Email Security Intelligence - PCI DSS Compliance for Cloud Services - Everything You Should Know

PCI DSS Compliance is a global payment card data security standard designed to ensure secure payment card transactions and processing online. Organizations that deal with sensitive card data must ensure compliance with this standard for establishing a high level of security.

Although PCI DSS isn’t really a mandate or an obligation by the law, adhering to the standard is seen as the best payment card data security practice in the industry. Keeping in mind the evolving security threat landscape, the PCI Council updated the standard to PCI DSS 4.0. The latest standard now covers and supports other technologies including Cloud technology by introducing more flexibility into the security requirements. The PCI Council had already in the last version of PCI DSS 3.2.1 clearly stated that Cloud Security is a shared responsibility between the Cloud Service Provider and Merchants. Covering more about the PCI DSS Requirement and the Cloud Computing Services, we have elaborated on how the updated requirements impact Cloud Services. 

PCI DSS Compliance for Cloud Service Providers 

Understanding the requirements of PCI DSS can be confusing, especially for those who undergo the audit process for the first time. In fact, there is a common misconception concerning the applicability and responsibility of meeting the PCI DSS Requirement among Merchants and Service providers.  Both Merchants and Service Providers are often confused about who is responsible for what part of compliance. Some believe PCI DSS Compliance is for Merchants while some say it is the responsibility of the Cloud Service Providers. So, to set things clear, the PCI Council has clearly stated in its document that PCI DSS Compliance is a shared responsibility between both Merchants & Cloud Service Providers. They have clearly defined the security-related roles and responsibilities between both parties which are summarized in the table below. 

But before getting into the details of it, it is important to know that the roles and responsibilities are defined based on the different types of Cloud Service Models and depending on the level of control over the Cloud Infrastructure. However, the allocation of responsibility does not exempt any party from their responsibility to secure data as per PCI DSS requirements. 

Responsibilities to be shared based on the Cloud Model  

PCI DSS Requirements	Responsibility Assignment of Management of Controls
	IaaS	PaaS	SaaS
1 Install and maintain a firewall configuration to protect cardholder data	Both	Both	CSP
2 Do not use vendor-supplied defaults for system passwords and other security parameters	Both	Both	CSP
3. Protect stored cardholder data	Both	Both	CSP
4. Encrypt transmission of cardholder data across open, public networks	Client	Both	CSP
5. Use and regularly update anti-virus software or programs	Client	Both	CSP
6. Develop and maintain secure systems and applications	Both	Both	Both
7. Restrict access to cardholder data by businesses need to know	Both	Both	Both
8. Assign a unique ID to each person with computer access	Both	Both	Both
9. Restrict physical access to cardholder data	CSP	CSP	CSP
10. Track and monitor all access to network resources and cardholder data	Both	Both	CSP
11. Regularly test security systems and processes	Both	Both	CSP
12. Maintain a policy that addresses information security for all personnel	Both	Both	Both
PCI DSS Appendix A: Additional PCI DSS Requirements for Shared Hosting Providers	CSP	CSP	CSP

PCI DSS Compliance Requirements specific to Cloud Services 

PCI DSS Compliance comprises 12 Requirements that both Merchants and Service Providers are expected to comply with. The PCI Council specifically in its latest version includes requirements for third-party service providers including Cloud Service Providers. Explaining the requirements in detail and what is expected from a cloud service provider, here are certain PCI Requirements for Cloud Service Providers.

Build and Maintain a Secure Network and Systems

PCI DSS was designed primarily to ensure secure payment systems and networks against unauthorized access by malicious individuals. The requirement is basically designed to ensure the protection of sensitive cardholder data and sensitive authentication data from any breach, or compromise.

Requirement 1: Install and Maintain Network Security Control 

Firewalls are essential elements of network security. It works as a front-end defense for protecting cardholder data. Deploying firewalls across all systems and networks within the card environment will ensure protection against unauthorized access from an untrusted source, filtering the traffic to the network. So, Cloud Service Providers are expected to implement adequate firewall configuration standards and secure data over public and private networks. 

Requirement 2: Apply Secure Configuration to All System Components 

The requirement clearly suggests not using vendor-supplied default system passwords which is a threat to the systems in the Cardholder Data Environment. Default passwords can be easily hacked and in most cases, they are even available online on public domains. Further, organizations are expected to implement measures with a practical approach and use advanced tools and software to check defaults configured and validate cloud security. This measure is essential to identify cloud misconfigurations, default settings, and other security vulnerabilities that could result in severe security impacts.

Protect Account Data

Protecting account data turns out to be a primary objective of PCI DSS. Merchants, Service Providers, or any other sub-service providers or third-party service providers dealing with cardholder data are expected to meet this requirement. So, even in the case where account data is stored by a Third-Party Service Provider (TPSP) which for instance could be a Cloud Service provider storing account data in a cloud environment, entities are responsible for working with their Service providers to understand how the TPSP is meeting the requirements. 

Requirement 3: Protect Stored Account Data

The protection of Stored Account Data is an essential requirement in PCI DSS.  Even the Cloud Service Providers are expected to meet the requirements in terms of implementing measures for protecting stored account data, maintaining minimum storage of account data, ensuring Sensitive Authentication Data (SAD) is not stored after authorization, securing PAN data when stored, implementing the Cryptographic method protect stored account data.

