1. PCI-DSS COMPLIANCE ON THE CLOUD
HOW TO OUTSOURCE PAYMENT DATA STORAGE ON THE CLOUD: E-COMMERCE & M-COMMERCE
@halloussi
By M. EL ALLOUSSI
Dubai, December 2013
2. Summary
1. Cloud Computing: Definitions
2. e-commerce/m-commerce: An overview
3. The Payment Card Industry Data Security Standard (PCI DSS)
4. PCI DSS on Cloud: New challenges
4. Definition of Cloud Computing (NIST)
A service which:
Maintains a pool of hardware resources to maximize service and minimize cost
Resource efficiency permits hardware refresh and migration of customer workloads
6. 3 Cloud Service Models
1. Cloud Software as a Service (SaaS): Use provider's applications over a network
2. Cloud Platform as a Service (PaaS): Deploy customer-created applications to a cloud
3. Cloud Infrastructure as a Service (IaaS): Rent processing, storage, network capacity, and other fundamental computing resources
7. 4 Cloud Deployment Models
Private cloud: Enterprise owned or leased
Community cloud: Shared infrastructure for a specific community
Public cloud: Sold to the public, mega-scale infrastructure
Hybrid cloud: Composition of two or more clouds
9. Definition of e-commerce/m-commerce
E-commerce or electronic commerce is the buying and selling of products or services via the web, the Internet or other computer networks. M-commerce or mobile commerce is the buying of products or services via a mobile device such as a smartphone or PDA.
10. Types of e-Commerce
Business to Consumer (B2C): this is where the seller is a business organization and the buyer is a consumer.
Business to Business (B2B): this is where the seller and the buyer are both business organizations.
Consumer to Consumer (C2C): this is where the seller is a consumer and the buyer is a consumer.
Consumer to Business (C2B): this is where the consumer can name a price they are willing to pay for a requirement and business organizations can decide whether to meet the requirement for the price. As this is consumer driven and not seller driven, this becomes a C2B model.
11. Card payment: The stakeholders
Card holder: a person holding a payment card (the consumer in B2C).
Merchant: the business organization selling the goods and services (the merchant sets up a contract known as a merchant account with an acquirer).
Service provider: this could be the merchant itself (Merchant Service Provider (MSP)) or an independent sales organization providing some or all of the payment services for the merchant.
Acquirer or acquiring bank: this connects to a card brand network for payment processing and also has a contract for payment services with a merchant.
Issuing bank: this entity issues the payment cards to the payment card holders.
Card brand: this is a payment system (called an association network) with its own processors and acquirers (such as Visa, MasterCard or CMI card in Morocco).
13. Why is PCI Here?
Criminals need money. Credit cards = MONEY.
Where are the most cards? In computers.
Data theft grows and reaches HUGE volume.
Some organizations still don't care... especially if the loss is not theirs.
PAYMENT CARD BRANDS ENFORCE DSS!
14. PCI DSS requirements
Activities, and the requirements describing them:
Build and maintain a secure network:
  1. Install and maintain a firewall configuration to protect data; this includes a firewall on the client.
  2. Do not use vendor-supplied defaults for system passwords and other security parameters.
Protect cardholder data:
  3. Protect stored cardholder data.
  4. Encrypt transmission of cardholder data and sensitive information across open public networks.
Maintain a vulnerability management program:
  5. Use and regularly update antivirus software.
  6. Develop and maintain secure systems and applications.
Implement strong access control measures:
  7. Restrict access to data by business need-to-know.
  8. Assign a unique ID to each person with computer access.
  9. Restrict physical access to cardholder data.
Regularly monitor and test networks:
  10. Track and monitor all access to network resources and cardholder data.
  11. Regularly test security systems and processes.
Maintain an information security policy:
  12. Maintain a policy that addresses information security.
17. PCI DSS Cloud Computing Guidelines (2013)
The responsibilities delineated between the client and the Cloud Service Provider (CSP) for managing PCI DSS controls are influenced by a number of variables, including:
The purpose for which the client is using the cloud service
The scope of PCI DSS requirements that the client is outsourcing to the CSP
The services and system components that the CSP has validated within its own operations
The service option that the client has selected to engage the CSP (IaaS, PaaS or SaaS)
The scope of any additional services the CSP is providing to proactively manage the client's compliance (for example, additional managed security services)
18. PCI DSS Cloud Computing Guidelines (2013)
Define responsibilities, as in the following example (responsibility matrix shown on the slide):
19. PCI DSS Cloud Computing Guidelines (2013)
Define responsibilities, as in the following example (responsibility matrix shown on the slide):
20. CSA Cloud Controls Matrix
Controls derived from guidance
Mapped to familiar frameworks: ISO 27001, COBIT, PCI, HIPAA
Rated as applicable to SaaS/PaaS/IaaS
Customer vs Provider role
Help bridge the "cloud gap" for IT & IT auditors
https://cloudsecurityalliance.org/research/projects/cloud-controls-matrix-ccm/
21. CSA Cloud Controls Matrix
The Cloud Security Alliance Cloud Controls Matrix (CCM) provides a controls framework in 13 domains aligned with industry-accepted security standards, regulations, and controls frameworks such as:
ISO 27001/27002
ISACA COBIT
PCI DSS
NIST
BITS
GAPP
HIPAA/HITECH
Jericho Forum
23. Example: Requirement 12.8
Q: Does PCI DSS apply to merchants who use payment gateways to process transactions on their behalf, and thus never store, process or transmit cardholder data?
A: PCI DSS requirements are applicable if a Primary Account Number (PAN) is stored, processed, or transmitted. If PAN is not stored, processed, or transmitted, PCI DSS requirements do not apply.
... however ...
24. Example: Requirement 12.8
"If the merchant shares cardholder data with a ... service provider, the merchant must ensure that there is an agreement with that ... service provider that includes their acknowledgement that the third party processor/service provider is responsible for the security of the cardholder data it possesses.
In lieu of a direct agreement, the merchant must obtain evidence of the ... provider's compliance with PCI DSS via other means, such as via a letter of attestation."
25. Example: Amazon / Requirement 9
Q: "Do QSAs for Level 1 merchants require a physical walkthrough of a service provider's data center?
A: No. A merchant can obtain certification without a physical walkthrough of a service provider's data center if the service provider is a Level 1 validated service provider (such as AWS). A merchant's QSA can rely on the work performed by our QSA, which included an extensive review of the physical security of our data centers."
26. PCI SSC on Cloud Challenges
"The distributed architectures of cloud environments add layers of technology and complexity to the environment.
Public cloud environments are designed to be public-facing, to allow access into the environment from anywhere on the Internet.
The infrastructure is by nature dynamic, and boundaries between tenant environments can be fluid.
The hosted entity has limited or no visibility into the underlying infrastructure and related security controls.
The hosted entity has limited or no oversight or control over cardholder data storage.
The hosted entity has no knowledge of "who" they are sharing resources with, or the potential risks their hosted neighbors may be introducing to the host system, data stores, or other resources shared across a multi-tenant environment"
This is a pretty self-explanatory slide that defines PCI DSS and provides motivations for why PCI is here.
Here is an example article that follows that model. The link is: http://searchcloudcomputing.techtarget.com/tip/Is-PCI-compliance-attainable-in-a-public-cloud
Source: standard CSA slide
http://selfservice.talisma.com/article.aspx?article=5378&p=81
Q: Does PCI DSS apply to merchants who use payment gateways to process transactions on their behalf, and thus never store, process or transmit cardholder data?
A: PCI DSS requirements are applicable if a Primary Account Number (PAN) is stored, processed, or transmitted. If PAN is not stored, processed, or transmitted, PCI DSS requirements do not apply. However, under PCI DSS requirement 12.8, if the merchant shares cardholder data with a third party processor or service provider, the merchant must ensure that there is an agreement with that third party processor/service provider that includes their acknowledgement that the third party processor/service provider is responsible for the security of the cardholder data it possesses. In lieu of a direct agreement, the merchant must obtain evidence of the third-party processor/service provider's compliance with PCI DSS via other means, such as via a letter of attestation.
http://selfservice.talisma.com/article.aspx?article=9488&p=81
Q: Does PCI DSS apply to a merchant that stores only truncated cardholder data (PAN)?
A: A truncated PAN, consisting of the maximum of the first 6 and the last 4 digits, is not considered cardholder data per PCI DSS. If the merchant only stores truncated PAN, and does not store, process, or transmit the full PAN, then PCI DSS would not apply to this merchant (except for requirement 12.8, which is between the merchant and their service providers). Keep in mind that if a merchant stores any paper receipts, reports, etc., with full PAN, this is also considered storage of PAN per PCI DSS. PCI DSS does not apply to a merchant that does not electronically store, process, or transmit full PAN data OR store such data on paper receipts, reports, etc.
However, PCI DSS (and SAQ A) does apply to a merchant who stores full PAN on paper, even though they've outsourced all electronic storage, processing, and transmission of cardholder data to a third party and only electronically store truncated PANs.
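The truncation rule quoted in the note above (at most the first 6 and last 4 digits of a PAN may be kept) is the kind of thing a merchant should be able to both apply and verify. The following is an added illustration, not code from the deck or from the PCI SSC: it truncates a PAN to the permitted digits and scans a constructed receipt export for any Luhn-valid full PAN that would pull the store back into scope. The sample export and all function names are assumptions for the example.

```python
import re


def luhn_valid(digits: str) -> bool:
    """True if the digit string passes the Luhn check that card PANs satisfy."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def truncate_pan(pan: str, keep_first: int = 6, keep_last: int = 4) -> str:
    """Keep at most the first 6 and last 4 digits (the PCI DSS truncation limit).

    Middle digits become 'X', so the result is no longer cardholder data and
    can sit in a receipt export without bringing the store into scope.
    """
    digits = re.sub(r"\D", "", pan)
    if not 13 <= len(digits) <= 19 or not luhn_valid(digits):
        raise ValueError("input does not look like a PAN")
    if keep_first > 6 or keep_last > 4:
        raise ValueError("PCI DSS allows at most the first 6 and last 4 digits")
    hidden = len(digits) - keep_first - keep_last
    return digits[:keep_first] + "X" * hidden + digits[-keep_last:]


# Candidate PAN: 13-19 digits, optionally separated by single spaces or dashes.
_PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def find_full_pans(text: str) -> list:
    """Return Luhn-valid full PANs found in free text (logs, receipt exports).

    Any hit in a store that is supposed to hold only truncated PANs means full
    PAN is being stored, which puts that store back in PCI DSS scope.
    """
    hits = []
    for m in _PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if luhn_valid(digits):
            hits.append(digits)
    return hits


# Constructed sample export (not real data): line 2 leaks a full test PAN,
# line 3 is a 14-digit order reference that must not be flagged.
SAMPLE_EXPORT = """order=1001 pan=411111XXXXXX1111 amount=19.90
order=1002 pan=4111 1111 1111 1111 amount=45.00
order=1003 ref=20131201123456 amount=3.10"""
```

The Luhn filter is what keeps long order references and timestamps from being reported as card numbers; a hit on a truncated store is a finding to raise with whoever produced the export.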
http://aws.amazon.com/security/pci-dss-level-1-compliance-faqs/
Q: Do QSAs for Level 1 merchants require a physical walkthrough of a service provider's data center?
A: No. A merchant can obtain certification without a physical walkthrough of a service provider's data center if the service provider is a Level 1 validated service provider (such as AWS). A merchant's QSA can rely on the work performed by our QSA, which included an extensive review of the physical security of our data centers.
Q: Will AWS cooperate with forensic investigations if required?
A: Yes. AWS is classified as a shared hosting provider and as specified in DSS requirement A.1.4 has written policies that provide for a timely forensics investigation of related servers in the event of a compromise. AWS will work with merchants and designated Qualified Incident Response Assessors (QIRA) as required to perform forensic investigations. AWS also meets all breach notification requirements as applicable to AWS.
PCI basis: "For those entities that outsource storage, processing, or transmission of cardholder data to third-party service providers, the Report on Compliance (ROC) must document the role of each service provider, clearly identifying which requirements apply to the assessed entity and which apply to the service provider. There are two options for third-party service providers to validate compliance: 1) They can undergo a PCI DSS assessment on their own and provide evidence to their customers to demonstrate their compliance; or 2) If they do not undergo their own PCI DSS assessment, they will need to have their services reviewed during the course of each of their customers' PCI DSS assessments. See the bullet beginning "For managed service provider (MSP) reviews," in Item 3, "Details about Reviewed Environment," in the "Instructions and Content for Report on Compliance" section, below, for more information.
Additionally, merchants and service providers must manage and monitor the PCI DSS compliance of all associated third-party service providers with access to cardholder data. Refer to Requirement 12.8 in this document for details."
PCI SSC virtualization guidance: "In addition to the challenges of defining scope and assigning responsibilities across a shared infrastructure, the inherent characteristics of many cloud environments present additional barriers to achieving PCI DSS compliance. Some of these characteristics include:
The distributed architectures of cloud environments add layers of technology and complexity to the environment.
Public cloud environments are designed to be public-facing, to allow access into the environment from anywhere on the Internet.
The infrastructure is by nature dynamic, and boundaries between tenant environments can be fluid.
The hosted entity has limited or no visibility into the underlying infrastructure and related security controls.
The hosted entity has limited or no oversight or control over cardholder data storage.
The hosted entity has no knowledge of "who" they are sharing resources with, or the potential risks their hosted neighbors may be introducing to the host system, data stores, or other resources shared across a multi-tenant environment"
"In a public cloud environment, additional controls must be implemented to compensate for the inherent risks and lack of visibility into the public cloud architecture. A public cloud environment could, for example, host hostile out-of-scope workloads on the same virtualization infrastructure as a cardholder data environment. More stringent preventive, detective, and corrective controls are required to offset the additional risk that a public cloud, or similar environment, could introduce to an entity's CDE. These challenges may make it impossible for some cloud-based services to operate in a PCI DSS compliant manner.
Consequently, the burden for providing proof of PCI DSS compliance for a cloud-based service falls heavily on the cloud provider, and such proof should be accepted only based on rigorous evidence of adequate controls. As with all hosted services in scope for PCI DSS, the hosted entity should request sufficient assurance from their cloud provider that the scope of the provider's PCI DSS review is sufficient, and that all controls relevant to the hosted entity's environment have been assessed and determined to be PCI DSS compliant. The cloud provider should be prepared to provide their hosted customers with evidence that clearly indicates what was included in the scope of their PCI DSS assessment as well as what was not in scope; details of controls that were not covered and are therefore the customer's responsibility to cover in their own PCI DSS assessment; details of which PCI DSS requirements were reviewed and considered to be "in place" and "not in place"; and confirmation of when the assessment was conducted. Any aspects of the cloud-based service not covered by the cloud provider's PCI DSS review should be identified and documented in a written agreement. The hosted entity should be fully aware of any and all aspects of the cloud service, including specific system components and security controls, which are not covered by the provider and are therefore the entity's responsibility to manage and assess."