As cloud storage becomes the mainstream option for most businesses, industries like banking may feel hesitant to migrate due to compliance and security concerns. While there are certain security risks that come with using cloud services, financial institutions have the upper hand. Regulatory frameworks such as the Gramm-Leach-Bliley Act (GLBA), also known as the Financial Modernization Act of 1999, and PCI DSS subject the financial industry to continual auditing for security risks.
Regulations are consistently evolving to protect the financial industry and its customers. As compliance standards increase, so does the confidence that banking organizations have in the cloud. In fact, a recent 451 Research survey found that more than one in four businesses intend to move all IT infrastructure and workloads to the cloud in the next 12 to 24 months.
The move towards greater use of cloud computing services comes at a time when data compliance regulations are tightening significantly. Is your financial organization ready to migrate to the cloud? If so, how are you prepared to protect your data and meet PCI DSS compliance? If you are unsure, here’s a guide to prepare you for PCI DSS compliance in the cloud.
What is PCI DSS Compliance?
Before we get into creating a smooth cloud migration plan, here is a quick review of PCI DSS for those who might not be up to date on current regulations and policies. The PCI standards apply to any company, big or small, that accepts, stores, or transmits credit card payments or payment information.
PCI DSS is an information security standard for organizations that handle branded credit cards from the major card schemes. It is important to know that while the PCI Security Standards Council establishes the rules, it is not in charge of enforcing them. Card issuers, auditors, and banks are the enforcers.
The PCI Security Standards Council is constantly working to monitor threats and improve the industry’s means of dealing with them, through enhancements to the PCI Security Standards and by training security professionals.
According to the PCI DSS Quick Reference Guide, the standards apply to all entities that store, process or transmit cardholder data – with requirements for software developers and manufacturers of applications and devices used in those transactions. The Council is responsible for managing the security standards, while compliance with the PCI set of standards is enforced by the founding members of the Council.
What Regulations Are in Place for Cloud Compliance?
According to the PCI SSC Cloud Computing Guidelines, cloud computing can be used to provide customers with access to the latest technologies without a costly investment in hardware and software. Due to the economies of scale associated with the delivery of cloud services, cloud providers can often deliver access to a greater range of technologies and security resources than that to which the customer might otherwise have access.
Organizations without a depth of technically skilled personnel may also wish to leverage the skills and knowledge provided by cloud provider personnel to securely manage their cloud operations. Cloud computing therefore holds significant potential to help organizations reduce IT complexity and costs, while increasing agility. Cloud computing is also seen as a means to accommodate business requirements for high availability and redundancy, including business continuity and disaster recovery.
The responsibilities defined between the customer and the cloud provider for managing PCI DSS controls are influenced by a number of variables, including but not limited to:
- The purpose for which the customer is using the cloud service
- The scope of PCI DSS requirements that the customer is outsourcing to the cloud provider
- The services and system components that the cloud provider has validated within its own operations
- The service option that the customer has selected to engage the cloud provider (e.g., IaaS, PaaS or SaaS)
- The scope of any additional services the cloud provider is providing to proactively manage the customer’s compliance (for example, additional managed security services)
How to Comply with PCI DSS
PCI DSS applies to merchants and other entities that store, process, and/or transmit cardholder data. While the Council is responsible for managing the data security standards, each payment card brand maintains its own separate compliance enforcement programs.
Depending on an entity’s classification or risk level (determined by the individual payment card brands), processes for compliance usually follow these steps:
- Scope: determine which system components and networks are in scope for PCI DSS
- Assess: examine the compliance of system components in scope following the testing procedures for each PCI DSS requirement
- Report: assessor and/or entity completes required documentation (e.g. Self-Assessment Questionnaire (SAQ) or Report on Compliance (ROC)), including documentation of all compensating controls
- Attest: complete the appropriate Attestation of Compliance (AOC)
- Submit: submit the SAQ, ROC, AOC and other requested supporting documentation such as ASV scan reports to the acquirer (for merchants) or to the payment brand/requestor (for service providers)
- Remediate: if required, perform remediation to address requirements that are not in place, and provide an updated report
Compliance Guide to a Smooth Cloud Migration
Going by industry projections alone, LogicMonitor’s Cloud Vision 2020: The Future of the Cloud Study predicts that 41 percent of enterprise workloads will be run on public cloud platforms by 2020. With that, there is a need to ensure a smooth and compliant cloud migration.
Here is your complete compliance guide to a smooth cloud migration.
1. Find a Highly Compliant and Stringently Audited Cloud Provider
When vetting cloud computing service providers, confirm that they meet the requirements of PCI DSS according to your agreed-upon guidelines.
When handling cardholder data, a safe cloud environment is paramount. In some cases, this is best achieved through a private cloud. SecurityMetrics found that noncompliance with PCI requirement 10, “Implement Logging and Log Monitoring,” was present in 73 percent of the breaches it investigated, making it the issue most frequently associated with a data breach. A PCI DSS compliant private cloud solution could fix this problem.
Another benefit of having a cloud service provider is access to its compliance experts. Your cloud provider should have designated PCI compliance experts who are responsible for maintaining PCI DSS standards, as well as any other compliance regulations that impact your industry or that of your clients.
It is important to ensure that your cloud provider’s services have been validated against the PCI DSS to provide you with the confidence to meet your compliance needs.
2. Select the Most Secure Cloud Platform
For highly regulated industries like the financial sector, a public cloud service can have numerous problems. Security and resource allocation are the top two issues that LightEdge has noticed most customers commonly encounter. With a public cloud solution, customers do not have control over who is managing firewalls, or who is managing the resources that critical infrastructure is stored on. This can be a major compliance concern.
Thankfully, private cloud hosting is geared more towards security and control. Many regulated industries like healthcare and manufacturing are moving towards private cloud options. A study by IDC reports that private cloud infrastructure sales hit $4.6 billion in the second quarter of 2018 alone, a 28.2 percent increase from the same period in 2017.
NIST says that private cloud has some unique characteristics that set it apart from the rest: “The cloud infrastructure is provisioned for exclusive use by a single organization comprising multiple consumers (e.g., business units). It may be owned, managed, and operated by the organization, a third party, or some combination of them, and it may exist on or off premises.”
LightEdge offers two different types of cloud services, including:
- Virtual Private Cloud powered by VMware: takes advantage of the cost-effective multi-tenant model for infrastructure and virtualization, while maintaining business-critical performance and top security. Our VPC is redundant by default, and can be provisioned by you or LightEdge’s experienced engineers.
- Dedicated Private Cloud powered by VMware: offers a single-tenant environment with the highest level of performance, control and security at a predictable monthly price. DPC provides physically discrete and highly available compute, storage and network resources configured to your unique requirements. You retain full control of your server while gaining the flexibility of virtualization, ideal for mission-critical applications and compliance standards.
3. Secure the Network
Network security is the process of building a defensive approach to secure your data and resources across the computer network infrastructure. For proper protection, your organization must first configure the network as correctly as possible. From there, stay on constant alert to identify when the configuration has changed or a problem has been indicated. Finally, act to rectify the problem quickly and return to a known safe state.
Every environment has vulnerabilities. Claiming ignorance is no excuse anymore. Pretending you have nothing of value or there is no reason to target your business is a flawed perspective. If you are connected to the internet, you are already a target. Network security is the cornerstone of your larger security infrastructure.
According to the Ponemon Institute’s 2018 Cost of a Data Breach Study, sponsored by IBM Security, the average total cost of a data breach increased by 6.4 percent and the per capita cost increased by 4.8 percent globally. The average size of a data breach (number of records lost or stolen) also increased by 2.2 percent. Learn more about how network security should be the cornerstone of your security infrastructure.
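The configure / detect / rectify loop from step 3 can be made concrete with a small drift detector. This is an added example, not LightEdge’s code: it keeps an approved firewall rule set for a hypothetical cardholder data environment (the rules, addresses and host name are constructed), flags any change from that baseline, rates it by whether it opens access into the database segment or removes a deny rule, and emits a requirement-10 style audit record for the log collector.

```python
import hashlib
import json
from datetime import datetime, timezone

# Constructed approved baseline for a hypothetical cardholder data environment (CDE)
# segment. Each rule is (action, protocol, source, destination, port); values are made up.
BASELINE_RULES = {
    ("allow", "tcp", "10.10.1.0/24", "10.10.2.10", 443),   # web tier -> payment app
    ("allow", "tcp", "10.10.2.10", "10.10.3.20", 5432),    # payment app -> database
    ("allow", "udp", "10.10.0.0/16", "10.10.0.5", 514),    # syslog to the log collector
    ("deny", "any", "0.0.0.0/0", "10.10.3.0/24", 0),       # default-deny into the DB segment
}
DB_SEGMENT_PREFIX = "10.10.3."  # assumed address range of the database segment

def fingerprint(rules):
    """Stable SHA-256 of a rule set so the approved baseline can be stored and compared."""
    canonical = json.dumps(sorted(rules))
    return hashlib.sha256(canonical.encode()).hexdigest()

def detect_drift(baseline, current):
    """Rules added to or removed from the approved baseline (step 2: identify the change)."""
    return {"added": sorted(current - baseline), "removed": sorted(baseline - current)}

def classify(drift):
    """'high' when a change opens access into the DB segment or drops a deny rule."""
    for action, _proto, _src, dst, _port in drift["added"]:
        if action == "allow" and dst.startswith(DB_SEGMENT_PREFIX):
            return "high"
    if any(rule[0] == "deny" for rule in drift["removed"]):
        return "high"
    return "medium" if (drift["added"] or drift["removed"]) else "none"

def check_host(host, current_rules):
    """One detection cycle. Returns (severity, audit record); the record is a
    requirement-10 style event (what changed, where, when) or None if nothing drifted."""
    if fingerprint(current_rules) == fingerprint(BASELINE_RULES):
        return "none", None
    drift = detect_drift(BASELINE_RULES, current_rules)
    severity = classify(drift)
    record = {
        "ts": datetime.now(timezone.utc).isoformat(),
        "host": host,
        "event": "firewall_config_drift",
        "severity": severity,
        "baseline_sha256": fingerprint(BASELINE_RULES),
        "added": drift["added"],
        "removed": drift["removed"],
    }
    return severity, record  # step 3: ship the record to the log collector and open remediation
```

Calling `check_host("fw-cde-01", BASELINE_RULES | {("allow", "tcp", "0.0.0.0/0", "10.10.3.20", 5432)})` returns `"high"` with the offending rule listed under `added`; an unchanged rule set returns `("none", None)`.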
4. Leverage Cloud Service Provider Support and Expertise
It is more difficult than ever to meet the complex demands of compliance and security – especially with evolving threats, vague regulatory guidance, and limited resources. Your compliant cloud provider should be able to take the guesswork out of protecting your payment data.
If you have done due diligence on vetting a compliant cloud service provider, you will have thought about the level of support your organization requires. A good support team can be an ally during any cloud migration project. The expert cloud support staff should be able to promptly answer technical questions or help with any issues you may be experiencing.
LightEdge’s security professional services simplify the process of improving your security posture by helping you:
- Make sense of security and compliance frameworks that apply to your business or industry
- Identify business risks, considering the role of your hosting service provider
- Determine which security controls are required to mitigate your identified risks
- Improve collaboration and communication during security event mitigation and incident response between your business and LightEdge
- Establish the necessary framework to maintain and continually improve your information security program over time based on evolving scope and emerging risks
- Document and track efforts for evidence collection and audit preparation
Meet your Next Compliant Cloud Service Provider Today
Security and compliance not only protect businesses from excessive regulatory fines, they also protect their critical data from threats and breaches. From a dedicated physical infrastructure to a virtual delivery model, we’ve got the compliant cloud and hosting solution for your organization. Retain the level of control you want, and the amount of data isolation you require.
LightEdge’s highly-trained compliance and security experts take the guesswork out of keeping your business protected. Trust our expertise to ensure you are covered through our security and compliance services, including risk management, information security, audit preparedness, and support.
LightEdge builds security and redundancy into every detail of our data center facilities and compliant service offerings, and our engineers have the know-how to advise you on meeting your compliance requirements, regardless of industry standard.
LightEdge also offers a free risk assessment from our security team as a free resource to all of our clients. Based on findings from the risk assessment, our experts recommend the appropriate security controls you’ll need to protect sensitive data and pass audits. We assist in gathering the evidence and documentation you need to prove you’re in compliance; we even provide support during third-party audits. LightEdge is compliant with:
If you are interested in meeting with our compliance and security experts or touring any of our seven world-class data centers, contact us here. We have compliant cloud experts standing by to answer your questions. Start by getting a free quote today.