For retailers and financial institutions, safeguarding payment card data in accordance with PCI DSS 3.0 (Payment Card Industry Data Security Standard) can be daunting. Yet data privacy and security is the leading cloud adoption concern. In our recent webinar, Safeguarding PCI Data in the Cloud, HOSTING teamed with partner Vormetric to discuss how organizations can proactively address PCI compliance in the cloud, protect intellectual property and comply with data privacy and system integrity regulations. Missed it? Following are some highlights. You can also view the webinar on-demand.
Top Cloud Security Concerns
Changing compliance regulations, combined with a rash of cyberattacks and data breaches, have organizations rethinking their cloud adoption plans. According to a recent study by 451 Research, the top security concerns with cloud computing include the following:
- Data Privacy and Security – 41%
- Access and Control – 35%
- Auditing and Compliance – 32%
- Control of Data – 26%
- Security Models/Toolsets – 18%
In order for organizations to have the confidence to migrate to the cloud, experienced managed cloud service providers must establish trust and controls that meet their security needs.
New data security requirements in PCI DSS 3.0
PCI DSS mandates that companies take appropriate steps to safeguard sensitive cardholder payment information. Of the 248 requirements that comprise PCI compliance, there are three to which organizations need to pay particular attention.
PCI DSS Requirement 3 – Protect stored cardholder data
In PCI DSS 3.0, organizations must address the following:
Restrict key access
While there are many technologies that can encrypt data, organizations need to have elements in place to store and secure the encryption keys.
Improve key management processes
Organizations need to have a process for handling the keys.
Strengthen key access controls with split knowledge
You don’t want the same person with database access to have key access as well. That access needs to be “split” among different people so that data remains protected, even if someone’s credentials are compromised.
Clarify the intent of “unrecoverable data”
Organizations must provide clarity around what data is recoverable, even after a record is deleted. Can it still be brought back in its original form? Or can it be digitally “shredded”?
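The split-knowledge control above is easiest to see in code. The following is an added illustration, not code from HOSTING, Vormetric or the webinar: a data-encryption key is generated as several random components, each key custodian holds exactly one, and the working key only exists when all components are combined. A short check value recorded at the key ceremony lets custodians confirm the reconstructed key without anyone seeing it. The check value here is a truncated SHA-256 tag, an assumption made so the example needs only the Python standard library (production key management typically uses an AES-based key check value instead).

```python
"""Split knowledge for a data-encryption key: components held by separate custodians.

Added illustration (not code from HOSTING, Vormetric, or the webinar). The key is
split into N components; any N-1 of them are statistically independent of the
key, so no single custodian (for example the DBA) can recover it alone.
"""
import hashlib
import hmac
import secrets
from typing import Dict, List

KEY_LEN = 32  # 256-bit data-encryption key


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def check_value(key: bytes) -> str:
    """Truncated SHA-256 of the key (assumption: stands in for an AES-based KCV).

    Safe to write on the key ceremony form; it does not reveal the key."""
    return hashlib.sha256(key).hexdigest()[:6]


def split_key(key: bytes, custodians: List[str]) -> Dict[str, bytes]:
    """Split `key` into len(custodians) components; all are needed to rebuild it.

    Components 1..n-1 are uniformly random; the last is the key XORed with all
    the others, so every proper subset of components is independent of the key."""
    if len(custodians) < 2:
        raise ValueError("split knowledge needs at least two custodians")
    if len(set(custodians)) != len(custodians):
        raise ValueError("custodian names must be unique")
    components = [secrets.token_bytes(len(key)) for _ in custodians[:-1]]
    last = key
    for component in components:
        last = xor_bytes(last, component)
    components.append(last)
    return dict(zip(custodians, components))


def combine_components(components: Dict[str, bytes], expected_kcv: str,
                       required: List[str]) -> bytes:
    """Rebuild the key from all required components and verify the check value.

    Raises PermissionError if any custodian's component is absent (dual control)
    and ValueError if the result does not match the recorded check value."""
    missing = [name for name in required if name not in components]
    if missing:
        raise PermissionError(f"missing key components from: {missing}")
    key = bytes(len(components[required[0]]))
    for name in required:
        key = xor_bytes(key, components[name])
    if not hmac.compare_digest(check_value(key), expected_kcv):
        raise ValueError("check value mismatch: a component is wrong or corrupted")
    return key


def demo() -> bool:
    """Key ceremony: generate, record the check value, split, later recombine."""
    key = secrets.token_bytes(KEY_LEN)
    kcv = check_value(key)
    custodians = ["dba-custodian", "security-custodian", "ops-custodian"]
    shares = split_key(key, custodians)
    # Each custodian stores only shares[<their name>]; the key itself is discarded.
    rebuilt = combine_components(shares, kcv, custodians)
    return rebuilt == key


if __name__ == "__main__":
    print("key reconstructed from all components:", demo())
```

The point of the design is the failure modes: `combine_components` refuses to run with a partial set of components, and a tampered or mistyped component is caught by the check value rather than silently producing a wrong key that would later "decrypt" cardholder data to garbage.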
PCI DSS Requirement 7 – Restrict access to cardholder data by business need to know
PCI DSS 3.0 requires the following:
New sub-controls to cover access needs for each user role
Organizations are required to restrict access to production data. No one really needs to access credit card information.
Additional focus on restricting privileged users to the least privileges necessary
This helps prevent malware and APTs from elevating access privileges to the root user.
PCI DSS Requirement 10 – Track and monitor all access to network resources and cardholder data
PCI DSS 3.0 requires:
- Clear definitions of controls
- New sub-controls to block the impersonation of administrator accounts
- Prevent the stopping and starting of audit logs – this stops an attacker from halting an audit log, carrying out malicious activity, then restarting the log afterwards
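Even where stopping the audit daemon cannot be prevented outright, the stop/start pattern described above should be detected from the logs that are shipped off the host. The following is an added example (not from the webinar) that scans constructed auditd-style `DAEMON_END`/`DAEMON_START` records, reports every stop, measures each coverage gap, and records the login UID (`auid`) responsible. The sample lines are constructed for this example and only approximate auditd's real record layout.

```python
"""Detect audit logging being stopped and restarted (PCI DSS Requirement 10).

Added example, not from the webinar. Input is auditd-style text; the sample
below is constructed. auid=4294967295 is auditd's "unset" login UID (boot-time
start), so a real user's auid on a DAEMON_END record is the interesting case.
"""
import re
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Iterable, List, Optional, Tuple

# Constructed sample shaped like auditd daemon records: audit(epoch.ms:serial).
SAMPLE_LOG = """\
type=DAEMON_START msg=audit(1700000000.101:1): op=start ver=3.0 format=enriched auid=4294967295 pid=812 uid=0 res=success
type=USER_LOGIN msg=audit(1700000400.250:57): pid=1432 uid=0 auid=1001 ses=4 msg='op=login acct="dbadmin" res=success'
type=DAEMON_END msg=audit(1700000450.500:58): op=terminate auid=1001 pid=812 uid=0 res=success
type=DAEMON_START msg=audit(1700001350.002:1): op=start ver=3.0 format=enriched auid=1001 pid=2210 uid=0 res=success
type=DAEMON_END msg=audit(1700003000.000:90): op=terminate auid=1001 pid=2210 uid=0 res=success
"""

RECORD_RE = re.compile(r"^type=(?P<type>\w+) msg=audit\((?P<ts>\d+\.\d+):\d+\):(?P<rest>.*)$")
AUID_RE = re.compile(r"\bauid=(\d+)")
UNSET_AUID = "4294967295"


@dataclass
class Finding:
    stopped_at: datetime
    restarted_at: Optional[datetime]   # None if logging is still down
    gap_seconds: Optional[float]       # None if logging is still down
    auid: str                          # login UID that stopped the daemon


def parse(lines: Iterable[str]) -> Iterable[Tuple[str, float, str]]:
    """Yield (record type, epoch seconds, remaining fields) for parseable lines."""
    for line in lines:
        m = RECORD_RE.match(line.strip())
        if m:
            yield m.group("type"), float(m.group("ts")), m.group("rest")


def audit_gaps(log_text: str) -> List[Finding]:
    """Pair each DAEMON_END with the next DAEMON_START and measure the gap."""
    findings: List[Finding] = []
    pending: Optional[Finding] = None
    for rtype, ts, rest in parse(log_text.splitlines()):
        when = datetime.fromtimestamp(ts, tz=timezone.utc)
        if rtype == "DAEMON_END":
            auid = AUID_RE.search(rest)
            pending = Finding(when, None, None, auid.group(1) if auid else "unknown")
            findings.append(pending)
        elif rtype == "DAEMON_START" and pending is not None:
            pending.restarted_at = when
            pending.gap_seconds = (when - pending.stopped_at).total_seconds()
            pending = None
    return findings


def alerts(findings: List[Finding]) -> List[str]:
    """One alert line per stop; an interactive auid or an open gap is called out."""
    out = []
    for f in findings:
        who = "system" if f.auid == UNSET_AUID else f"auid={f.auid}"
        if f.restarted_at is None:
            out.append(f"{f.stopped_at.isoformat()} audit stopped by {who}; NOT restarted")
        else:
            out.append(f"{f.stopped_at.isoformat()} audit stopped by {who}; "
                       f"gap {f.gap_seconds:.0f}s until {f.restarted_at.isoformat()}")
    return out


if __name__ == "__main__":
    for line in alerts(audit_gaps(SAMPLE_LOG)):
        print(line)
```

Every stop is reported, not just long gaps, because the control's intent is that the audit trail is never interrupted at all; the gap length and the `auid` simply tell the responder how much cardholder-data activity went unrecorded and whose session to investigate.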
Safeguarding PCI data through HOSTING PCI compliant hosting solutions
HOSTING PCI compliant hosting solutions help organizations keep pace with evolving data security and compliance mandates. A key component is the HOSTING Data Security Solution. It enables organizations to meet HIPAA/HITECH, PCI DSS, GLBA and SOX compliance requirements through the following security and reporting features.
- Systematic controls that prohibit unauthorized internal and external users from accessing sensitive data
- Capabilities for encrypting data, controlling access, and creating granular security intelligence logs
- Protection of databases, files, and big data across the entire organization
- Security intelligence logs that can accelerate detection of advanced persistent threats (APTs) and insider threats by offering visibility into file access or attempts to access protected data
The HOSTING Data Security Solution is available in a multi-tenant environment, completely managed by the HOSTING Compliance Team, or in a dedicated environment managed either solely by the customer or by HOSTING through Professional Services.
Safeguarding PCI data is an ongoing challenge for many organizations. HOSTING can help. View the on-demand webinar to learn more about our PCI compliant hosting solutions. And contact the HOSTING certified information security and compliance team anytime to discuss your specific needs.