Eclipse Authors: Pat Romanski, Elizabeth White, Liz McMillan, David H Deans, JP Morgenthal

Blog Feed Post

Cloud PCI Compliance: The Checklist

PCI Cloud Security cloud compliance  infoq Cloud PCI Compliance: The ChecklistIntroduction to PCI DSS and the Cloud

The news is always full of major incidents of consumer credit card information being compromised. To protect against dangerous hacks that can lead to thefts of business data or customer identities, best practices are set forth in the Payment Card Industry Data Security Standard (PCI DSS). These 12 steps set up a framework for a secure payment environment.

If your business stores, processes, or transmits payment cardholder data in the cloud, you are bound by PCI DSS. But unlike “brick and mortar” data centers that must also adhere to PCI DSS, those operating in the cloud have additional needs. For example, 6 of the 12 steps outlined by PCI DSS either require or are assisted by encryption of data. However, to securely encrypt in the cloud and comply with PCI DSS, you must keep control of the encryption keys. But as a cloud operation, can you keep your encryption keys in the cloud and at the same time keep them safe?

The answer is – you can.

We have compiled this checklist of the requirements of PCI DSS as they relate to cloud based operations. Ultimately, you may need to employ an external professional auditor to review your system for certification. Use this list to understand compliance, to plan for compliance, and most importantly, to protect yourself and your customers.

Like any 12-step program, adhering to PCI DSS takes commitment, but succeeding at it protects you and your customers.

12-Step Checklist

Use a firewall

You must install and consistently maintain a firewall configuration to protect your data. In the cloud, your firewall is software-based, and it will control the access to your data based on a set of rules. Choosing those rules well, as well as segmenting your network, is crucial to limiting the potential attack “surface”. It is an important part of Software Defined Networking.

Try to create a clearly defined and limited scope where sensitive data resides, which is easier to manage and control precisely because it has been isolated through firewall and networking rules.

Good examples include VMware’s “software defined data center” approach which includes asoftware-defined Firewall, Amazon’s AWS Security Groups, and the Dome9 cloud firewall. This is the first important step to protecting yourself against hackers.

Do not use defaults

For all of your systems, never use the default passwords and other security parameters provided by the vendors of commercial or open source software. Hackers are familiar with the defaults. Always change this information to something that is only known by you.

In the February 2013 PCI DSS Cloud Computing Guidelines, the Security Standards Council clearly states that businesses that use IaaS (not their cloud service providers) have the responsibility to securely configure their operating systems, applications, and virtual devices. PaaS setups share the responsibility with their provider for the OS, but the client controls the applications and software above the OS.

In IaaS and PaaS setups, you are also inheriting the settings and VM images of your provider. Check them carefully.

In fact, the best choice for you is to use vendors that offer no defaults to sensitive security parameters, but rather have processes for quickly and easily setting and enforcing unique values. Ask your vendors about this best practice.

Protect card-holder data

Seems straight-forward, but the PCI DSS enumerates the requirements in a very detailed way. In fact, this is the heart of PCI DSS. It implies many safeguards on what data is stored and how it is stored, which apply to traditional as well as cloud deployments. In the cloud, encryption becomes particularly important as a way to replace traditional physical safeguards. Data needs to be encrypted in a way that it is unreadable and unusable to those without the key. To comply, you must use hashing and encryption methods and strong key management to keep your data from being used maliciously by intruders.

Your keys protect your cardholder data, but you must protect your keys. In the cloud, your cryptographic keys must be managed separately from all other system components. Managing keys, distributing them, and storing them become a focal point for cloud applications complying with PCI DSS. This can be tricky, since ideally you would like your encryption keys to stay outside the cloud, for security; yet to utilize cloud computational resources, you need the keys inside the cloud. Fortunately, technology does offer neat solutions to these issues; look for “split key” cloud key management solutions that allow encryption keys to work in the cloud while you control them by keeping your “master key” share outside the cloud.

Encrypt data in transit

Any data that is sent over open public networks may be accessed by malicious individuals. To protect against this, always encrypt your data while in transit. Always enable SSL/TLS and consider IPsec communications and VPNs. Consider encryption in transit in conjunction with the segmentation and firewall rules you set up previously. Ideally SSL/TLS encryption should be maintained to your application servers, not terminated too near the network edge or at the load balancer. Since some security tools do need to look at the transmitted data (e.g. Web Application Firewalls), consider re-encrypting after they’ve done their job, or placing them close to application servers.

