Presentation Pci-dss compliance on the cloud


Transcript of Presentation Pci-dss compliance on the cloud

Page 1: Presentation Pci-dss compliance on the cloud

PCI-DSS COMPLIANCE ON THE CLOUD

HOW TO OUTSOURCE PAYMENT DATA STORAGE ON THE CLOUD :

E-COMMERCE & M-COMMERCE

By Mr EL ALLOUSSI@halloussi

Dubai, December 2013

Page 2: Presentation Pci-dss compliance on the cloud

Summary

1. Cloud Computing: Definitions
2. e-commerce/m-commerce: An overview
3. The Payment Card Industry Data Security Standard (PCI DSS)
4. PCI DSS on Cloud: New challenges

Page 3: Presentation Pci-dss compliance on the cloud

Cloud Computing : Definitions

Page 4: Presentation Pci-dss compliance on the cloud

Definition of Cloud Computing (NIST)

A service which:
Maintains a pool of hardware resources to maximize service and minimize cost
Resource efficiency permits hardware refresh and migration of customer workloads

Page 5: Presentation Pci-dss compliance on the cloud

5 Essential Cloud Characteristics

1. On-demand self-service
2. Broad network access
3. Resource pooling (location independence)
4. Rapid elasticity
5. Measured service

Page 6: Presentation Pci-dss compliance on the cloud

3 Cloud Service Models

1. Cloud Software as a Service (SaaS): use the provider’s applications over a network

2. Cloud Platform as a Service (PaaS): deploy customer-created applications to a cloud

3. Cloud Infrastructure as a Service (IaaS): rent processing, storage, network capacity, and other fundamental computing resources

Page 7: Presentation Pci-dss compliance on the cloud

4 Cloud Deployment Models

Private cloud: enterprise owned or leased

Community cloud: shared infrastructure for a specific community

Public cloud: sold to the public, mega-scale infrastructure

Hybrid cloud: composition of two or more clouds

Page 8: Presentation Pci-dss compliance on the cloud

e-commerce/m-commerce: An overview

Page 9: Presentation Pci-dss compliance on the cloud

Definition of e-commerce/m-commerce

E-commerce or electronic commerce is the buying and selling of products or services via the web, the Internet or other computer networks. M-commerce or mobile commerce is the buying of products or services via a mobile device such as a smartphone or PDA.

Page 10: Presentation Pci-dss compliance on the cloud

Type of e-Commerce

Business to Consumer (B2C): this is where the seller is a business organization and the buyer is a consumer.

Business to Business (B2B): this is where the seller and the buyer are both a business organization.

Consumer to Consumer (C2C): this is where the seller is a consumer and the buyer is a consumer.

Consumer to Business (C2B): this is where the consumer names a price they are willing to pay for a requirement, and business organizations decide whether to meet the requirement for that price. As this is consumer driven rather than seller driven, it is a C2B model.

Page 11: Presentation Pci-dss compliance on the cloud

Card payment: The stakeholders

Card holder: a person holding a payment card (the consumer in B2C).

Merchant: the business organization selling the goods and services (The merchant sets up a contract known as a merchant account with an acquirer).

Service provider: this could be the merchant itself (Merchant service provider (MSP)) or an independent sales organization providing some or all of the payment services for the merchant.

Acquirer or acquiring bank: this connects to a card brand network for payment processing and also has a contract for payment services with a merchant.

Issuing bank: this entity issues the payment cards to the payment card holders.

Card brand: this is a payment system (called association network) with its own processors and acquirers (such as Visa, MasterCard or CMI card in Morocco).

Page 12: Presentation Pci-dss compliance on the cloud

The Payment Card Industry Data Security Standard (PCI DSS)

Page 13: Presentation Pci-dss compliance on the cloud

Why is PCI Here?

Criminals need money. Credit cards = MONEY.

Where are the most cards? In computers.

Data theft grows and reaches HUGE volume.

Some organizations still don’t care… especially if the loss is not theirs.

PAYMENT CARD BRANDS ENFORCE DSS!

Page 14: Presentation Pci-dss compliance on the cloud

PCI DSS requirements

Activities describing the requirements:

Build and maintain a secure network.
1. Install and maintain a firewall configuration to protect data; this includes a firewall on the client.
2. Do not use vendor-supplied defaults for system passwords and other security parameters.

Protect cardholder data.
3. Protect stored cardholder data.
4. Encrypt transmission of cardholder data and sensitive information across open, public networks.

Maintain a vulnerability management program.
5. Use and regularly update antivirus software.
6. Develop and maintain secure systems and applications.

Implement strong access control measures.
7. Restrict access to data by business need-to-know.
8. Assign a unique ID to each person with computer access.
9. Restrict physical access to cardholder data.

