Protecting PCI DSS Governed Data in the Cloud
Sector-specific data protection and security requirements exist in many countries. In retail, for example, the Payment Card Industry Data Security Standard (PCI DSS) specifies the steps that organizations storing and processing payment card details must take to secure and protect sensitive information. PerspecSys’ Cloud Data Protection Gateway is used by leading organizations to achieve PCI DSS compliance while moving to the cloud.
The PCI Data Security Standard (PCI DSS) is a set of technical and operational requirements defined by the PCI Security Standards Council (PCI SSC) to protect cardholder data. The Council manages the standard, while the payment card brands enforce compliance. The standard applies to all organizations that store, process or transmit cardholder data, with additional guidance for software developers and manufacturers of the applications and devices used in those transactions.
All merchants that accept payment cards are required to comply with PCI DSS. The requirements (available at https://www.pcisecuritystandards.org/) consist of common-sense steps that mirror security best practices.
Related Guidance for the PCI Data Security Standard
Build and Maintain a Secure Network
Requirement 1: Install and maintain a firewall configuration to protect cardholder data
Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters
Protect Cardholder Data
Requirement 3: Protect stored cardholder data
Requirement 4: Encrypt transmission of cardholder data across open, public networks
Maintain a Vulnerability Management Program
Requirement 5: Use and regularly update anti-virus software
Requirement 6: Develop and maintain secure systems and applications
Implement Strong Access Control Measures
Requirement 7: Restrict access to cardholder data by business need-to-know
Requirement 8: Assign a unique ID to each person with computer access
Requirement 9: Restrict physical access to cardholder data
Regularly Monitor and Test Networks
Requirement 10: Track and monitor all access to network resources and cardholder data
Requirement 11: Regularly test security systems and processes
Maintain an Information Security Policy
Requirement 12: Maintain a policy that addresses information security
Requirements 3 and 4 of PCI DSS specify that cardholder data, including the Primary Account Number (PAN), cardholder name and expiration date, must be protected while it is stored (data “at rest”) and while it is transmitted across public networks (data “in transit”). Requirement 3 is specific about the PAN: wherever it is stored it must be rendered unreadable (by truncation, one-way hashing, index tokens with a securely stored lookup table, or strong cryptography with proper key management), and sensitive authentication data such as the full magnetic stripe, CVV2 and PIN must never be stored after authorization, even in encrypted form. When cardholder data is stored and processed in the cloud, companies need to ensure they are taking the proper steps to maintain compliance, which can be an extremely complex task.
Adding to the complexity of PCI cloud compliance is the fact that the PCI DSS itself does not provide detailed guidance on virtualization, where the notions of multi-tenancy and shared responsibility are introduced. PerspecSys’ Cloud Data Protection Gateway is designed to help enterprises in this situation. Because the gateway lets companies keep their sensitive cardholder information on-premises, they do not have to absorb the additional PCI compliance exposure that the cloud introduces: the card-related information that is stored and processed in the cloud is either encrypted or tokenized, and is therefore undecipherable and unusable if it is ever breached. The scope reduction depends on the tokens and ciphertext being irreversible without something that never leaves the customer network, so the gateway, the token vault and the encryption keys remain in PCI DSS scope and must be protected accordingly; what leaves scope is the SaaS environment that only ever sees protected values.
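The field-level tokenization that such a gateway performs, shown as an added example (this is illustrative code, not PerspecSys’ product code). It assumes an on-premises vault, modelled here as an in-memory dictionary, that maps PANs to tokens and back. Outbound records are scanned for Luhn-valid card numbers, which are swapped for tokens that keep the PAN length and last four digits (so SaaS-side display and search on “last 4” keep working) but are deliberately Luhn-invalid so they can never be mistaken for real PANs; inbound records have the tokens swapped back. The record and field names are constructed for the demonstration.

```python
"""Field-level PAN tokenization at a cloud data protection gateway.

Added example, not PerspecSys code. The TokenVault stands in for an
on-premises vault (assumption: a real deployment backs it with a hardened,
access-controlled database). The SaaS side only ever receives tokens.
"""
import re
import secrets

# Candidate PAN: 13-19 digits, optionally separated by single spaces/hyphens,
# not embedded in a longer digit run.
PAN_CANDIDATE_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# Bare 13-19 digit run; tokens always come back to the gateway in this form.
TOKEN_RE = re.compile(r"(?<!\d)\d{13,19}(?!\d)")


def luhn_valid(digits):
    """True if the digit string passes the Luhn (mod 10) check used by PANs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(text):
    """Return normalized (digits-only) Luhn-valid card numbers found in text.

    The Luhn check keeps order numbers and other 16-digit identifiers
    from being tokenized by mistake."""
    found = []
    for m in PAN_CANDIDATE_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_valid(digits):
            found.append(digits)
    return found


class TokenVault:
    """On-premises PAN <-> token store (in-memory here by assumption).

    Tokenization is consistent: the same PAN always yields the same token,
    which preserves equality search and reporting in the cloud application."""

    def __init__(self):
        self._pan_to_token = {}
        self._token_to_pan = {}

    def tokenize(self, pan):
        if pan in self._pan_to_token:
            return self._pan_to_token[pan]
        while True:
            body = "".join(str(secrets.randbelow(10)) for _ in range(len(pan) - 4))
            token = body + pan[-4:]        # keep length and last four digits
            # Reject Luhn-valid candidates so a token is never a plausible PAN.
            if not luhn_valid(token) and token not in self._token_to_pan:
                break
        self._pan_to_token[pan] = token
        self._token_to_pan[token] = pan
        return token

    def detokenize(self, token):
        """Return the PAN for a token, or None if the value is not a token."""
        return self._token_to_pan.get(token)


def protect_record(record, vault):
    """Outbound: replace every Luhn-valid PAN in every string field with its
    token before the record leaves the network. Non-string fields pass through."""
    out = {}
    for key, value in record.items():
        if isinstance(value, str):
            for pan in set(find_pans(value)):
                token = vault.tokenize(pan)
                value = PAN_CANDIDATE_RE.sub(
                    lambda m: token if re.sub(r"[ -]", "", m.group(0)) == pan else m.group(0),
                    value,
                )
        out[key] = value
    return out


def restore_record(record, vault):
    """Inbound: swap tokens back to PANs for consumers inside the network."""
    out = {}
    for key, value in record.items():
        if isinstance(value, str):
            value = TOKEN_RE.sub(lambda m: vault.detokenize(m.group(0)) or m.group(0), value)
        out[key] = value
    return out


if __name__ == "__main__":
    vault = TokenVault()
    # Constructed sample record; 4111111111111111 is a well-known test PAN.
    record = {
        "cardholder": "Jane Example",
        "card_number": "4111111111111111",
        "order_id": "1234567890123456",            # Luhn-invalid: left alone
        "notes": "retry card 4111-1111-1111-1111 tomorrow",
    }
    cloud_copy = protect_record(record, vault)
    print("sent to cloud:", cloud_copy)
    print("restored on-premises:", restore_record(cloud_copy, vault))
```

The free-text scan matters in practice: agents paste card numbers into notes and e-mail fields, and a gateway that only tokenizes the designated card-number field would leak them to the SaaS provider and pull it back into scope.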
Only PerspecSys Can Deliver:
- Cloud Data Protection – No data is shared in “the clear” outside of your network control; data is secured with field-level control based on user-defined tokenization or encryption options.
- Tokenization and Industry Approved “Strong Encryption” – Organizations can select from an array of included tokenization or encryption options or utilize their own encryption approaches.
- Full SaaS Application Functionality – Users have complete access to the features and functions of the SaaS application such as searching, reporting, and e-mailing.
- Simple Configuration and Deployment – Administrative dashboard allows companies to easily configure their data protection policies and adapters provide connections with popular Cloud-based applications.
- Flexibility – The solution is designed to fit with the way organizations want to do business. For example, the Cloud Data Protection Gateway can be deployed in a variety of architectural configurations to meet an organization’s specific security needs.
Learn more about the PerspecSys Cloud Data Protection Gateway by visiting our Resource Center.