Cloud businesses do have the means to protect transmitted data. Best practice is to segment your deployment into public-facing segments and private ones, and maintain encryption (or re-encrypt if necessary) till data reaches the more private segments where app servers reside. Also consider encrypting transmission between components within your own environment – for example consider using TLS/SSL encryption for the communication between your application servers and your database.

Do use products that allow you control of the in-transit encryption parameters, such as certificates and keys. Choose cloud key management tools that assist in this task.

Use anti-virus software

Make sure your anti-virus tools are always updated with the latest releases from the vendor.

For a PCI compliant system – whether in a traditional or cloud deployment – to be infected is quite serious. Make sure consumer facing parts of the system are very carefully limited in scope, as mentioned before, to reduce the opportunities for infection. Take proper steps to regularly scan your system and your network, to quickly detect viral infections, bots and the like.

In the cloud, naturally, this applies to your guest OS – on your VM. Install appropriate anti-virus and network scanning capabilities on your cloud servers and in your environment.

Secure your systems and applications

All of your systems must always be up to date with the latest software patches and updates. Enable updates for both the OS and vendor software, and always check that everything is updated properly.

Look at it from the attackers point of view; your system contains financial information so is an attractive target for attacks. Keeping your systems and servers up to date minimizes the chance of new exploits from being used.

Cloud service providers (rightly) maintain that secure coding and proper use of tools is the client’s responsibility. Patching and maintenance of the OS, tools and software is the IaaS client’s responsibility and in some cases, the responsibility of PaaS clients as well. Quite simply, use tools and vendors that allow you to patch as frequently as necessary and with ease; “push the button” ease or auto-patching should be sought.

Restrict access

Access to your cardholder data, as well as to your encryptions keys, should always be limited to those who have a valid business need to know. Users who access this information should do so with personal accounts and all access should be logged.

Though in cloud situations, you may not know the physical location of your data, you are still responsible to define and restrict the access to your data. You should of course use the access tools provided by your provider, OS and software. Limit the number of administrators, and make sure actions they take are logged and can be traced back to a username that belongs to one identifiable person.

Data encryption can help to control access by limiting access to the “vectors” you have foreseen and place strong limitations on hacks and human error. In essence, in cloud situations, you replace physical walls by encryption – think of encryption as the walls around your data.

eek solutions where administrators simply never see encryption keys nor sensitive card holder data. This goes back to strong cloud key management.

Carefully manage users

Each person with access to your systems must have a unique ID and strong authentication. This ensures that each person is accountable for his actions and for any breaches that occurred using his ID.

Your authentication systems should be reviewed carefully, both for end users and for administrators. In the PCI context, administrative rights are especially sensitive. An administrator should never be allowed anonymity, or be allowed to hide behind a group name. And administrators should be isolated from data through encryption.

Given the importance of encryption in the cloud, you should restrict all users, and certainly administrators, by never allowing them to actually see sensitive keys such as encryption keys. Your cloud key management solution should enforce this approach, and be highly automated so as to make it practical and bring down hassles to your users.

Restrict physical access

In a cloud setup this has two aspects. One is that breaches are not always committed over the internet from faraway places, attacks can also happen when a hacker sits at your computer. Any physical device that holds protected data (paper, CDs, thumb-drives, laptops, mobile devices, backup drives, etc.) should be under lock and key and access should be carefully authorized and always logged.

Another is the so called insider threat. A cloud provider employee gone malicious or just one that made an error of judgment while providing maintenance. Review your provider’s documentation as regards their internal security policies; a good provider should be fairly open with this sort of information. Make sure to use encryption, and make sure that the encryption system you use keeps encryption keys under your control – administration of key management systems should not be with cloud provider personnel.

Track and monitor

Logging mechanisms and the ability to track user activities are critical in preventing, detecting, or minimizing the impact of a data compromise. This must be an ongoing process.

Make sure the cloud service provider manages monitoring and logging for their infrastructure and can provide logs. However the guest Operating System, your Application and your user activity are your responsibility. Make sure to track and monitor them.

Test systems and processes

Test systems before you roll them out and on a regular basis afterwards, including security reviews done by your own staff and regular penetration testing – probes of your environment as if you were a hacker to expose any security flaws in your setup. Find your own weaknesses and fix them before someone else finds them.

Maintain a policy

To comply with PCI DSS, you must be organized and methodical. This checklist can get you started in creating your written policy of high level steps to address your information security.