Regularly monitor and test networks.
10. Track and monitor all access to network resources and cardholder data.
11. Regularly test security systems and processes.

Maintain an information security policy.
12. Maintain a policy that addresses information security.

Page 15: Presentation Pci-dss compliance on the cloud

EXAMPLE


Page 16: Presentation Pci-dss compliance on the cloud

PCI DSS on Cloud: New challenges

Page 17: Presentation Pci-dss compliance on the cloud

PCI DSS Cloud Computing Guidelines (2013)

The responsibilities delineated between the client and the Cloud Service Provider (CSP) for managing PCI DSS controls are influenced by a number of variables, including:

The purpose for which the client is using the cloud service
The scope of PCI DSS requirements that the client is outsourcing to the CSP
The services and system components that the CSP has validated within its own operations
The service option that the client has selected to engage the CSP (IaaS, PaaS or SaaS)
The scope of any additional services the CSP is providing to proactively manage the client’s compliance (for example, additional managed security services)

Page 18: Presentation Pci-dss compliance on the cloud

PCI DSS Cloud Computing Guidelines (2013)

Define Responsibilities such as in the following example:

Page 19: Presentation Pci-dss compliance on the cloud

PCI DSS Cloud Computing Guidelines (2013)

Define Responsibilities such as in the following example:

Page 20: Presentation Pci-dss compliance on the cloud

CSA Cloud Controls Matrix

Controls derived from guidance

Mapped to familiar frameworks: ISO 27001, COBIT, PCI, HIPAA

Rated as applicable to SaaS/PaaS/IaaS

Customer vs Provider role

Help bridge the “cloud gap” for IT & IT auditors

https://cloudsecurityalliance.org/research/projects/cloud-controls-matrix-ccm/

Page 21: Presentation Pci-dss compliance on the cloud

CSA Cloud Controls Matrix

The Cloud Security Alliance Cloud Controls Matrix (CCM) provides a controls framework in 13 domains aligned with industry-accepted security standards, regulations, and controls frameworks such as:

ISO 27001/27002, ISACA COBIT, PCI DSS, NIST, BITS, GAPP, HIPAA/HITECH, Jericho Forum, NERC CIP

Page 22: Presentation Pci-dss compliance on the cloud

CSA Cloud Controls Matrix

Cloud Controls Matrix domains include:

Compliance
Data Governance
Facility Security
Human Resource Security
Information Security
Legal
Operations Management
Risk Management
Release Management
Resiliency
Security Architecture

Page 23: Presentation Pci-dss compliance on the cloud

Example: Requirement 12.8

Q: Does PCI DSS apply to merchants who use payment gateways to process transactions on their behalf, and thus never store, process or transmit cardholder data?

A: PCI DSS requirements are applicable if a Primary Account Number (PAN) is stored, processed, or transmitted. If PAN is not stored, processed, or transmitted, PCI DSS requirements do not apply.

… however …

Page 24: Presentation Pci-dss compliance on the cloud

Example: Requirement 12.8

“If the merchant shares cardholder data with a … service provider, the merchant must ensure that

there is an agreement with that …service provider that includes their acknowledgement

that the third party processor/service provider is responsible for the security of

the cardholder data it possesses.

In lieu of a direct agreement, the merchant must obtain evidence of the … provider's

compliance with PCI DSS via other means, such as via a letter of attestation.”


Page 25: Presentation Pci-dss compliance on the cloud

Example: Amazon / Requirement 9

Q: “Do QSAs for Level 1 merchants require a physical walkthrough of a service provider’s data center?

A: No. A merchant can obtain certification without a physical walkthrough of a service provider’s data center if the service provider is a Level 1 validated service provider (such as AWS). A merchant’s QSA can rely on the work performed by our QSA, which included an extensive review of the physical security of our data centers.”

Page 26: Presentation Pci-dss compliance on the cloud

PCI SSC on Cloud Challenges

“The distributed architectures of cloud environments add layers of technology and complexity to the environment.

Public cloud environments are designed to be public-facing, to allow access into the environment from anywhere on the Internet.

The infrastructure is by nature dynamic, and boundaries between tenant environments can be fluid.

The hosted entity has limited or no visibility into the underlying infrastructure and related security controls.

The hosted entity has limited or no oversight or control over cardholder data storage.

The hosted entity has no knowledge of “who” they are sharing resources with, or the potential risks their hosted neighbors may be introducing to the host system, data stores, or other resources shared across a multi-tenant environment”

Page 27: Presentation Pci-dss compliance on the cloud

Questions?

THANK YOU

@halloussi

fr.slideshare.net/alloussi