The IT industry is shaped by regulations and standards that govern how data must be stored and transmitted securely. Organizations that process, store or transmit cardholder data (merchants, payment processors and the service providers behind them) must follow the rules set out in the Payment Card Industry Data Security Standard (PCI DSS), introduced in 2004 by Visa, Mastercard, American Express, JCB International and Discover Financial Services.
Today we look in more detail at PCI DSS: its controls, what compliance means in the era of cloud computing, and the benefits of the updated standard.
About PCI DSS 4.0
The standard was introduced in 2004 and its revised version, PCI DSS 4.0, was released at the end of March 2022. Merchant organizations were given two years to transition: to make the required changes to their payment security processes and comply with the updated requirements. PCI DSS 4.0 evolved to meet the changing needs of the digital payment industry, the pandemic-driven shift to remote working, and evolving cyber threats that demand more stringent controls around card data, in an era of cloud computing where physical network boundaries have rapidly diminished.
The core requirements of PCI DSS 4.0 remain unchanged, but three major changes matter for cloud deployments: a customized approach to implementing the standard (available to Level 1 merchants assessed by a QSA), a multi-factor authentication mandate, and ongoing security testing. The requirements for protecting cardholder data with strong cryptography are also strengthened, covering both data at rest and data transmitted over public networks.
Main Changes in the Perspective of Compliance on Cloud
Ongoing testing – Cyber security threats are on the rise and are constantly getting more sophisticated, so a cardholder data environment that was compliant at its annual audit may become vulnerable to a new type of attack. PCI DSS 4.0 treats security as a continuous process: merchants are expected to monitor and test their environments, infrastructure and processes on an ongoing basis, and Qualified Security Assessors (QSAs) look for evidence of that, rather than relying on an annual audit that gives only a point-in-time view of compliance.
Passwords alone are not enough – The weaknesses of passwords as a sole factor are well documented. PCI DSS 4.0 requires that all access into the cardholder data environment be protected with multi-factor authentication (MFA). Password requirements for payment and control systems are also strengthened: passwords must be at least 12 characters long and contain both letters and numbers.
Level 1 merchants – increased flexibility – PCI DSS 4.0 introduces a customized approach that allows Level 1 merchants to design their own access and data security controls, as long as they meet the stated objective of each requirement, which is the protection of cardholder data. Enterprises can adopt new technologies and advanced security solutions that fit their operations, keep pace with new customer payment methods emerging in cloud environments, and respond to cyber threats targeting payment ecosystems.
The customized approach must be documented and validated by a QSA. Level 2 to 4 merchants, which handle fewer than 6 million payment transactions annually, complete a self-assessment questionnaire (SAQ) and are not eligible for the customized approach. Level 2 merchants, processing between 1 million and 6 million transactions annually, may also be required by their card brand or acquirer to submit a Report on Compliance (RoC).
Custom security – The major change in PCI DSS 4.0 is the move from a tick-box approach to a focus on the outcome of the controls that are implemented. Rather than checking controls off a list, the QSA assesses whether each customized control meets the intent of the requirement. For example, a QSA must judge whether the training provided to employees actually gives them the security awareness needed to protect cardholder data from phishing and other social engineering attacks.
Are you Ready? Compliance in the Cloud
Public cloud service providers are investing heavily in securing their environments and deploying advanced security technologies. The revised standard explicitly accommodates cloud-based hosting and introduces requirements aimed at securing cardholder data and cloud workloads.
In PCI DSS 4.0 the requirements apply to the cardholder data environment (CDE): the system components, personnel and processes that store, process or transmit cardholder data or sensitive authentication data, together with any system that is connected to the CDE or could affect its security.
System components include network devices (switches, routers), servers, storage, virtual machines, hypervisors, end-user computing devices, applications and virtual desktops. Cloud infrastructure and its components, internal and external to the organization, are in scope too: containers and container images, virtual private clouds, cloud-based IAM, CDEs residing on premises or in the cloud, service meshes for containerized applications, and orchestration tools.
Segmentation and access-control configuration – Merchants using cloud-hosted environments in a multi-tenant architecture must be able to show that each customer can reach only its own environment and CDE, and that unauthorized access to other customers' environments is prevented.
During an assessment, QSAs verify that these configurations are set up so that each merchant organization has access only to its own cloud-based CDE and cardholder data, and cannot reach other organizations' cloud-based card data and environments.
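A configuration review of the kind described above can be scripted. The following is an added example, not code from the original article or from the PCI SSC: it takes a list of inbound allow rules on the CDE's network boundary (security-group style, the shape an assessor would export from a cloud provider's console or API) and flags any rule that opens the CDE to the internet, to another tenant's address space, or to anything outside the approved CDE and admin segments. The network ranges, rule names and tenant layout are constructed for illustration.

```python
"""Segmentation review for a cloud-hosted CDE (added example).

The tenant layout, rule names and CIDRs below are constructed for
illustration; they stand in for the inbound rules an assessor would
pull from the cloud provider for the CDE's security groups or firewall.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class InboundRule:
    """One allow rule on the CDE's network boundary."""
    name: str
    source_cidr: str  # who may connect
    port: int         # 0 means every port
    protocol: str     # "tcp", "udp" or "any"


# Constructed tenant layout: this merchant's CDE, its approved admin
# (bastion) segment, and the ranges assigned to other tenants on the platform.
CDE_NETWORK = ipaddress.ip_network("10.10.0.0/16")
ADMIN_NETWORK = ipaddress.ip_network("10.20.5.0/24")
APPROVED_SOURCES = [CDE_NETWORK, ADMIN_NETWORK]
OTHER_TENANTS = [
    ipaddress.ip_network("10.30.0.0/16"),
    ipaddress.ip_network("10.40.0.0/16"),
]

# Constructed rule set: the first two are fine, the other three are not.
RULES = [
    InboundRule("app-tier-to-db", "10.10.1.0/24", 5432, "tcp"),
    InboundRule("admin-bastion-ssh", "10.20.5.0/24", 22, "tcp"),
    InboundRule("legacy-monitoring", "10.30.4.0/24", 9100, "tcp"),
    InboundRule("vendor-access", "0.0.0.0/0", 443, "tcp"),
    InboundRule("shared-services", "172.16.0.0/12", 0, "any"),
]


def review_rule(rule: InboundRule, approved, other_tenants) -> list[str]:
    """Return the reasons a rule breaks tenant segmentation (empty if none)."""
    reasons = []
    src = ipaddress.ip_network(rule.source_cidr, strict=False)
    if src.prefixlen == 0:
        # 0.0.0.0/0 or ::/0: the CDE is reachable from the whole internet.
        reasons.append("source is the entire internet")
    elif any(src.version == t.version and src.overlaps(t) for t in other_tenants):
        reasons.append("source overlaps another tenant's address space")
    elif not any(src.version == a.version and src.subnet_of(a) for a in approved):
        reasons.append("source is outside the approved CDE/admin segments")
    if rule.port == 0 or rule.protocol == "any":
        # Even from an approved source, an any/any rule is not least privilege.
        reasons.append("rule permits every port or protocol")
    return reasons


def review_rules(rules, approved, other_tenants) -> dict[str, list[str]]:
    """Map each non-compliant rule name to its findings; clean rules are omitted."""
    findings: dict[str, list[str]] = {}
    for rule in rules:
        reasons = review_rule(rule, approved, other_tenants)
        if reasons:
            findings[rule.name] = reasons
    return findings


if __name__ == "__main__":
    for name, reasons in review_rules(RULES, APPROVED_SOURCES, OTHER_TENANTS).items():
        print(f"{name}:")
        for reason in reasons:
            print(f"  - {reason}")
```

Against the constructed rules, `legacy-monitoring` is flagged for overlapping another tenant's range, `vendor-access` for being open to the internet, and `shared-services` both for an unapproved source and for allowing every port and protocol. A rule review like this is evidence for the assessor, not proof: egress rules, IAM policies and shared platform services also need review, and the segmentation still has to be confirmed by testing from outside the CDE.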
Cloud-based services became central to our lives during the Covid era, as people worked remotely from home and moved outside the trusted network boundary. Consumer concern about card data security is rising; at the same time, adding layers of security can slow down transactions and hurt performance, which frustrates customers.
The current version of the standard, PCI DSS 3.2.1, retires at the end of the first quarter of 2024 (31 March 2024), and a number of the new requirements in 4.0 that are initially best practice become mandatory on 31 March 2025. The clock is ticking for merchants handling cardholder data to make the organizational changes necessary to achieve compliance with the updated standard.