PCI-DSS COMPLIANCE ON THE CLOUD
How to outsource payment data storage on the cloud: e-commerce & m-commerce

@halloussi

By M. EL ALLOUSSI

Dubai, December 2013
Summary

1. Cloud Computing: Definitions
2. e-commerce/m-commerce: An overview
3. The Payment Card Industry Data Security Standard (PCI DSS)
4. PCI DSS on Cloud: New challenges
Cloud Computing: Definitions

Definition of Cloud Computing (NIST)

NIST (SP 800-145) defines cloud computing as a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources that can be rapidly provisioned and released with minimal management effort or service provider interaction. In practice, it is a service which:
- Maintains a pool of hardware resources to maximize service and minimize cost
- Uses that resource efficiency to permit hardware refresh and migration of customer workloads
5 Essential Cloud Characteristics

1. On-demand self-service
2. Broad network access
3. Resource pooling (location independence)
4. Rapid elasticity
5. Measured service
3 Cloud Service Models

1. Cloud Software as a Service (SaaS): use the provider's applications over a network
2. Cloud Platform as a Service (PaaS): deploy customer-created applications to a cloud
3. Cloud Infrastructure as a Service (IaaS): rent processing, storage, network capacity, and other fundamental computing resources
4 Cloud Deployment Models

- Private cloud: enterprise owned or leased
- Community cloud: shared infrastructure for a specific community
- Public cloud: sold to the public, mega-scale infrastructure
- Hybrid cloud: composition of two or more clouds
e-commerce/m-commerce: An overview

Definition of e-commerce/m-commerce

E-commerce (electronic commerce) is the buying and selling of products or services via the web, the Internet or other computer networks. M-commerce (mobile commerce) is the buying of products or services via a mobile device such as a smartphone or PDA.
Types of e-commerce

- Business to Consumer (B2C): the seller is a business organization and the buyer is a consumer.
- Business to Business (B2B): the seller and the buyer are both business organizations.
- Consumer to Consumer (C2C): the seller is a consumer and the buyer is a consumer.
- Consumer to Business (C2B): the consumer names a price they are willing to pay for a requirement, and business organizations decide whether to meet the requirement for that price. As this is consumer driven and not seller driven, it becomes a C2B model.
Card payment: The stakeholders

- Cardholder: a person holding a payment card (the consumer in B2C).
- Merchant: the business organization selling the goods and services. The merchant sets up a contract known as a merchant account with an acquirer.
- Service provider: this could be the merchant itself (merchant service provider, MSP) or an independent sales organization providing some or all of the payment services for the merchant.
- Acquirer or acquiring bank: connects to a card brand network for payment processing and also has a contract for payment services with a merchant.
- Issuing bank: the entity that issues payment cards to cardholders.
- Card brand: a payment system (also called an association network) with its own processors and acquirers, such as Visa, MasterCard or CMI in Morocco.
The Payment Card Industry Data Security Standard (PCI DSS)

Why is PCI Here?

- Criminals need money. Credit cards = MONEY.
- Where are the most cards? In computers.
- Some organizations still don't care... especially if the loss is not theirs.
- Data theft grows and reaches HUGE volume.
- PAYMENT CARD BRANDS ENFORCE DSS!
PCI DSS requirements

Build and maintain a secure network
  1. Install and maintain a firewall configuration to protect cardholder data (this includes personal firewall software on client devices).
  2. Do not use vendor-supplied defaults for system passwords and other security parameters.

Protect cardholder data
  3. Protect stored cardholder data.
  4. Encrypt transmission of cardholder data and sensitive information across open, public networks.

Maintain a vulnerability management program
  5. Use and regularly update anti-virus software.
  6. Develop and maintain secure systems and applications.

Implement strong access control measures
  7. Restrict access to cardholder data by business need-to-know.
  8. Assign a unique ID to each person with computer access.
  9. Restrict physical access to cardholder data.

Regularly monitor and test networks
  10. Track and monitor all access to network resources and cardholder data.
  11. Regularly test security systems and processes.

Maintain an information security policy
  12. Maintain a policy that addresses information security.
EXAMPLE
PCI DSS on Cloud: New challenges

PCI DSS Cloud Computing Guidelines (2013)

The responsibilities delineated between the client and the Cloud Service Provider (CSP) for managing PCI DSS controls are influenced by a number of variables, including:
- The purpose for which the client is using the cloud service
- The scope of PCI DSS requirements that the client is outsourcing to the CSP
- The services and system components that the CSP has validated within its own operations
- The service option that the client has selected to engage the CSP (IaaS, PaaS or SaaS)
- The scope of any additional services the CSP is providing to proactively manage the client's compliance (for example, additional managed security services)
PCI DSS Cloud Computing Guidelines (2013)

Define responsibilities such as in the following example:
CSA Cloud Controls Matrix

- Controls derived from guidance
- Mapped to familiar frameworks: ISO 27001, COBIT, PCI, HIPAA
- Rated as applicable to SaaS/PaaS/IaaS
- Customer vs provider role
- Helps bridge the "cloud gap" for IT & IT auditors
https://cloudsecurityalliance.org/research/projects/cloud-controls-matrix-ccm/
CSA Cloud Controls Matrix

The Cloud Security Alliance Cloud Controls Matrix (CCM) provides a controls framework in 13 domains aligned with industry-accepted security standards, regulations, and controls frameworks such as:
- ISO 27001/27002
- ISACA COBIT
- PCI DSS
- NIST
- BITS
- GAPP
- HIPAA/HITECH
- Jericho Forum
CSA Cloud Controls Matrix

Cloud Controls Matrix domains include:
- Compliance
- Data Governance
- Facility Security
- Human Resource Security
- Information Security
- Legal
- Operations Management
- Risk Management
- Release Management
- Resiliency
- Security Architecture

Example: Requirement 12.8

Q: Does PCI DSS apply to merchants who use payment gateways to process transactions on their behalf, and thus never store, process or transmit cardholder data?

A: PCI DSS requirements are applicable if a Primary Account Number (PAN) is stored, processed, or transmitted. If PAN is not stored, processed, or transmitted, PCI DSS requirements do not apply.

... however ...

Example: Requirement 12.8

"If the merchant shares cardholder data with a … service provider, the merchant must ensure that there is an agreement with that … service provider that includes their acknowledgement that the third party processor/service provider is responsible for the security of the cardholder data it possesses. In lieu of a direct agreement, the merchant must obtain evidence of the … provider's compliance with PCI DSS via other means, such as via a letter of attestation."
Example: Amazon / Requirement 9

Q: "Do QSAs for Level 1 merchants require a physical walkthrough of a service provider's data center?

A: No. A merchant can obtain certification without a physical walkthrough of a service provider's data center if the service provider is a Level 1 validated service provider (such as AWS). A merchant's QSA can rely on the work performed by our QSA, which included an extensive review of the physical security of our data centers."

PCI SSC on Cloud Challenges

"The distributed architectures of cloud environments add layers of technology and complexity to the environment.
- Public cloud environments are designed to be public-facing, to allow access into the environment from anywhere on the Internet.
- The infrastructure is by nature dynamic, and boundaries between tenant environments can be fluid.
- The hosted entity has limited or no visibility into the underlying infrastructure and related security controls.
- The hosted entity has limited or no oversight or control over cardholder data storage.
- The hosted entity has no knowledge of "who" they are sharing resources with, or the potential risks their hosted neighbors may be introducing to the host system, data stores, or other resources shared across a multi-tenant environment."
Questions?

THANK YOU
@halloussi
fr.slideshare.net/alloussi

Editor's notes

  1. This is a pretty self-explanatory slide that defines PCI DSS and provides motivations for why PCI is here.
  2. Here is an example article that follows that model. The link is: http://searchcloudcomputing.techtarget.com/tip/Is-PCI-compliance-attainable-in-a-public-cloud
  3. Source: standard CSA slide
  4. Source: http://selfservice.talisma.com/article.aspx?article=5378&p=81
     Q: Does PCI DSS apply to merchants who use payment gateways to process transactions on their behalf, and thus never store, process or transmit cardholder data?
     A: PCI DSS requirements are applicable if a Primary Account Number (PAN) is stored, processed, or transmitted. If PAN is not stored, processed, or transmitted, PCI DSS requirements do not apply. However, under PCI DSS requirement 12.8, if the merchant shares cardholder data with a third party processor or service provider, the merchant must ensure that there is an agreement with that third party processor/service provider that includes their acknowledgement that the third party processor/service provider is responsible for the security of the cardholder data it possesses. In lieu of a direct agreement, the merchant must obtain evidence of the third-party processor/service provider's compliance with PCI DSS via other means, such as via a letter of attestation.
     Source: http://selfservice.talisma.com/article.aspx?article=9488&p=81
     Q: Does PCI DSS apply to a merchant that stores only truncated cardholder data (PAN)?
     A: A truncated PAN, consisting of the maximum of the first 6 and the last 4 digits, is not considered cardholder data per PCI DSS. If the merchant only stores truncated PAN, and does not store, process, or transmit the full PAN, then PCI DSS would not apply to this merchant (except for requirement 12.8, which is between the merchant and their service providers). Keep in mind that if a merchant stores any paper receipts, reports, etc., with full PAN, this is also considered storage of PAN per PCI DSS. PCI DSS does not apply to a merchant that does not electronically store, process, or transmit full PAN data OR store such data on paper receipts, reports, etc.
     However, PCI DSS (and SAQ A) does apply to a merchant who stores full PAN on paper, even though they’ve outsourced all electronic storage, processing, and transmission of cardholder data to a third party and only electronically store truncated PANs.
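The truncation rule quoted above (at most the first 6 and last 4 digits) is the line between data that is out of scope and data that pulls a merchant back into scope. The following Python is an added example, not part of the presentation or any cited source: it truncates a PAN to that rule, checks whether a stored value respects it, and scans constructed order records for full PANs, using a Luhn check (an assumption added here, not from the notes) to filter out other long numbers such as timestamps.

```python
import re

# PCI DSS treats a PAN truncated to at most the first 6 and last 4 digits
# as not being cardholder data; any record exposing more digits keeps the
# merchant in scope. All sample values below are constructed test data.
MAX_LEADING, MAX_TRAILING = 6, 4

def truncate_pan(pan: str) -> str:
    """Keep only the first 6 and last 4 digits; mask the rest with 'X'."""
    digits = re.sub(r"\D", "", pan)
    if not 13 <= len(digits) <= 19:
        raise ValueError("PAN must be 13 to 19 digits")
    hidden = len(digits) - MAX_LEADING - MAX_TRAILING
    return digits[:MAX_LEADING] + "X" * hidden + digits[-MAX_TRAILING:]

def is_truncated(value: str) -> bool:
    """True if a stored value exposes at most 6 leading and 4 trailing digits."""
    compact = re.sub(r"[ -]", "", value)
    return re.fullmatch(r"\d{0,6}\D+\d{0,4}", compact) is not None

def luhn_ok(digits: str) -> bool:
    """Luhn check (assumed here) to drop long numbers that are not card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

# 13 to 19 digits, optionally separated by spaces or dashes, not inside a longer run.
FULL_PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

def find_full_pans(records):
    """Return (index, truncated PAN) for records holding a full PAN; the scanner
    reports only the truncated form so it never writes cardholder data itself."""
    hits = []
    for i, rec in enumerate(records):
        for m in FULL_PAN_RE.finditer(rec):
            digits = re.sub(r"\D", "", m.group())
            if luhn_ok(digits):
                hits.append((i, truncate_pan(digits)))
                break
    return hits

SAMPLE_RECORDS = [  # constructed order log lines
    "order=1001 pan=411111XXXXXX1111 amount=19.99",      # truncated, out of scope
    "order=1002 pan=4111 1111 1111 1111 amount=5.00",    # full PAN, in scope
    "order=1003 ts=1702000000001 pan=411111XXXXXX1111",  # 13-digit timestamp, not a PAN
]

if __name__ == "__main__":
    print(find_full_pans(SAMPLE_RECORDS))  # [(1, '411111XXXXXX1111')]
```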
  6. Source: http://aws.amazon.com/security/pci-dss-level-1-compliance-faqs/
     Q: Do QSAs for Level 1 merchants require a physical walkthrough of a service provider’s data center?
     A: No. A merchant can obtain certification without a physical walkthrough of a service provider’s data center if the service provider is a Level 1 validated service provider (such as AWS). A merchant’s QSA can rely on the work performed by our QSA, which included an extensive review of the physical security of our data centers.
     Q: Will AWS cooperate with forensic investigations if required?
     A: Yes. AWS is classified as a shared hosting provider and as specified in DSS requirement A.1.4 has written policies that provide for a timely forensics investigation of related servers in the event of a compromise. AWS will work with merchants and designated Qualified Incident Response Assessors (QIRA) as required to perform forensic investigations. AWS also meets all breach notification requirements as applicable to AWS.
     PCI basis: “For those entities that outsource storage, processing, or transmission of cardholder data to third-party service providers, the Report on Compliance (ROC) must document the role of each service provider, clearly identifying which requirements apply to the assessed entity and which apply to the service provider. There are two options for third-party service providers to validate compliance: 1) They can undergo a PCI DSS assessment on their own and provide evidence to their customers to demonstrate their compliance; or 2) If they do not undergo their own PCI DSS assessment, they will need to have their services reviewed during the course of each of their customers’ PCI DSS assessments. See the bullet beginning “For managed service provider (MSP) reviews,” in Item 3, “Details about Reviewed Environment,” in the “Instructions and Content for Report on Compliance” section, below, for more information.
     Additionally, merchants and service providers must manage and monitor the PCI DSS compliance of all associated third-party service providers with access to cardholder data. Refer to Requirement 12.8 in this document for details.”
  7. PCI SSC virtualization guidance: “In addition to the challenges of defining scope and assigning responsibilities across a shared infrastructure, the inherent characteristics of many cloud environments present additional barriers to achieving PCI DSS compliance. Some of these characteristics include:
     - The distributed architectures of cloud environments add layers of technology and complexity to the environment.
     - Public cloud environments are designed to be public-facing, to allow access into the environment from anywhere on the Internet.
     - The infrastructure is by nature dynamic, and boundaries between tenant environments can be fluid.
     - The hosted entity has limited or no visibility into the underlying infrastructure and related security controls.
     - The hosted entity has limited or no oversight or control over cardholder data storage.
     - The hosted entity has no knowledge of “who” they are sharing resources with, or the potential risks their hosted neighbors may be introducing to the host system, data stores, or other resources shared across a multi-tenant environment.”
     “In a public cloud environment, additional controls must be implemented to compensate for the inherent risks and lack of visibility into the public cloud architecture. A public cloud environment could, for example, host hostile out-of-scope workloads on the same virtualization infrastructure as a cardholder data environment. More stringent preventive, detective, and corrective controls are required to offset the additional risk that a public cloud, or similar environment, could introduce to an entity’s CDE. These challenges may make it impossible for some cloud-based services to operate in a PCI DSS compliant manner.
     Consequently, the burden for providing proof of PCI DSS compliance for a cloud-based service falls heavily on the cloud provider, and such proof should be accepted only based on rigorous evidence of adequate controls. As with all hosted services in scope for PCI DSS, the hosted entity should request sufficient assurance from their cloud provider that the scope of the provider’s PCI DSS review is sufficient, and that all controls relevant to the hosted entity’s environment have been assessed and determined to be PCI DSS compliant. The cloud provider should be prepared to provide their hosted customers with evidence that clearly indicates what was included in the scope of their PCI DSS assessment as well as what was not in scope; details of controls that were not covered and are therefore the customer’s responsibility to cover in their own PCI DSS assessment; details of which PCI DSS requirements were reviewed and considered to be “in place” and “not in place”; and confirmation of when the assessment was conducted. Any aspects of the cloud-based service not covered by the cloud provider’s PCI DSS review should be identified and documented in a written agreement. The hosted entity should be fully aware of any and all aspects of the cloud service, including specific system components and security controls, which are not covered by the provider and are therefore the entity’s responsibility to manage and assess.”