
Achieving PCI DSS Compliance for Cloud Infrastructure

Introduction

In today's digital environment, protecting cardholder data is critical. If your organization stores, processes, or transmits cardholder data or sensitive authentication data (fintech companies included), the Payment Card Industry Data Security Standard (PCI DSS) applies to you. PCI DSS version 3.2.1 was released in May 2018.

PCI DSS compliance can feel overwhelming for decision makers. On this page, we break down the complexities of PCI DSS compliance: what it is, why it matters for organizations to be PCI DSS compliant, and which PCI DSS requirements organizations running in the cloud should be most concerned with.

What is PCI DSS?

PCI DSS is a compliance standard for protecting payment cardholder data. Its overarching goal is a robust security process for payment card data that covers prevention, detection, and response to security incidents.


Why is PCI DSS Compliance Important?

Before we discuss PCI compliance standards in more depth, it's worth noting that payment cards are getting more secure every day as new rules and technologies roll out. Even so, the biggest brands remain at risk of large data breaches involving payment card data.

Payment security is paramount. If a bad actor gains access to cardholder data and leaks it to the internet, the repercussions for an organization that has not met the PCI DSS standard include:

  • Steep fines for PCI DSS compliance violations
  • Financial losses
  • Reputational damage
  • Lawsuits
  • Fraud and identity theft against the customers whose card data was exposed

PCI DSS Requirements for Compliance in the Cloud

Of the 12 requirements grouped under 6 goals in the PCI DSS standard, the ones listed below are the most relevant for compliance analysts working in the cloud.


Build and Maintain a Secure Network and Systems

If a payment system network is not secured, malicious individuals can access it and steal cardholder data and sensitive authentication data.

Requirement 1: Install and maintain a firewall configuration to protect cardholder data

Firewalls are the first line of defense in protecting cardholder data. They should protect all systems in the cardholder data environment from unauthorized access from untrusted networks. In the cloud this requirement is implemented mainly through AWS VPCs and security groups, Azure virtual networks and network security groups, and Google Cloud VPCs and firewall rules.
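As an added example (not code from the original page), the check a compliance analyst would run against AWS security groups for Requirement 1: find every ingress rule that is open to the whole Internet (0.0.0.0/0 or ::/0) on a port other than the ones a public-facing tier legitimately exposes. The input below is constructed in the shape of `aws ec2 describe-security-groups` output; the group IDs, names and rules are made up, and the allowed-port set is an assumption you would tune per tier.

```python
import ipaddress

# Constructed sample in the shape of `aws ec2 describe-security-groups`
# (group IDs, names and rules are invented for this example).
SECURITY_GROUPS = [
    {
        "GroupId": "sg-0a1b2c3d4e5f60001",
        "GroupName": "web-tier",
        "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
            # SSH open to the world: the classic finding.
            {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
        ],
    },
    {
        "GroupId": "sg-0a1b2c3d4e5f60002",
        "GroupName": "db-tier",
        "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
             "IpRanges": [{"CidrIp": "10.0.1.0/24"}], "Ipv6Ranges": []},
            # "-1" means all protocols and all ports.
            {"IpProtocol": "-1",
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}],
             "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
        ],
    },
]

# Assumption: only HTTP/HTTPS may be reachable from untrusted networks.
ALLOWED_PUBLIC_PORTS = {80, 443}


def is_world_open(rule):
    """True if any IPv4 or IPv6 range in the rule has a zero-length prefix."""
    cidrs = [r["CidrIp"] for r in rule.get("IpRanges", [])]
    cidrs += [r["CidrIpv6"] for r in rule.get("Ipv6Ranges", [])]
    return any(ipaddress.ip_network(c, strict=False).prefixlen == 0 for c in cidrs)


def rule_ports(rule):
    """Inclusive (low, high) port range covered by the rule."""
    if rule["IpProtocol"] == "-1":
        return 0, 65535
    return rule.get("FromPort", 0), rule.get("ToPort", 65535)


def audit_security_groups(groups, allowed_public_ports=ALLOWED_PUBLIC_PORTS):
    """Return one finding per world-open rule that reaches a non-allowed port."""
    findings = []
    for sg in groups:
        for rule in sg["IpPermissions"]:
            if not is_world_open(rule):
                continue
            lo, hi = rule_ports(rule)
            exposed = set(range(lo, hi + 1)) - allowed_public_ports
            if exposed:
                findings.append({
                    "GroupId": sg["GroupId"],
                    "GroupName": sg["GroupName"],
                    "Protocol": rule["IpProtocol"],
                    "PortRange": f"{lo}-{hi}",
                    "Reason": "unrestricted ingress outside the allowed public ports",
                })
    return findings


if __name__ == "__main__":
    for f in audit_security_groups(SECURITY_GROUPS):
        print(f"{f['GroupId']} ({f['GroupName']}): {f['Protocol']} {f['PortRange']} - {f['Reason']}")
```

On the sample data this flags the SSH rule on `web-tier` and the all-protocols rule on `db-tier`, and leaves the HTTPS rule alone. Against a real account you would feed it the JSON from the CLI or `boto3` and run it per VPC, since a security group is only as exposed as the subnets and route tables in front of it.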

Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters

Failing to change default security parameters on deployment is like leaving your store unlocked when you go home for the night. In AWS, this requirement is relevant to resources that can be configured to enforce secure communications, such as ELB listeners, S3 bucket policies, and SQS policies. In Azure, it applies to resources such as PostgreSQL database servers and App Service web apps. In Google Cloud, it applies to resources such as load balancers and SQL database instances.

Protect Cardholder Data

Preventing malicious individuals from accessing sensitive payment information is one of the most important parts of PCI compliance. A compromised payment card hurts not only the customer but also your business.

Requirement 3: Protect stored cardholder data

One way to protect cardholder data is to ensure that its storage and retention are limited. PCI suggests a good rule of thumb: "Remember, if you don't need it, don't store it!"

Requirement 4: Encrypt transmission of cardholder data across open, public networks

Another way of protecting cardholder data is to encrypt it in transit. Malicious individuals can intercept or divert cardholder data sent over open networks, so organizations should protect it with strong cryptography (for example, TLS) so that intercepted traffic is unreadable.

Implement Strong Access Control Measures

Requirement 7: Restrict access to cardholder data by business need-to-know

The more people who have access to cardholder data, the higher the risk of a breach. Access should be granted on a need-to-know basis so that the data can only be reached by authorized personnel.

Requirement 8: Assign a unique ID to each person with computer access

Each person with access to system components should be assigned a unique ID to ensure actions on critical data are only performed by authorized users. A secure password policy is imperative.
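Requirement 8 turns into concrete account settings in the cloud. The added example below (not code from the original page) checks an AWS IAM account password policy against the password parameters PCI DSS v3.2.1 spells out: at least seven characters with both numeric and alphabetic characters (8.2.3), rotation at least every 90 days (8.2.4), and no reuse of the last four passwords (8.2.5). The two policy records are constructed in the shape of the `PasswordPolicy` field returned by IAM's GetAccountPasswordPolicy; the field names are the real IAM ones, the values are invented.

```python
# PCI DSS v3.2.1 password parameters.
PCI_MIN_LENGTH = 7        # 8.2.3
PCI_MAX_AGE_DAYS = 90     # 8.2.4
PCI_REUSE_HISTORY = 4     # 8.2.5

# Constructed samples in the shape of IAM GetAccountPasswordPolicy -> PasswordPolicy.
WEAK_POLICY = {
    "MinimumPasswordLength": 6,
    "RequireSymbols": False,
    "RequireNumbers": False,
    "RequireUppercaseCharacters": False,
    "RequireLowercaseCharacters": True,
    "AllowUsersToChangePassword": True,
    "ExpirePasswords": False,
    # MaxPasswordAge and PasswordReusePrevention are absent when not set.
}

COMPLIANT_POLICY = {
    "MinimumPasswordLength": 14,
    "RequireSymbols": True,
    "RequireNumbers": True,
    "RequireUppercaseCharacters": True,
    "RequireLowercaseCharacters": True,
    "AllowUsersToChangePassword": True,
    "ExpirePasswords": True,
    "MaxPasswordAge": 90,
    "PasswordReusePrevention": 24,
}


def check_password_policy(policy):
    """Return a list of PCI DSS v3.2.1 failures; an empty list means the policy passes."""
    failures = []

    if policy.get("MinimumPasswordLength", 0) < PCI_MIN_LENGTH:
        failures.append(f"8.2.3: minimum length below {PCI_MIN_LENGTH} characters")
    if not policy.get("RequireNumbers", False):
        failures.append("8.2.3: numeric characters not required")
    if not (policy.get("RequireUppercaseCharacters", False)
            or policy.get("RequireLowercaseCharacters", False)):
        failures.append("8.2.3: alphabetic characters not required")

    # IAM only enforces an age when ExpirePasswords is true and MaxPasswordAge is set.
    max_age = policy.get("MaxPasswordAge") if policy.get("ExpirePasswords") else None
    if max_age is None or max_age > PCI_MAX_AGE_DAYS:
        failures.append(f"8.2.4: passwords not rotated at least every {PCI_MAX_AGE_DAYS} days")

    if policy.get("PasswordReusePrevention", 0) < PCI_REUSE_HISTORY:
        failures.append(f"8.2.5: fewer than the last {PCI_REUSE_HISTORY} passwords remembered")

    return failures


if __name__ == "__main__":
    for name, policy in (("weak", WEAK_POLICY), ("compliant", COMPLIANT_POLICY)):
        result = check_password_policy(policy)
        print(name, "->", result or "PASS")
```

One caveat a practitioner should keep in mind: the IAM account password policy has no lockout settings, so the lockout parts of Requirement 8 (8.1.6, lock out after no more than six failed attempts; 8.1.7, lockout of at least 30 minutes) have to be evidenced elsewhere, for example through the identity provider that federates into the account. The same applies to the requirement that every person has a unique ID: this script checks password strength, not whether shared users exist.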

Regularly Monitor and Test Networks

Malicious actors can exploit holes in a network to access payment card applications and cardholder data, so organizations must regularly monitor networks to identify and correct vulnerabilities.

Requirement 10: Track and monitor all access to network resources and cardholder data

It's extremely challenging to find the cause of compromised data without system activity logs. Logging mechanisms are crucial to detecting and investigating security incidents because they allow thorough tracking and analysis when an incident occurs. For this reason, AWS CloudTrail trails, Azure Monitor log profiles, and Google Cloud logging metric filters and alerts are important to Requirement 10.
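As an added example for Requirement 10 (not code from the original page), here is the kind of two-part check an analyst runs on AWS: first, that CloudTrail is configured so the audit trail is complete and tamper-evident (an active multi-region trail, log file validation on, log files encrypted with a KMS key, and delivery to CloudWatch Logs so metric filters and alarms can be built on it); second, a small detection pass over CloudTrail events that flags the security-relevant actions those metric filters usually watch for. The trail records merge fields from `describe-trails` and `get-trail-status` and are constructed; the events are constructed in the shape of CloudTrail's JSON event records. The ARNs and names are invented, and the set of alerted event names is an assumption to extend for your environment.

```python
# Constructed trail records: fields from `aws cloudtrail describe-trails`
# plus IsLogging from `aws cloudtrail get-trail-status` (values invented).
TRAILS = [
    {
        "Name": "management-events",
        "IsMultiRegionTrail": True,
        "LogFileValidationEnabled": True,
        "KmsKeyId": "arn:aws:kms:us-east-1:111122223333:key/00000000-0000-0000-0000-000000000000",
        "CloudWatchLogsLogGroupArn": "arn:aws:logs:us-east-1:111122223333:log-group:cloudtrail:*",
        "IsLogging": True,
    },
    {
        "Name": "legacy-trail",
        "IsMultiRegionTrail": False,
        "LogFileValidationEnabled": False,
        "IsLogging": False,
    },
]

# Constructed CloudTrail events (only the fields the detection needs).
EVENTS = [
    {"eventName": "DescribeInstances", "eventSource": "ec2.amazonaws.com",
     "userIdentity": {"type": "IAMUser", "userName": "analyst"}},
    {"eventName": "AuthorizeSecurityGroupIngress", "eventSource": "ec2.amazonaws.com",
     "userIdentity": {"type": "IAMUser", "userName": "deployer"}},
    {"eventName": "ConsoleLogin", "eventSource": "signin.amazonaws.com",
     "userIdentity": {"type": "IAMUser", "userName": "finance-ops"},
     "additionalEventData": {"MFAUsed": "No"}},
    {"eventName": "StopLogging", "eventSource": "cloudtrail.amazonaws.com",
     "userIdentity": {"type": "Root"}},
]

# Assumption: actions that should page someone when they occur in the CDE account.
ALERT_EVENT_NAMES = {
    "AuthorizeSecurityGroupIngress", "AuthorizeSecurityGroupEgress",
    "RevokeSecurityGroupIngress", "RevokeSecurityGroupEgress",
    "StopLogging", "DeleteTrail", "UpdateTrail",
}


def audit_trails(trails):
    """Return {trail_name: [findings]} plus an "account" key for account-wide findings."""
    findings = {"account": []}
    if not any(t.get("IsMultiRegionTrail") and t.get("IsLogging") for t in trails):
        findings["account"].append(
            "no active multi-region trail: API activity in some regions is not recorded")
    for t in trails:
        issues = []
        if not t.get("IsLogging"):
            issues.append("trail is not logging")
        if not t.get("LogFileValidationEnabled"):
            issues.append("log file validation disabled: log tampering is not detectable")
        if not t.get("KmsKeyId"):
            issues.append("log files are not encrypted with a KMS key")
        if not t.get("CloudWatchLogsLogGroupArn"):
            issues.append("no CloudWatch Logs delivery: nothing to build metric filters and alarms on")
        findings[t["Name"]] = issues
    return findings


def alert_events(events, alert_names=ALERT_EVENT_NAMES):
    """Return (eventName, actor, reason) for each event that should raise an alert."""
    alerts = []
    for e in events:
        ident = e.get("userIdentity", {})
        actor = ident.get("userName") or ident.get("type", "unknown")
        if ident.get("type") == "Root":
            alerts.append((e["eventName"], actor, "root account activity"))
        elif e["eventName"] == "ConsoleLogin" and \
                e.get("additionalEventData", {}).get("MFAUsed") != "Yes":
            alerts.append((e["eventName"], actor, "console login without MFA"))
        elif e["eventName"] in alert_names:
            alerts.append((e["eventName"], actor, "monitored configuration change"))
    return alerts


if __name__ == "__main__":
    for name, issues in audit_trails(TRAILS).items():
        print(name, "->", issues or "OK")
    for event_name, actor, reason in alert_events(EVENTS):
        print(f"ALERT {event_name} by {actor}: {reason}")
```

In production the same detection logic lives in CloudWatch metric filters or in the SIEM that ingests the log group, where the alert is generated as the event arrives rather than by a script run afterward. The configuration audit is worth scheduling as well: a trail that someone stops logging is exactly the case the `StopLogging` alert exists for, and a trail without log file validation leaves you unable to prove that the logs you present to an assessor are the ones CloudTrail wrote.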