PCI DSS was created to protect consumers from financial and identity theft. By adhering to it, you are also protecting yourself from the liability, financial damages, and damaged reputation that can be the result of a security breach.

Though it may be quite involved to get compliant, it is certainly less involved than dealing with a breach.

The best way to safeguard yourself is to do business with companies that are familiar with the regulations and their challenges and have developed ways to secure your data.

The post Cloud PCI Compliance: The Checklist appeared first on Porticor Cloud Security.

Read the original blog entry...

More Stories By Gilad Parann-Nissany

Gilad Parann-Nissany, Founder and CEO at Porticor is a pioneer of Cloud Computing. He has built SaaS Clouds for medium and small enterprises at SAP (CTO Small Business); contributing to several SAP products and reaching more than 8 million users. Recently he has created a consumer Cloud at G.ho.st - a cloud operating system that delighted hundreds of thousands of users while providing browser-based and mobile access to data, people and a variety of cloud-based applications. He is now CEO of Porticor, a leader in Virtual Privacy and Cloud Security.

@ThingsExpo Stories
"IBM is really all in on blockchain. We take a look at sort of the history of blockchain ledger technologies. It started out with bitcoin, Ethereum, and IBM evaluated these particular blockchain technologies and found they were anonymous and permissionless and that many companies were looking for permissioned blockchain," stated René Bostic, Technical VP of the IBM Cloud Unit in North America, in this SYS-CON.tv interview at 21st Cloud Expo, held Oct 31 – Nov 2, 2017, at the Santa Clara Conventi...
A strange thing is happening along the way to the Internet of Things, namely far too many devices to work with and manage. It has become clear that we'll need much higher efficiency user experiences that can allow us to more easily and scalably work with the thousands of devices that will soon be in each of our lives. Enter the conversational interface revolution, combining bots we can literally talk with, gesture to, and even direct with our thoughts, with embedded artificial intelligence, whic...
BnkToTheFuture.com is the largest online investment platform for investing in FinTech, Bitcoin and Blockchain companies. We believe the future of finance looks very different from the past and we aim to invest and provide trading opportunities for qualifying investors that want to build a portfolio in the sector in compliance with international financial regulations.
In his keynote at 18th Cloud Expo, Andrew Keys, Co-Founder of ConsenSys Enterprise, provided an overview of the evolution of the Internet and the Database and the future of their combination – the Blockchain. Andrew Keys is Co-Founder of ConsenSys Enterprise. He comes to ConsenSys Enterprise with capital markets, technology and entrepreneurial experience. Previously, he worked for UBS investment bank in equities analysis. Later, he was responsible for the creation and distribution of life settle...
Product connectivity goes hand and hand these days with increased use of personal data. New IoT devices are becoming more personalized than ever before. In his session at 22nd Cloud Expo | DXWorld Expo, Nicolas Fierro, CEO of MIMIR Blockchain Solutions, will discuss how in order to protect your data and privacy, IoT applications need to embrace Blockchain technology for a new level of product security never before seen - or needed.
Leading companies, from the Global Fortune 500 to the smallest companies, are adopting hybrid cloud as the path to business advantage. Hybrid cloud depends on cloud services and on-premises infrastructure working in unison. Successful implementations require new levels of data mobility, enabled by an automated and seamless flow across on-premises and cloud resources. In his general session at 21st Cloud Expo, Greg Tevis, an IBM Storage Software Technical Strategist and Customer Solution Architec...
Imagine if you will, a retail floor so densely packed with sensors that they can pick up the movements of insects scurrying across a store aisle. Or a component of a piece of factory equipment so well-instrumented that its digital twin provides resolution down to the micrometer.
When shopping for a new data processing platform for IoT solutions, many development teams want to be able to test-drive options before making a choice. Yet when evaluating an IoT solution, it’s simply not feasible to do so at scale with physical devices. Building a sensor simulator is the next best choice; however, generating a realistic simulation at very high TPS with ease of configurability is a formidable challenge. When dealing with multiple application or transport protocols, you would be...
Nordstrom is transforming the way that they do business and the cloud is the key to enabling speed and hyper personalized customer experiences. In his session at 21st Cloud Expo, Ken Schow, VP of Engineering at Nordstrom, discussed some of the key learnings and common pitfalls of large enterprises moving to the cloud. This includes strategies around choosing a cloud provider(s), architecture, and lessons learned. In addition, he covered some of the best practices for structured team migration an...
