PCI DSS

Protecting PCI DSS Governed Data in the Cloud

Sector-specific data protection and security requirements exist in many countries. In retail, for example, the Payment Card Industry Data Security Standard (PCI DSS) specifies the steps that organizations storing and processing payment card details need to take to secure and protect sensitive information. PerspecSys’ Cloud Data Protection Gateway is used by leading organizations to achieve PCI DSS compliance while moving to the cloud.

PCI Data Security Standards (PCI DSS) are technical and operational requirements set by the PCI Security Standards Council (PCI SSC) to protect cardholder data. The Council is responsible for managing the security standards, while the payment card brands enforce compliance. The standards apply to all organizations that store, process or transmit cardholder data – with guidance for software developers and manufacturers of applications and devices used in those transactions.

All merchants that accept payment cards are required to be compliant with PCI DSS. The PCI DSS requirements (available at https://www.pcisecuritystandards.org/) consist of common-sense steps that mirror security best practices.

Related Guidance for the PCI Data Security Standard

Build and Maintain a Secure Network

Requirement 1:   Install and maintain a firewall configuration to protect cardholder data
Requirement 2:   Do not use vendor-supplied defaults for system passwords and other security parameters

Protect Cardholder Data

Requirement 3:   Protect stored cardholder data
Requirement 4:   Encrypt transmission of cardholder data across open, public networks

Maintain a Vulnerability Management Program

Requirement 5:   Use and regularly update anti-virus software
Requirement 6:   Develop and maintain secure systems and applications

Implement Strong Access Control Measures

Requirement 7:   Restrict access to cardholder data by business need-to-know
Requirement 8:   Assign a unique ID to each person with computer access
Requirement 9:   Restrict physical access to cardholder data

Regularly Monitor and Test Networks

Requirement 10:  Track and monitor all access to network resources and cardholder data
Requirement 11:  Regularly test security systems and processes

Maintain an Information Security Policy

Requirement 12:  Maintain a policy that addresses information security

Requirements 3 and 4 of the PCI DSS specify that cardholder data, including the Primary Account Number (PAN), cardholder name, and expiration date, needs to be protected while it is stored (data “at rest”) and while it is transmitted across public networks (data “in flight”). When cardholder data is stored and processed in the cloud, companies need to ensure they are taking the proper steps to maintain compliance, which can be an extremely complex task.

Adding to the complexity of PCI cloud compliance is the fact that the latest version of PCI DSS does not provide detailed guidance on virtualization, which introduces the notions of multi-tenancy and shared responsibility. PerspecSys’ Cloud Data Protection Gateway is designed to help enterprises in this situation. Because the gateway enables companies to keep their sensitive cardholder information on-premise, they do not need to be concerned about the additional PCI compliance exposure introduced by the cloud: the card-related information that is stored and processed in the cloud is either encrypted or tokenized, and is therefore undecipherable and unusable if it is ever breached.
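To make the tokenization path concrete, the following is an added example (not PerspecSys code) of an on-premise token vault sitting on the outbound path: the real PAN never leaves the vault, the cloud record carries a random token that keeps only the last four digits so the SaaS application can still search and report on it, and tokens are deliberately chosen to fail the Luhn check so none can be mistaken for a live card number. All names (`TokenVault`, `outbound`, `CARD_FIELDS`) are hypothetical, and the PAN is a constructed test value.

```python
import secrets

# Constructed example of the tokenize-before-cloud step described above.
# Hypothetical design; not the gateway's own code.

def luhn_valid(pan: str) -> bool:
    """Standard Luhn check, used to recognise a PAN before tokenizing it."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0

class TokenVault:
    """Holds cleartext PANs on-premise; only tokens ever leave the network."""
    def __init__(self) -> None:
        self._pan_for_token = {}
        self._token_for_pan = {}

    def tokenize(self, pan: str) -> str:
        if not (pan.isdigit() and 13 <= len(pan) <= 19 and luhn_valid(pan)):
            raise ValueError("not a PAN")
        if pan in self._token_for_pan:      # stable token, so cloud-side search still matches
            return self._token_for_pan[pan]
        while True:
            # Random digits plus the real last four, so "card ending in 1111" still displays.
            token = "".join(str(secrets.randbelow(10)) for _ in range(len(pan) - 4)) + pan[-4:]
            # Reject any token that passes Luhn: a token must never look like a real PAN.
            if token not in self._pan_for_token and not luhn_valid(token):
                break
        self._pan_for_token[token] = pan
        self._token_for_pan[pan] = token
        return token

    def detokenize(self, token: str) -> str:
        """Reverse lookup exists only inside the network; the cloud side has no mapping."""
        return self._pan_for_token[token]

CARD_FIELDS = ("pan",)   # fields the gateway policy marks as cardholder data

def outbound(record: dict, vault: TokenVault) -> dict:
    """Gateway outbound path: swap card fields for tokens before the record reaches the cloud."""
    cloud_record = dict(record)
    for field in CARD_FIELDS:
        if field in cloud_record:
            cloud_record[field] = vault.tokenize(cloud_record[field])
    return cloud_record
```

Note that a breach of the cloud record yields only the token and the last four digits; recovering the PAN requires the on-premise vault, which is exactly what keeps the cloud application out of the cardholder-data scope the page describes.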

Only PerspecSys Can Deliver:

  • Cloud Data Protection – No data is shared in “the clear” outside of your network control; data is secured with field-level control based on user defined tokenization or encryption options.
  • Tokenization and Industry Approved “Strong Encryption” – Organizations can select from an array of included tokenization or encryption options or utilize their own encryption approaches.
  • Full SaaS Application Functionality – Users have complete access to the features and functions of the SaaS application such as searching, reporting, and e-mailing.
  • Simple Configuration and Deployment – Administrative dashboard allows companies to easily configure their data protection policies and adapters provide connections with popular Cloud-based applications.
  • Flexibility – The solution is designed to fit with the way organizations want to do business. For example, the Cloud Data Protection Gateway can be deployed in a variety of architectural configurations to meet an organization’s specific security needs.

Learn more about the PerspecSys Cloud Data Protection Gateway by visiting our Resource Center.

Tokenization can be implemented in isolation or in concert with data field encryption to help merchants eliminate the need to store sensitive cardholder data after authorization. Entities that properly implement and execute a tokenization process to support their payment functions may be able to reduce the scope, risks and costs associated with ongoing compliance with the Payment Card Industry Data Security Standards (PCI DSS).
- Visa, Inc.

Copyright © 2013 PerspecSys Inc.