5 Cloud Security Recommendations For Toughened PCI Guidelines

PCI DSS

UK businesses are increasingly flocking to cloud services to reap cost savings and greater IT agility. According to the Cloud Industry Forum, over 75 per cent of UK businesses will be using at least one cloud service by the end of 2013.

But many organisations still aren’t clear on their responsibilities for protecting their data in the cloud. Cloud users commonly assume that, by working with a third-party provider, the compliance requirements will either be satisfied or that responsibility will shift to the shoulders of the cloud provider.

As a result, the PCI Security Standards Council earlier this year released clarifications and clear steps to guide payment processors through their cloud adoption journey. It confirmed that cloud customers cannot shift responsibility to their cloud providers.

The revised cloud computing guidelines apply to any organisation that stores, processes or transmits cardholder information in any cloud environment, including SaaS, PaaS, IaaS and hosted email. The guidance recommends shared responsibility between the cloud provider and the cloud customer to ensure that cardholder data is protected and PCI DSS compliant.

While it advocates shared responsibility, the document outlines new security responsibilities for cloud customers to protect their cardholder data according to applicable PCI DSS requirements. It also states that users need to understand and have a level of visibility into their cloud provider’s security capabilities. For example: did you know that, regardless of the security measures in the cloud provider’s arsenal, you are still responsible for ensuring your cardholder data is secure?

Compliance Guidance

The new guidelines mean cloud customers must reconsider their information protection model in order to minimise PCI risks. If your business sells online, the following best practices can help you protect your cardholder information and ensure that you comply with the 2013 PCI cloud security guidelines.

1. Cloud Encryption of Cardholder Data: As noted by the PCI Council, “ensuring that clear-text account data is never accessible in the cloud may also assist to reduce the number of PCI DSS requirements applicable to the cloud environment.” This can be achieved by encrypting sensitive pieces of cardholder information transparently in real time before they are sent to the cloud using operations-preserving encryption and tokenisation that do not impact the usability of the applications.

2. Customers Retain Encryption Key Control: Encryption key management remains in the hands of the cloud customers. This contrasts sharply with other approaches where the cloud provider retains control over the keys that can decrypt cardholder information. So, even if a cloud provider is compromised, your payment information remains secure.

3. Key Management: The keys need to be stored and managed independently from the encrypted data. At a minimum they should be maintained in a completely separate network segment, and preferably not accessible by the cloud provider.

4. Full Data Sovereignty and Legal Compliance: Due to the dynamic nature of cloud operations, you may be unaware of which country the information is actually stored in and whether it is accessible by foreign authorities and system administrators. This may result in concerns over data ownership and potential conflicts between domestic and international jurisdictional and regulatory requirements. By encrypting the data before sending it to the cloud, you can be assured that no information will be shared, even with law enforcement, without your direct involvement.

5. Restrict Cardholder Data on a Need-to-Know Basis: By exclusively controlling the encryption keys, the data owner controls who can decrypt the information. No one at the cloud provider can access the information.
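Recommendations 1, 2, 3 and 5 describe one pattern: replace the primary account number (PAN) with a token before the record leaves the customer's network, keep the token-to-PAN mapping (the "key") in a store the cloud provider never sees, and preserve enough of the card's shape (length and last four digits) that the cloud application still works. The following is an added example written for this article, not code from the author or from CipherCloud; the `TokenVault` class, the `build_cloud_record` helper and the `contains_pan` check are assumptions about how such a design could be implemented, and the test PAN is a constructed sample value.

```python
import re
import secrets

DIGITS = "0123456789"


def luhn_valid(number: str) -> bool:
    """Return True if the digit string passes the Luhn check used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


class TokenVault:
    """Customer-held vault (assumption): the token -> PAN mapping lives in a
    separate network segment under the customer's control, never in the cloud."""

    def __init__(self) -> None:
        self._pan_by_token: dict[str, str] = {}
        self._token_by_pan: dict[str, str] = {}

    def tokenize(self, pan: str) -> str:
        """Return a format-preserving token: same length, same last four digits,
        random other digits, and deliberately NOT Luhn-valid so it can never be
        mistaken for (or charged as) a real card number."""
        if not pan.isdigit() or not 13 <= len(pan) <= 19 or not luhn_valid(pan):
            raise ValueError("not a syntactically valid PAN")
        if pan in self._token_by_pan:          # idempotent: one token per PAN
            return self._token_by_pan[pan]
        while True:
            body = "".join(secrets.choice(DIGITS) for _ in range(len(pan) - 4))
            token = body + pan[-4:]
            if luhn_valid(token) or token in self._pan_by_token or token == pan:
                continue                        # reject collisions and Luhn-valid tokens
            break
        self._pan_by_token[token] = pan
        self._token_by_pan[pan] = token
        return token

    def detokenize(self, token: str) -> str:
        """Only the vault owner can map a token back to the cardholder data."""
        return self._pan_by_token[token]


def build_cloud_record(vault: TokenVault, customer_id: str, pan: str) -> dict:
    """Build the record that is sent to the cloud application: token and last
    four only, so clear-text account data never reaches the provider."""
    return {
        "customer_id": customer_id,
        "card_token": vault.tokenize(pan),
        "last4": pan[-4:],
    }


def contains_pan(text: str) -> bool:
    """Outbound check (DLP-style): does the payload contain any 13-19 digit
    run that passes Luhn? Run this before anything is sent to the cloud."""
    return any(luhn_valid(m) for m in re.findall(r"\d{13,19}", text))


if __name__ == "__main__":
    import json

    vault = TokenVault()
    sample_pan = "4111111111111111"            # constructed, well-known test number
    record = build_cloud_record(vault, "cust-001", sample_pan)
    payload = json.dumps(record)
    print("sent to cloud:", payload)
    print("contains PAN?", contains_pan(payload))
    print("vault recovers:", vault.detokenize(record["card_token"]))
```

The token keeps the length and last four digits so that receipts, search and display in the cloud application continue to work, while `contains_pan` gives a cheap pre-send check that no Luhn-valid number slipped into the payload. In a real deployment the vault would be a separately hosted service with its own access controls and audit log; the in-memory dictionaries here only illustrate the separation between encrypted or tokenised data in the cloud and the keys held by the customer.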

Security experts will agree that cyber crime will follow wherever valuable data moves to – whether on-premises or in the cloud. With new PCI and other regulatory mandates in 2013 placing security and compliance responsibility on cloud users, any business that stores or processes data in the cloud could face serious repercussions for failing to meet these tougher compliance standards.

Paige Leidig

Paige Leidig has 20 years of experience in technology, marketing, and selling enterprise application solutions and managing trusted customer relationships. As SVP of Marketing, he is responsible for all aspects of marketing at CipherCloud. Paige was previously in the Office of the CEO at SAP, where he was responsible for leading and coordinating SAP’s acquisition and integration activities on a global basis. He has managed a number of marketing initiatives at SAP, including responsibility for all go-to-market activities for SAP’s Cloud applications portfolio. Preceding his SAP career, Paige held senior management positions with Ariba, Elance, and E*Trade.

  • Les

    Encryption is a system which protects the “Hacker”. “If one is able to encrypt data without content inspection by a DLP system using AccuMatch TM technology, then Administrators will never be able to find out what was sent out in such emails or files and take the appropriate enforcement action.” cited from GTB Technologies site.