As organizations collect ever-increasing amounts of their customers’ personal data, and data breaches become a daily occurrence, the regulatory landscape has become much more complicated. New regulations like the EU’s General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA), and many others have dramatically changed how organizations can collect, process and store customer data.
However, the concept of complying with data protection regulations is nothing new for many organizations. Retailers and other organizations that collect and process payment card data have been required to maintain Payment Card Industry Data Security Standard (PCI DSS) compliance for years now. In many ways, the new data protection regulations coming into effect in recent years have been an attempt to push other industry verticals to achieve the same minimum level of cybersecurity as the payment card industry.
However, while PCI DSS is not a new regulation, both the details of the regulation and the cybersecurity landscape are continually evolving. As new threat vectors are introduced and cybersecurity best practice evolves, the PCI Council revises the standard to reflect the current state of the art. As a result, organizations may need to revise or redesign their existing security controls to meet the changing requirements of the standard.
Organizations may also need to review and revise their security plans to maintain PCI DSS compliance as their network landscapes and attack surfaces change and evolve. As more and more organizations move to the cloud and payment card information is increasingly stored and processed there, the need to adapt existing security controls to achieve PCI DSS compliance in the cloud only grows.
The PCI Requirements
PCI DSS is designed to provide guidance to organizations that process payment card data on how to protect that data. The standard is composed of 12 high-level requirements that organizations must comply with, and each of these has additional sub-points under it. The twelve main requirements of PCI DSS are:
1. Install and maintain a firewall configuration to protect cardholder data.
2. Do not use vendor-supplied defaults for system passwords and other security parameters.
3. Protect stored cardholder data.
4. Encrypt transmission of cardholder data across open, public networks.
5. Protect all systems against malware and regularly update anti-virus software or programs.
6. Develop and maintain secure systems and applications.
7. Restrict access to cardholder data by business need to know.
8. Identify and authenticate access to system components.
9. Restrict physical access to cardholder data.
10. Track and monitor all access to network resources and cardholder data.
11. Regularly test security systems and processes.
12. Maintain a policy that addresses information security for all personnel.
In general, the requirements of PCI DSS boil down to best practices for cyber hygiene. Many organizations will have most or all of these requirements fulfilled in their on-premises deployments. However, as organizations are increasingly moving infrastructure, data storage, and applications to the cloud, data protection strategies must be updated to reflect the differences between on-premises and the cloud.
Cloud Impacts on PCI Compliance
Moving to the cloud can be an excellent business decision for an organization. However, many businesses simply "lift" their existing on-premises deployments into the cloud without making any modifications to adapt to the new operating environment. As a result, the organization's sensitive data may be exposed to attack, and it may lose its status as a PCI-compliant business.
The level of visibility and control that an organization has over their security infrastructure is very different in on-premises and cloud-based environments. In the cloud, an organization is sharing responsibility for security with their cloud services provider (CSP), and the CSP provides them with configuration controls and tools to manage their part of that job. However, many organizations do not understand the cloud shared responsibility model and the security implications of failing to properly secure their cloud deployment.
For example, one of the most common security mistakes on the cloud is misconfiguration of access controls. By default, most cloud deployments are set to “private”, meaning that users must be explicitly invited to access the content. However, numerous organizations have set security controls to “public” on their cloud deployments, which makes them accessible to anyone who knows the URL. Not only does this expose the data to possible breach, but it clearly violates Requirement 10 for PCI DSS compliance as the organizations no longer have visibility or control over access to their data. Cybercriminals like the Magecart group are known to actively scan the Internet for URLs of publicly accessible Amazon S3 data storage containing payment card information.
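As an added illustration (not part of the original article), the following Python audit routine evaluates an S3 bucket's ACL grants, bucket policy and Block Public Access settings, in the shapes the AWS S3 API returns them, and reports the grants that make the bucket reachable by anyone. The sample bucket state is constructed inline so the script runs offline; in practice the inputs would come from the bucket's `get_bucket_acl`, `get_bucket_policy` and `get_public_access_block` API responses.

```python
import json

# Canned-group URIs that AWS treats as "everyone" / "any AWS account", i.e. public.
PUBLIC_GROUP_URIS = {"http://acs.amazonaws.com/groups/global/AllUsers",
                     "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"}

def acl_findings(acl):
    """Flag ACL grants to public groups; `acl` mirrors a get_bucket_acl response."""
    out = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GROUP_URIS:
            out.append(f"ACL grants {grant['Permission']} to {grantee['URI'].rsplit('/', 1)[-1]}")
    return out

def _principal_is_public(principal):
    if isinstance(principal, dict):  # {"AWS": "*"} or {"AWS": ["*", ...]} also means anyone
        principal = principal.get("AWS", [])
    return principal == "*" or (isinstance(principal, list) and "*" in principal)

def policy_findings(policy_json):
    """Flag unconditional Allow statements whose Principal is '*' in a bucket policy."""
    out = []
    for stmt in (json.loads(policy_json) if policy_json else {}).get("Statement", []):
        if stmt.get("Effect") != "Allow" or not _principal_is_public(stmt.get("Principal")):
            continue
        if stmt.get("Condition"):  # conditioned grants (e.g. aws:SourceVpce) need manual review
            continue
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        out.append(f"policy Sid={stmt.get('Sid', '-')} allows {', '.join(actions)} to anyone")
    return out

def audit_bucket(acl, policy_json, public_access_block):
    """A public grant only counts if Block Public Access leaves it effective."""
    pab = public_access_block or {}
    findings = [] if pab.get("IgnorePublicAcls") else acl_findings(acl)
    if not pab.get("RestrictPublicBuckets"):
        findings += policy_findings(policy_json)
    return findings

# Constructed sample: a bucket left "public" via both an ACL grant and a policy statement.
SAMPLE_ACL = {"Grants": [
    {"Grantee": {"Type": "CanonicalUser", "ID": "owner-id"}, "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
     "Permission": "READ"}]}
SAMPLE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{"Sid": "PublicRead",
    "Effect": "Allow", "Principal": "*", "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"}]})
HARDENED_PAB = {"BlockPublicAcls": True, "IgnorePublicAcls": True,  # all four flags on, i.e.
                "BlockPublicPolicy": True, "RestrictPublicBuckets": True}  # "Block all public access"
```

Running `audit_bucket(SAMPLE_ACL, SAMPLE_POLICY, None)` reports both the ACL and the policy exposure, while the same bucket under `HARDENED_PAB` reports nothing, which is the state an auditor would expect for any bucket holding cardholder data.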
Achieving PCI DSS compliance in cloud deployments also requires choosing security solutions that are designed to operate in cloud environments. Traditional perimeter-based cybersecurity controls often do not work “out of the box” in a cloud environment since the cloud is not inside the organization’s network perimeter. In order to maintain compliance with the PCI regulations, organizations need to seek out and deploy solutions that are designed to function in cloud environments.
Achieving PCI Compliance in the Cloud
The cloud is a very different environment from traditional on-premises deployments. Organizations have greatly diminished visibility and control over their infrastructure in the cloud compared to in-house hardware. Failing to acknowledge this, and to adopt a cloud-specific cybersecurity strategy that configures the vendor-provided security controls and deploys security appliances designed to operate in cloud environments, leaves an organization open to attack and to the loss of its PCI certification.