In his session at 21st Cloud Expo, Raju Shreewastava, founder of Big Data Trunk, provided a fun and simple way to introduce Machine Leaning to anyone and everyone. He solved a machine learning problem and demonstrated an easy way to be able to do machine learning without even coding. Raju Shreewastava is the founder of Big Data Trunk (www.BigDataTrunk.com), a Big Data Training and consulting firm with offices in the United States. He previously led the data warehouse/business intelligence and B...
No hype cycles or predictions of a gazillion things here. IoT is here. You get it. You know your business and have great ideas for a business transformation strategy. What comes next? Time to make it happen. In his session at @ThingsExpo, Jay Mason, an Associate Partner of Analytics, IoT & Cybersecurity at M&S Consulting, presented a step-by-step plan to develop your technology implementation strategy. He also discussed the evaluation of communication standards and IoT messaging protocols, data...
Smart cities have the potential to change our lives at so many levels for citizens: less pollution, reduced parking obstacles, better health, education and more energy savings. Real-time data streaming and the Internet of Things (IoT) possess the power to turn this vision into a reality. However, most organizations today are building their data infrastructure to focus solely on addressing immediate business needs vs. a platform capable of quickly adapting emerging technologies to address future ...
Coca-Cola’s Google powered digital signage system lays the groundwork for a more valuable connection between Coke and its customers. Digital signs pair software with high-resolution displays so that a message can be changed instantly based on what the operator wants to communicate or sell. In their Day 3 Keynote at 21st Cloud Expo, Greg Chambers, Global Group Director, Digital Innovation, Coca-Cola, and Vidya Nagarajan, a Senior Product Manager at Google, discussed how from store operations and ...
We are given a desktop platform with Java 8 or Java 9 installed and seek to find a way to deploy high-performance Java applications that use Java 3D and/or Jogl without having to run an installer. We are subject to the constraint that the applications be signed and deployed so that they can be run in a trusted environment (i.e., outside of the sandbox). Further, we seek to do this in a way that does not depend on bundling a JRE with our applications, as this makes downloads and installations rat...
Widespread fragmentation is stalling the growth of the IIoT and making it difficult for partners to work together. The number of software platforms, apps, hardware and connectivity standards is creating paralysis among businesses that are afraid of being locked into a solution. EdgeX Foundry is unifying the community around a common IoT edge framework and an ecosystem of interoperable components.
DX World EXPO, LLC, a Lighthouse Point, Florida-based startup trade show producer and the creator of "DXWorldEXPO® - Digital Transformation Conference & Expo" has announced its executive management team. The team is headed by Levent Selamoglu, who has been named CEO. "Now is the time for a truly global DX event, to bring together the leading minds from the technology world in a conversation about Digital Transformation," he said in making the announcement.
In this strange new world where more and more power is drawn from business technology, companies are effectively straddling two paths on the road to innovation and transformation into digital enterprises. The first path is the heritage trail – with “legacy” technology forming the background. Here, extant technologies are transformed by core IT teams to provide more API-driven approaches. Legacy systems can restrict companies that are transitioning into digital enterprises. To truly become a lead...
Digital Transformation (DX) is not a "one-size-fits all" strategy. Each organization needs to develop its own unique, long-term DX plan. It must do so by realizing that we now live in a data-driven age, and that technologies such as Cloud Computing, Big Data, the IoT, Cognitive Computing, and Blockchain are only tools. In her general session at 21st Cloud Expo, Rebecca Wanta explained how the strategy must focus on DX and include a commitment from top management to create great IT jobs, monitor ...
"Cloud Academy is an enterprise training platform for the cloud, specifically public clouds. We offer guided learning experiences on AWS, Azure, Google Cloud and all the surrounding methodologies and technologies that you need to know and your teams need to know in order to leverage the full benefits of the cloud," explained Alex Brower, VP of Marketing at Cloud Academy, in this SYS-CON.tv interview at 21st Cloud Expo, held Oct 31 – Nov 2, 2017, at the Santa Clara Convention Center in Santa Clar...
The IoT Will Grow: In what might be the most obvious prediction of the decade, the IoT will continue to expand next year, with more and more devices coming online every single day. What isn’t so obvious about this prediction: where that growth will occur. The retail, healthcare, and industrial/supply chain industries will likely see the greatest growth. Forrester Research has predicted the IoT will become “the backbone” of customer value as it continues to grow. It is no surprise that retail is ...