January 4, 2022

How to Meet PCI Compliance in Public Cloud

PCI isn't law, but you can't afford to ignore it if you store payment data. Here's what you need to know about meeting PCI Compliance.


PCI isn't law, but you can't afford to ignore it if you store payment data. Accept credit cards? You need this How To.

According to the 2021 Flexera State of the Cloud report, 75 percent of enterprise organizations list cloud compliance as a top challenge. With nearly every industry required to adhere to some form of regulation, it’s no surprise that meeting compliance is such a priority. In our last blog post, we outlined some challenges and suggestions on achieving HIPAA compliance in the cloud. We’ll continue that trend today by reviewing PCI compliance, especially in the public cloud.

Quick Recap: What is PCI?

The Payment Card Industry Data Security Standard, or PCI DSS (PCI for short), is a set of requirements created and enforced by the PCI Security Standards Council to ensure and enforce the security of credit card transactions. Anyone who accepts credit cards as a payment method must protect transaction information or risk fines for non-compliance. This includes vendors and third-party administrators that provide payment systems to merchants. The latest version of PCI is PCI DSS 3.2.1, released in May of 2018.

It’s important to remember that unlike HIPAA, PCI is not a federal law. That said, PCI is enforced in part by the Federal Trade Commission, which protects consumers from unfair, fraudulent or deceptive practices in the marketplace. The Security Standards Council also enforces PCI.

Meeting PCI Compliance

There are 12 required standards, 78 base requirements, and about 400 test procedures that comprise PCI regulations. (Easy peasy, huh?) Organizations must meet all requirements and have an Attestation of Compliance to be considered PCI compliant. The requirements address everything from creating and maintaining an information security policy to firewall configuration, data encryption, and correcting SSL/early TLS vulnerabilities in payment system connections.

PCI Compliance in Public Cloud

If you’re planning to use (or already use) a public cloud provider like Amazon, Google or Microsoft to process and store your financial data (plenty of companies do, like Capital One, or TD Bank Group), you’ll need to carefully consider how to architect your environment to meet compliance. Thankfully, PCI outlines very specific technologies and practices organizations must follow. So it’s a matter of following directions. (Other compliance standards, like HIPAA, are more vague and leave it up to the organization to implement how they see fit.)

Unlike a traditional MSP that can offer support and guidance to properly architect your software, applications, and networking (sometimes even taking on some of those responsibilities for you), public cloud support is more bare bones – you’re pretty much left to your own devices (excuse the pun), unless you can shell out thousands of dollars.

As with any compliance supported in the public cloud, PCI is a shared responsibility. That means that your provider (AWS, Azure, or Google, for example) is responsible for certain levels of the environment stack, and you are responsible for certain levels. The providers clearly outline exactly what they are responsible for and what you are responsible for. Still, it’s best practice to run your own audits and check with outside compliance experts to ensure you’re really doing everything correctly on your end.

You don’t want to be caught unaware when it’s time to audit your environment(s), so investing in outside resources to help is a must. If your cloud environment is managed by a hosting provider, ask what they’re doing on their end to ensure PCI compliance. A third-party tool such as Tenacity can scan your environment and identify vulnerabilities that could negatively affect your chances of receiving an Attestation of Compliance. Fixing these vulnerabilities and gaps before your audit can help ensure smooth sailing when it comes time for your scans. (To paraphrase an old axiom, “An ounce of Tenacity PCI compliance is worth a – well, you know.”)

What Have We Learned?

PCI DSS is a compliance standard that outlines specific technological guidelines to protect sensitive financial data used by banking and/or financial vendors. Organizations that want to use cloud computing (especially public cloud) for their financial applications can certainly do so and still meet PCI standards.

Just remember, using a public cloud provider who offers PCI-compliant infrastructure doesn’t automatically make you or your applications compliant. You’ll need to ensure your data, networking, ingress/egress transfers, and OS layers are all meeting PCI standards. Using a third-party tool such as Tenacity can help provide an extra pair of (virtual) eyes and ears on your environment to ensure you’re confidently meeting compliance before you begin an audit.

Fortunately, you’ve got a friend in the cloud compliance business. Check out TenacityCloud.com to learn more.
