Check The Expiration Date

The Payment Card Industry (PCI) Security Standards Council (SSC) develops standards and resources that help protect the people, processes, and technologies across the payment ecosystem in order to secure payment transactions worldwide. The PCI SSC is led by a policy-setting Executive Committee composed of representatives from the Founding Members and Strategic Members, which include American Express, Discover Financial Services, JCB International, Mastercard, UnionPay, and Visa Inc.

The PCI Data Security Standard (DSS) is a global standard established to protect payment account data. The PCI DSS consists of twelve technical and operational requirements grouped under six goals.

If an entity stores, processes, or transmits the payment card Primary Account Number (PAN), then a Cardholder Data Environment (CDE) exists, and the PCI DSS requirements apply to it.

The current version of the PCI DSS is 4.0. This version was officially released in 2022 with a two-year transition period. The previous version, 3.2.1, expires on 3/31/2024. Some requirements in v4.0 are considered best practices until 3/31/2025, after which they become mandatory and must be fully addressed during a PCI DSS assessment.

Some of the changes incorporated into Version 4.0 of the PCI DSS are intended to:

  • Continue to meet the security needs of the payment industry.
  • Promote security as a continuous process.
  • Increase flexibility for organizations using different methods to achieve security objectives.
  • Enhance validation methods and procedures.

For a comprehensive view of the changes in the new version, as well as other standards and supporting documentation, please refer to the PCI SSC Document Library.

Compliance questions, including questions about whether it is acceptable to submit a PCI DSS v3.2.1 assessment report after the standard is retired on 3/31/2024, should be directed to the organizations that manage the compliance program, such as payment brands and acquirers.

Cloud Computing and Security

Cloud Computing

The National Institute of Standards and Technology (NIST) describes cloud computing as a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction. 

Cloud Service Providers (CSPs) offer three service models:

  • Software-as-a-Service (SaaS)
    • This category provides applications and software solutions on demand over the internet, accessible to the user, usually via a web browser. The cloud provider is responsible for nearly all security since the cloud user can only access and manage their use of the application and can’t alter how the application works.
  • Platform-as-a-Service (PaaS)
    • This category of Cloud computing provides a platform and environment for developers to develop, test and deliver software applications. The cloud provider is responsible for the security of the platform, while the user is responsible for everything they implement on the platform, including how they configure any offered security features.
  • Infrastructure-as-a-Service (IaaS)
    • The most basic category of Cloud computing services is Infrastructure-as-a-Service. With IaaS, an organization rents IT infrastructure: servers, virtual machines, storage, and networks. The provider is responsible for foundational security, while the cloud user is responsible for everything they build on the infrastructure. Unlike PaaS, this places far more responsibility on the user.

Organizations have taken advantage of the benefits of cloud computing which include reduced capital expenses, high availability, agility, resiliency, and redundancy.

Cloud Security

When moving services and data to the Cloud, an organization must understand its security and compliance requirements, because security is a shared responsibility between the organization and the Cloud Service Provider, as described above. The user is responsible for security IN the cloud and the provider is responsible for security OF the cloud. How much of that responsibility falls on the user depends on the Cloud service being utilized. With Infrastructure-as-a-Service, the user is responsible for patching the operating systems as well as the applications. If the user moves to a Platform-as-a-Service offering, they are no longer responsible for maintaining and patching the Operating System.

Figure 1 graphically depicts the boundaries and ownership of security responsibilities.  Regardless of the services utilized, the user is always responsible for their data security.

Moving to the Cloud?

Is your organization looking to move to the Cloud?  Are you evaluating providers to find out what service will work best for your requirements?  If so, there are a few questions that should be clarified to make an informed decision before committing to a move.

  • What does the Cloud Service Provider offer for Identity and Access Management?
    • This includes identification, authentication, and authorization (including access management).
    • This is how you determine who can do what within your cloud platform or provider.
  • What security standards are supported by the Cloud Service Provider?
    • Payment Card Industry Data Security Standard (PCI DSS)
    • General Data Protection Regulation (GDPR)
    • Health Insurance Portability and Accountability Act (HIPAA/HITECH)
    • National Institute of Standards and Technology (NIST) SP 800-171
  • Where will your data be located?
    • Some regulatory requirements may dictate where the data is stored and processed.
  • What type of automation is offered by the Cloud Service Provider?
    • Automation aids in reducing human configuration errors.
  • Do you always “own” your data?
    • Can you encrypt, move, or destroy data at your discretion?
  • How does the Cloud Service Provider handle these five parts of the cybersecurity lifecycle?
    • Identify
    • Protect
    • Detect
    • Respond
    • Recover

Your Data/Your Responsibility

Don’t fall into an “out of sight, out of mind” mode about your data when you move to Cloud services. It’s your data, and the security of that data is, and always will be, your responsibility regardless of where it is stored or processed.

Cyber liability insurance is on the rise, and with it an expectation that measurable efforts are devoted to keeping information secure. Breaches can cause serious damage to your organization, not only financially but from a reputation standpoint as well.

SecurIT360 is an independent, vendor-agnostic Cybersecurity consulting firm.  

If you are interested in a complimentary strategy session, contact us here.