Requirement 4: Protect Cardholder Data with Strong Cryptography During Transmission Over Open, Public Networks

Cryptography is the best way for protecting stored cardholder data. The technique ensures confidentiality, integrity, and non-repudiation of cardholder data, especially when transmitted over open, public networks. The requirement outlines the need to implement strong cryptography techniques for all those who store, process, and transmit cardholder data online including Cloud Service Providers. Requirement 4 applies in the case of transmission of PAN data, wherein the PAN transmissions must be protected by encrypting it before it is transmitted. This process is essential to prevent hackers from intercepting and accessing card data sent over open networks. Implementing strong encryption protocols such as TLS 1.2, SFTP, or IPSec as per PCI DSS becomes a mandate as per requirements.

Maintain a Vulnerability Management Program 

Requirement 6: Develop and Maintain Secure Systems and Software 

The applicability of PCI DSS requirements differs based on the cloud services offered. So, in an IaaS and PaaS model, the merchants are required to verify with their Cloud Service Providers whether they are tested and detected for any vulnerabilities in systems and accordingly expected to implement necessary security updates and establish secure development practices. PCI DSS calls for the need to test all codes developed for public web applications, and further ensure the implementation of a strong Web Application Firewall (WAF) on all cloud platforms that deal with sensitive cardholder data.

Implement Strong Access Control Measures

Requirement 7: Restrict Access to Cardholder Data by Business Need-to-Know

PCI DSS Requirement 7 calls for restriction of access or limiting the access of cardholder data to only authorized personnel and third parties/vendors, based on their roles and responsibilities. This would include accessing critical cloud services involving the processing of sensitive cardholder data. For this, it requires Merchants and Service Providers to clearly define and document the roles and responsibilities. The requirement clearly states the need to establish a process and grant access based on a business need-to-know basis. This requirement basically applies to all user accounts and related access privileges, including those used by personnel and third parties/vendors, and accounts used to access third-party cloud services.

Requirement 8: Identify Users and Authenticate Access to System Components 

PCI DSS Requirement 8 outlines the need to assign unique IDs to every user and third-party Cloud Service Provider having access to the cardholder environment. This is to ensure that only authorized users have access to the critical data and perform related activities around it. Adhering to this requirement facilitates easy tracking and monitoring of activities in the environment concerning the cardholder data and also ensures accountability by the third-party service including Cloud Service Providers having access to the card data. 

Regularly Monitor and Test Networks 

Tracking, monitoring, and testing of networks are crucial to identify vulnerabilities in systems and networks connected with payment card applications. So, Merchants and Service Providers are expected to implement systems and processes that ensure regular monitoring and testing of networks to identify and remediate vulnerabilities. This can be achieved by adhering to the PCI DSS 4.0 Requirement 10 and Requirement 11 as mentioned below. 

Requirement 10: Log and Monitor All Access to System and Cardholder Data 

Merchants and Service Providers who are required to adhere to this requirement are expected to track and monitor access to network and cardholder data by maintaining a log. Tracking and maintaining logs is important for the detection of anomalies and suspicious activity, and the purpose of forensic analysis of events. This requirement applies to user activities, including those by employees, contractors, consultants, internal and external vendors, and other third parties like cloud service providers offering support or maintenance services. Logging mechanisms for tracking are critical for preventing, detecting, or minimizing the impact of a data compromise. 

Requirement 11: Test the Security of Systems and Networks Regularly 

Testing of systems isn’t just a necessity for Merchants but also a mandate for Service Providers, at all Wireless Access points. This is to identify, monitor, and address unauthorized access. Both Merchants and Service Providers are required to perform regular penetration tests to determine exploitable vulnerabilities, and security weaknesses in systems and networks and address them accordingly. Requirement 11 outlines the best practices and guidelines to meet this security mandate to safeguard both internal and external systems and networks. 

Understanding PCI DSS Responsibilities 

Merchants need to work in collaboration with their Cloud Service Providers and define the roles and responsibilities in terms of meeting the PCI DSS Requirements and protecting card data. However, the responsibilities between Merchants and the Cloud Service Provider are based on various factors like the type of cloud services available, and the applicability and scope of PCI DSS based on services and system components are critical factors to be considered. The roles and responsibilities need to be clearly defined to ensure both Merchants and Cloud Service Providers meet the requirements respectively without considering it to not be in their scope. 

PCI DSS Responsibilities for Different Cloud Service Categories

PCI DSS Requirements are shared responsibilities between Merchants and Service Providers. So, when we talk about third-party service providers like Cloud Service Providers, depending on the type of services they offer, the responsibilities may either be shared or defined as an individual party’s responsibility. In either scenario, it is still the Merchant's responsibility to verify whether the Cloud Service Providers meet the PCI DSS requirements based on the defined roles and responsibilities. 

At times the responsibilities may even overlap between both parties. So, the roles and responsibilities must be clearly defined in the contract between the Merchant and Cloud Service Provider. That said, it is ultimately still the Merchant's responsibility to ensure and validate that they and their Service Providers are compliant with the requirements of PCI DSS and the payment brand.

Final Thoughts

Understanding the key requirements and responsibilities is crucial for both Merchants and Service Providers. This is to ensure both parties meet all the PCI DSS Compliance requirements. For this, clearly defining roles and responsibilities in the contract is important.  Further, we also recommend Cloud Service Providers refer to the detailed guidelines and key considerations outlined in the document drafted by the PCI Council dated April 2018. The document will work as a guide for businesses to meet the requirements and ensure compliance.

Keep Learning

• Learn more about virus-proof security solutions.
• Learn more about the potential impact of a cyber-attack.
• Learn more about distributed spam attacks and email bombers.