concerns, such as the same compliance obligations. It may be owned, managed, and operated by one or more members of the community, a third party, or both. In most cases, participation in a community cloud deployment model requires the members to agree on security objectives and operating practices for the shared environment.
Cloud computing customers may also combine two or more of the above models in a hybrid cloud deployment. The distinct infrastructures remain separate entities but are bound together by technology that allows data and application portability, for example "cloud bursting" to load-balance into a public cloud during capacity peaks. For PCI DSS purposes, any infrastructure that CHD can flow into during such bursting is in scope.
Common Cloud Service Categories
The PCI cloud computing requirements may also apply to certain services offered by cloud service providers to their customers. These cloud service categories may be deployed within a public, private, hybrid, or community cloud model.
Cloud service categories include:
- Software as a Service (SaaS) – With SaaS, organizations handle card payments through applications that the cloud service provider runs on its own infrastructure and exposes through a thin client such as a web browser or a program interface (API). The customer controls little beyond user-specific application settings.
- Platform as a Service (PaaS) – Using PaaS, organizations deploy their own applications onto the provider's infrastructure using the programming languages, libraries, services, and tools the provider supports. The customer controls the deployed applications and their configuration, while the provider controls the underlying network, servers, operating systems, and storage.
- Infrastructure as a Service (IaaS) – When using IaaS, organizations provision processing, storage, and network resources from the provider and run their own operating systems and card payment processing applications on them. The customer controls everything from the operating system up; the provider controls the physical and virtualization layers beneath it.
As with cloud deployment models, responsibility for data security is shared between the provider and the customer, and which controls fall to whom shifts with the service category. The more of the stack the provider manages (SaaS at one end, IaaS at the other), the more PCI DSS requirements the customer depends on the provider to meet, and the more it must verify through the provider's own compliance attestation rather than its own testing.
Cloud service providers and their customers must document in writing which PCI DSS requirements each party is responsible for, regardless of the model deployed. Certain cloud service categories demand more security effort from the customer than others, especially IaaS, where the customer configures and hardens most of the in-scope components.
With an understanding of the various types of cloud environments that may be in or out of scope for the PCI DSS, let’s dive into the PCI cloud computing requirements.
Breakdown of the PCI Compliance Cloud Computing Guidelines
Whether a given cloud service agreement is SaaS, PaaS, or IaaS, compliance with PCI cloud computing guidelines is required for every cloud service category within the scope of the PCI DSS. These guidelines are interspersed throughout the DSS, helping organizations effectively manage risks to cloud environments at each deployment stage.
Below, we’ll dive into some of the essential PCI DSS cloud computing guidelines:
Establish Network Security Controls for Cloud Networks
PCI DSS Requirement 1 mandates installing and maintaining network security controls (NSCs) for the networks that handle CHD. NSCs, which include firewalls, routers with access control lists, and cloud-native equivalents such as security groups, network ACLs, and virtual firewall appliances, restrict the flow of traffic between trusted and untrusted networks so that the CDE is reachable only over explicitly permitted connections. They are placed wherever traffic enters or leaves a network segment. In a cloud environment, NSCs are also the segmentation controls that keep out-of-scope systems, and any malicious traffic arriving through them, from reaching the CDE; inbound and outbound traffic must both be limited to what the business needs, with all other traffic denied by default.
It is crucial that all NSCs operating within cloud environments are mapped on an accurate, current network diagram that shows every connection between the CDE and other networks, trusted or untrusted, including connections to the cloud provider and other third parties. Requirement 1 also calls for a data-flow diagram showing how account data moves through these systems, and for both diagrams to be updated whenever the environment changes.
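The following is an added example, not part of the original post and not an RSI Security tool, of the kind of check a practitioner runs against cloud NSCs to catch a segmentation gap: it walks a security-group listing, picks out the groups tagged as protecting CDE components, and reports every ingress rule whose source is not wholly inside a trusted network. The tag name (pci-scope), the trusted source ranges, and the group listing are all constructed assumptions; the listing is shaped like an AWS describe-security-groups response so that a real export can be dropped in.

```python
import ipaddress

# Networks the (assumed, constructed) policy permits as sources into the CDE:
# a corporate VPN range and a bastion subnet. Everything else is untrusted.
TRUSTED_SOURCES = [
    ipaddress.ip_network("10.20.0.0/16"),
    ipaddress.ip_network("10.30.1.0/24"),
]

# Constructed listing shaped like an AWS describe-security-groups response.
# Groups are tagged pci-scope=cde when they protect CDE components (assumed tag).
SECURITY_GROUPS = [
    {
        "GroupId": "sg-cde-db",
        "Tags": [{"Key": "pci-scope", "Value": "cde"}],
        "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
             "IpRanges": [{"CidrIp": "10.30.1.0/24"}]},   # bastion only: fine
            {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},      # SSH from the Internet
        ],
    },
    {
        "GroupId": "sg-web-public",
        "Tags": [{"Key": "pci-scope", "Value": "out-of-scope"}],
        "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        ],
    },
    {
        "GroupId": "sg-cde-app",
        "Tags": [{"Key": "pci-scope", "Value": "cde"}],
        "IpPermissions": [
            {"IpProtocol": "-1",                           # all protocols, all ports
             "IpRanges": [{"CidrIp": "10.0.0.0/8"}]},      # wider than any trusted range
        ],
    },
]


def is_cde_group(group):
    """True when the group carries the (assumed) pci-scope=cde tag."""
    return any(t["Key"] == "pci-scope" and t["Value"] == "cde"
               for t in group.get("Tags", []))


def source_is_trusted(cidr):
    """A source is trusted only if the whole CIDR lies inside one trusted network."""
    net = ipaddress.ip_network(cidr)
    return any(net.version == t.version and net.subnet_of(t) for t in TRUSTED_SOURCES)


def audit_cde_ingress(groups):
    """Return (group, protocol, ports, source) for every CDE ingress rule whose
    source is not wholly inside a trusted network."""
    findings = []
    for g in groups:
        if not is_cde_group(g):
            continue
        for perm in g["IpPermissions"]:
            if perm["IpProtocol"] == "-1":
                ports = "all"
            else:
                ports = f"{perm['FromPort']}-{perm['ToPort']}"
            for rng in perm.get("IpRanges", []):
                if not source_is_trusted(rng["CidrIp"]):
                    findings.append((g["GroupId"], perm["IpProtocol"], ports, rng["CidrIp"]))
    return findings


if __name__ == "__main__":
    for finding in audit_cde_ingress(SECURITY_GROUPS):
        print("untrusted ingress into CDE:", finding)
```

Two caveats apply when this is run on real data: rules that reference another security group (UserIdGroupPairs) or IPv6 ranges (Ipv6Ranges) are not inspected here, and a group tagged out of scope is only genuinely out of scope if the segmentation it relies on has been tested, so the tag is an input to the audit, not evidence.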
Securely Manage Cloud System Components
Compliance with PCI DSS Requirement 2 involves securing system configurations across all components within the scope of the PCI DSS.
Customers of every cloud service category must change or remove vendor default accounts and passwords (on machine images, managed services, and appliances alike) before a component goes into production, since these defaults are the first thing an attacker tries against a cloud-based CHD environment. Additionally, all cloud computing assets should be hardened to an accepted industry standard, such as the CIS Benchmarks or the provider's own hardening guides, with unnecessary services, protocols, and accounts disabled.
Minimize Account Data Storage
Per DSS Requirement 3, organizations that handle card payments must keep storage of account data to the minimum required for legal, regulatory, or business purposes. SAD (full track data, card verification codes, PINs) must not be retained at all after authorization, even if encrypted, except by issuers with a justified business need.
If your organization retains either of these sensitive data on the cloud, you must:
- Establish a formal data retention and disposal policy that covers every cloud storage service in use.
- Identify all locations where account data is stored on the cloud, including backups, snapshots, logs, and object storage.
- Limit cloud-based account data storage to what business needs require, and securely delete data once its retention period ends.
Likewise, where remote-access technologies are used to reach the CDE, technical controls must prevent personnel from copying or relocating PAN out of it, except for those with documented, explicit authorization and a legitimate, defined business need. Establishing such controls closes the path by which a user moves PAN from a secured to an unsecured cloud environment.
As your objectives, priorities, and business needs change, you will need to re-examine the cloud data retention policy. The DSS also requires a process, run at least once every three months, to find and securely delete stored account data that has exceeded its retention period.
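Finding every location where PAN has accumulated is the step most organizations get wrong, because card numbers leak into logs, exports, and debug output that nobody listed as a data store. The following is an added example, not part of the original post and not RSI Security's tooling, of a minimal PAN discovery scan: it extracts digit runs of card-number length from each object, keeps only those that pass the Luhn check that all PANs satisfy, and reports them masked to first six and last four digits so the scan output itself does not become a new PAN store. The storage paths and contents are constructed sample data; the card numbers are widely published test numbers, not real accounts.

```python
from __future__ import annotations
import re

# A candidate PAN: 13 to 19 digits, optionally separated by single spaces or dashes,
# and not adjacent to other digits (so a longer number is not split into pieces).
CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Luhn mod-10 check; every card brand's PAN passes it, most random digit runs do not."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                       # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Keep only the first six and last four digits, the most PCI DSS allows to display."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def find_pans(text: str) -> list[str]:
    """Return the masked PANs found in a blob of text, in order of appearance."""
    hits = []
    for m in CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_valid(digits):
            hits.append(mask_pan(digits))
    return hits


# Constructed sample of objects from three storage locations. The first contains a
# valid test PAN and a 16-digit number that fails Luhn; the second is a debug log
# line with a test PAN split into Amex-style groups; the third has no card data.
SAMPLE_OBJECTS = {
    "s3://orders-bucket/2024/orders.csv":
        "order_id,pan,amount\n1001,4111111111111111,19.99\n1002,1234567890123456,5.00\n",
    "s3://app-logs/debug.log":
        "2024-05-01 12:00:01 DEBUG charge card=3782 822463 10005 amt=42.00\n",
    "s3://marketing/newsletter.txt":
        "Call us at 555-0100 any time.\n",
}


def scan_objects(objects: dict[str, str]) -> dict[str, list[str]]:
    """Map each storage location to the masked PANs found in it; omit clean objects."""
    return {path: pans for path, content in objects.items() if (pans := find_pans(content))}


if __name__ == "__main__":
    for path, pans in scan_objects(SAMPLE_OBJECTS).items():
        print(f"{path}: {len(pans)} PAN(s) found, e.g. {pans[0]}")
```

The Luhn filter removes most false positives, but roughly one in ten random 13 to 19 digit values (millisecond timestamps, tracking numbers) still passes it, so hits on a real scan need a brand-prefix check or manual confirmation before the location is added to the data inventory, and a clean result proves nothing about binary formats, compressed archives, or database blobs the scanner never decoded.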
Safeguard Public-Facing Applications From Threats
If your organization handles CHD on the cloud via public-facing web applications, PCI DSS Requirement 6 mandates implementing adequate protections for these applications.
Cloud-based applications with exploitable web application vulnerabilities are at high risk of being targeted from the Internet. To find vulnerabilities before an attacker does, your organization must assess its public-facing web applications for vulnerabilities at least once every 12 months and after any significant change, and correct what is found. PCI DSS also expects an automated technical solution, such as a web application firewall (WAF), in front of public-facing web applications to continually detect and prevent web-based attacks; cloud-native WAF and traffic-control services can fulfil this role when configured to block attacks, or at minimum to alert so that attacks are investigated immediately.
Manage Access to Cloud System Components
Per DSS Requirement 7, all user accounts and their access privileges must be reviewed at least once every six months to ensure they remain appropriate for each user's job function and align with your organization's access control policy, and any inappropriate access must be addressed. Whether you handle CHD and SAD in-house or on third-party cloud infrastructure, it is crucial to verify who, including service accounts and roles, can reach sensitive data environments on the cloud.
Conducting ongoing, periodic reviews of access rights and privileges will help you identify:
- Excessive delegation of access privileges
- Privileges that no longer match a user's current job function
- Delays in terminating access rights
Additionally, access to sensitive cloud-based data environments must be granted on the principles of least privilege and need to know, limiting each user, role, and service account to the minimum privileges its job function requires, with all access denied unless specifically allowed.
Implement Industry-Standard Access Controls to Cloud Environments
To prevent unauthorized access to cloud environments containing CHD and SAD, PCI DSS Requirement 8 mandates strong identification and authentication, including multifactor authentication (MFA) for all non-console administrative access, for all access into the CDE, and for all remote network access originating from outside the organization's network.
MFA requires at least two different types of factor (something you know, something you have, something you are) to succeed before access is granted, so a stolen or phished password alone no longer gets a cybercriminal in. The MFA system must not be susceptible to replay attacks, and no factor may be bypassable by a user.
MFA does not have to be applied at every individual system, network, or application, provided every path into the CDE passes through it. Remote network access and access into the CDE are, however, two separate MFA obligations: if remote users first land in a non-CDE part of the cloud environment and then connect onward into the CDE, MFA is required again at the CDE boundary, and a single MFA challenge covers both only when the remote access connection terminates directly inside the CDE.
Test Cloud Environments for Security Gaps and Vulnerabilities
To safeguard CDE on the cloud, organizations that handle CHD are required to conduct routine security testing to identify gaps and vulnerabilities that may pose risks to data integrity.
PCI DSS Requirement 11 mandates penetration testing, alongside quarterly internal and external vulnerability scanning, to identify these vulnerabilities before cybercriminals can exploit them.
Penetration testing must be conducted:
- At least once every 12 months and after any significant infrastructure or application change, covering both the external perimeter and the internal networks and systems of the cloud-based CDE
- In accordance with a defined, documented penetration testing methodology that covers the entire CDE perimeter and critical systems and tests for both application-layer and network-layer vulnerabilities
- By a qualified internal resource or a qualified external third party, with the tester organizationally independent of the environment being tested (the tester need not be a QSA or ASV)
Where segmentation is used to reduce cloud scope, the penetration test must also confirm that the segmentation controls actually isolate the CDE from out-of-scope networks. Penetration testing remains one of the most effective ways to validate that your PCI cloud computing controls hold up against the techniques attackers actually use; where a cloud provider restricts testing of its infrastructure or requires advance notice, obtain that authorization before the engagement starts.
Establish a Cloud Security Policy
Compliance with the PCI cloud computing requirements is also much easier when your organization establishes a cloud security policy based on the PCI DSS guidelines.
Requirement 12 mandates supporting information security with organizational policies and programs. For cloud customers this includes managing the risk introduced by third-party service providers: a written agreement with each provider acknowledging its responsibility for the account data it handles, a responsibility matrix stating which PCI DSS requirements each party performs, and monitoring of the provider's compliance status at least once every 12 months.
A PCI cloud security policy is especially helpful when defining which cloud assets are in or out of scope for the DSS, and the DSS requires that scope be documented and confirmed at least once every 12 months (every six months for service providers). As cloud technology changes, your organization must invest in the right tools and resources to safeguard the data collected, processed, stored, or transmitted over the cloud.
The most effective way to build a robust security policy and implement it at all levels of your organization and across assets—cloud or otherwise—is to work with a PCI compliance partner. And, remaining compliant with the PCI cloud computing requirements will provide you peace of mind when handling data on the cloud.
Secure Your PCI Data on the Cloud
Compliance with the PCI cloud computing requirements will help you keep data safe, even with growing cloud security threats. With the help of an experienced team of PCI compliance specialists, your organization will optimize its cloud security controls for all CHD and SAD environments. To learn more and get started, contact RSI Security today!