presentation pci-dss compliance on the cloud
Post on 20-Jun-2015
PCI-DSS COMPLIANCE ON THE CLOUD
HOW TO OUTSOURCE PAYMENT DATA STORAGE ON THE CLOUD :
E-COMMERCE & M-COMMERCE
By Mr EL ALLOUSSI (@halloussi)
Dubai, December 2013
Summary
1. Cloud Computing: Definitions
2. e-commerce/m-commerce: An overview
3. The Payment Card Industry Data Security Standard (PCI DSS)
4. PCI DSS on Cloud: New challenges
Cloud Computing : Definitions
Definition of Cloud Computing (NIST)
A service which:
Maintains a pool of hardware resources to maximize service and minimize cost
Resource efficiency permits hardware refresh and migration of customer workloads
5 Essential Cloud Characteristics
1. On-demand self-service
2. Broad network access
3. Resource pooling (location independence)
4. Rapid elasticity
5. Measured service
3 Cloud Service Models
1. Cloud Software as a Service (SaaS): use the provider’s applications over a network
2. Cloud Platform as a Service (PaaS): deploy customer-created applications to a cloud
3. Cloud Infrastructure as a Service (IaaS): rent processing, storage, network capacity, and other fundamental computing resources
4 Cloud Deployment Models
Private cloud: enterprise owned or leased
Community cloud: shared infrastructure for a specific community
Public cloud: sold to the public, mega-scale infrastructure
Hybrid cloud: composition of two or more clouds
e-commerce/m-commerce: An overview
Definition of e-commerce/m-commerce
E-commerce (electronic commerce) is the buying and selling of products or services via the web, the Internet or other computer networks. M-commerce (mobile commerce) is the buying of products or services via a mobile device such as a smartphone or PDA.
Type of e-Commerce
Business to Consumer (B2C): this is where the seller is a business organization and the buyer is a consumer.
Business to Business (B2B): this is where the seller and the buyer are both a business organization.
Consumer to Consumer (C2C): this is where the seller is a consumer and the buyer is a consumer.
Consumer to Business (C2B): this is where the consumer names a price they are willing to pay for a requirement, and business organizations decide whether to meet the requirement for that price. Because this is consumer driven rather than seller driven, it is a C2B model.
Card payment: The stakeholders
Card holder: a person holding a payment card (the consumer in B2C).
Merchant: the business organization selling the goods and services (the merchant sets up a contract, known as a merchant account, with an acquirer).
Service provider: this could be the merchant itself (Merchant service provider (MSP)) or an independent sales organization providing some or all of the payment services for the merchant.
Acquirer or acquiring bank: this connects to a card brand network for payment processing and also has a contract for payment services with a merchant.
Issuing bank: this entity issues the payment cards to the payment card holders.
Card brand: this is a payment system (called association network) with its own processors and acquirers (such as Visa, MasterCard or CMI card in Morocco).
The Payment Card Industry Data Security Standard (PCI DSS)
Why is PCI Here?
Criminals need money. Credit cards = MONEY.
Where are the most cards? In computers.
Data theft grows and reaches HUGE volume.
Some organizations still don’t care… especially if the loss is not theirs.
PAYMENT CARD BRANDS ENFORCE DSS!
PCI DSS requirements
Activities describing the requirements:
Build and maintain a secure network.
1. Install and maintain a firewall configuration to protect data; this includes firewalls on client devices.
2. Do not use vendor-supplied defaults for system passwords and other security parameters.
Protect cardholder data.
3. Protect stored cardholder data.
4. Encrypt transmission of cardholder data and sensitive information across open, public networks.
Maintain a vulnerability management program.
5. Use and regularly update antivirus software.
6. Develop and maintain secure systems and applications.
Implement strong access control measures.
7. Restrict access to data by business need-to-know.
8. Assign a unique ID to each person with computer access.
9. Restrict access to cardholder data.
Regularly monitor and test networks.
10. Track and monitor all access to network resources and cardholder data.
11. Regularly test security systems and processes.
Maintain an information security policy.
12. Maintain a policy that addresses information security.
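Requirement 3 (protect stored cardholder data) is met in application code by masking, truncating or tokenizing the PAN rather than keeping it in clear, and the audit trail demanded by requirement 10 must not itself become a store of full PANs. The Python script below is an added example and not part of the original presentation: it masks a PAN for display (PCI DSS permits at most the first six and last four digits to be shown), truncates it for storage, derives a keyed hash so records can be matched on the same card without storing the PAN, and scans log lines for Luhn-valid digit runs so that an unmasked PAN can be found and redacted. The test number 4111111111111111, the log lines and the key are constructed inputs for the example.

```python
import hashlib
import hmac
import re

# Constructed inputs for this example. 4111111111111111 is a well-known
# Luhn-valid test number, not a real account; the log lines are made up.
SAMPLE_PAN = "4111111111111111"
SAMPLE_LOG = [
    "2013-12-01T10:00:00Z checkout order=1042 pan=4111111111111111 amount=49.90",
    "2013-12-01T10:00:01Z checkout order=1043 pan=411111******1111 amount=12.00",
    "2013-12-01T10:00:02Z session id=1234567890123456 user=alice",
]


def luhn_ok(digits: str) -> bool:
    """True if the digit string passes the Luhn check-digit test used by PANs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Display form: first six and last four digits at most, the rest replaced by '*'."""
    if not (13 <= len(pan) <= 19 and pan.isdigit()):
        raise ValueError("not a PAN-shaped value")
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def truncate_pan(pan: str) -> str:
    """Storage form when the full PAN is not needed: keep only the last four digits."""
    return pan[-4:]


def pan_token(pan: str, key: bytes) -> str:
    """Keyed hash (HMAC-SHA256) that lets records be matched on the same card
    without storing the PAN. An unkeyed hash would not do: the PAN space is small
    enough to brute-force, so the key must live outside the data store."""
    return hmac.new(key, pan.encode(), hashlib.sha256).hexdigest()


# 13 to 19 digits, optionally separated by single spaces or hyphens,
# and not adjacent to further digits.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def _digits(match_text: str) -> str:
    return re.sub(r"[ -]", "", match_text)


def find_unmasked_pans(text: str) -> list:
    """Return digit runs in text that are PAN-shaped and Luhn-valid.
    The Luhn check drops most session ids and timestamps that merely look long."""
    hits = []
    for m in PAN_RE.finditer(text):
        d = _digits(m.group())
        if 13 <= len(d) <= 19 and luhn_ok(d):
            hits.append(d)
    return hits


def redact(text: str) -> str:
    """Replace every detected PAN in text with its masked form."""
    def _sub(m):
        d = _digits(m.group())
        if 13 <= len(d) <= 19 and luhn_ok(d):
            return mask_pan(d)
        return m.group()
    return PAN_RE.sub(_sub, text)


def scan_log(lines: list) -> list:
    """Return (line_number, [pans]) for every line that leaks an unmasked PAN."""
    findings = []
    for n, line in enumerate(lines, start=1):
        hits = find_unmasked_pans(line)
        if hits:
            findings.append((n, hits))
    return findings


if __name__ == "__main__":
    print("masked:   ", mask_pan(SAMPLE_PAN))
    print("truncated:", truncate_pan(SAMPLE_PAN))
    print("token:    ", pan_token(SAMPLE_PAN, b"example-key-held-in-a-kms-not-here"))
    for n, pans in scan_log(SAMPLE_LOG):
        print("line %d leaks %s -> %s" % (n, pans, redact(SAMPLE_LOG[n - 1])))
```

Only the first log line is reported: the second already carries a masked PAN, and the 16-digit session id on the third fails the Luhn check, which is what keeps a scanner like this from flooding a SOC with false positives. Redaction at log-collection time is a stopgap; the durable fix is to remove the PAN from the code path that emits the line.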
PCI DSS on Cloud: New challenges
PCI DSS Cloud Computing Guidelines (2013)
The responsibilities delineated between the client and the Cloud Service Provider (CSP) for managing PCI DSS controls are influenced by a number of variables, including:
The purpose for which the client is using the cloud service
The scope of PCI DSS requirements that the client is outsourcing to the CSP
The services and system components that the CSP has validated within its own operations
The service option that the client has selected to engage the CSP (IaaS, PaaS or SaaS)
The scope of any additional services the CSP is providing to proactively manage the client’s compliance (for example, additional managed security services)
PCI DSS Cloud Computing Guidelines (2013)
Define Responsibilities such as in the following example:
CSA Cloud Controls Matrix
Controls derived from guidance
Mapped to familiar frameworks: ISO 27001, COBIT, PCI, HIPAA
Rated as applicable to SaaS/PaaS/IaaS
Customer vs Provider role
Help bridge the “cloud gap” for IT & IT auditors
https://cloudsecurityalliance.org/research/projects/cloud-controls-matrix-ccm/
CSA Cloud Controls Matrix
The Cloud Security Alliance Cloud Controls Matrix (CCM) provides a controls framework in 13 domains aligned with industry-accepted security standards, regulations, and controls frameworks such as: ISO 27001/27002, ISACA COBIT, PCI DSS, NIST, BITS, GAPP, HIPAA/HITECH, Jericho Forum, NERC CIP
CSA Cloud Controls Matrix
Cloud Controls Matrix domains include: Compliance, Data Governance, Facility Security, Human Resource Security, Information Security, Legal, Operations Management, Risk Management, Release Management, Resiliency, Security Architecture
Example: Requirement 12.8
Q: Does PCI DSS apply to merchants who use payment gateways to process transactions on their behalf, and thus never store, process or transmit cardholder data?
A: PCI DSS requirements are applicable if a Primary Account Number (PAN) is stored, processed, or transmitted. If PAN is not stored, processed, or transmitted, PCI DSS requirements do not apply.
… however …
Example: Requirement 12.8
“If the merchant shares cardholder data with a … service provider, the merchant must ensure that
there is an agreement with that …service provider that includes their acknowledgement
that the third party processor/service provider is responsible for the security of
the cardholder data it possesses.
In lieu of a direct agreement, the merchant must obtain evidence of the … provider's
compliance with PCI DSS via other means, such as via a letter of attestation.”
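The merchant’s side of requirement 12.8 is a register of the third parties it shares cardholder data with and, for each, the evidence held: an agreement in which the provider acknowledges responsibility for the cardholder data it possesses, or, failing that, evidence of the provider’s own compliance such as a letter of attestation. The Python below is an added example, not from the presentation or from the PCI SSC: it reviews such a register and reports providers for which neither form of evidence is on file or whose attestation is older than a configurable age (365 days here, this example’s own parameter for the annual check of provider compliance status). It also applies the scoping answer above, skipping providers that never receive a PAN. Provider names, field names and dates are constructed.

```python
from datetime import date

# Constructed register of third parties of the kind a merchant keeps for
# requirement 12.8. Names, field names and dates are made up for this example.
PROVIDERS = [
    # Gateway with a written agreement that acknowledges responsibility for CHD.
    {"name": "gateway-a", "handles_chd": True,
     "agreement_acknowledges_responsibility": True, "attestation_date": None},
    # Hosting provider relying on a letter of attestation that is now old.
    {"name": "hosting-b", "handles_chd": True,
     "agreement_acknowledges_responsibility": False, "attestation_date": date(2012, 6, 1)},
    # Hosting provider with neither form of evidence.
    {"name": "hosting-c", "handles_chd": True,
     "agreement_acknowledges_responsibility": False, "attestation_date": None},
    # Hosting provider with a recent attestation.
    {"name": "hosting-d", "handles_chd": True,
     "agreement_acknowledges_responsibility": False, "attestation_date": date(2013, 9, 1)},
    # Analytics vendor that never receives a PAN: out of scope for this check.
    {"name": "analytics-e", "handles_chd": False,
     "agreement_acknowledges_responsibility": False, "attestation_date": None},
]

# Review date used by the stand-alone run and the checks below (constructed).
AS_OF = date(2013, 12, 1)


def in_scope_providers(providers):
    """Names of providers that belong in the 12.8 register at all:
    only those with which cardholder data is actually shared."""
    return [p["name"] for p in providers if p["handles_chd"]]


def review_providers(providers, today, max_age_days=365):
    """Return (name, reason) for each provider that receives cardholder data but
    has neither an acknowledging agreement nor a sufficiently recent attestation.
    max_age_days is this example's parameter for how old an attestation may be."""
    gaps = []
    for p in providers:
        if not p["handles_chd"]:
            continue                      # no PAN shared: nothing to evidence
        if p["agreement_acknowledges_responsibility"]:
            continue                      # direct agreement satisfies 12.8
        att = p["attestation_date"]
        if att is None:
            gaps.append((p["name"], "no agreement and no attestation on file"))
        else:
            age = (today - att).days
            if age > max_age_days:
                gaps.append((p["name"], "attestation is %d days old" % age))
    return gaps


if __name__ == "__main__":
    print("in scope:", ", ".join(in_scope_providers(PROVIDERS)))
    for name, reason in review_providers(PROVIDERS, AS_OF):
        print("GAP %-12s %s" % (name, reason))
```

Run as of 1 December 2013 the review flags hosting-b (stale attestation) and hosting-c (no evidence at all), while gateway-a passes on its agreement, hosting-d on a recent attestation, and analytics-e is not examined because no PAN reaches it.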
Example: Amazon / Requirement 9
Q: “Do QSAs for Level 1 merchants require a physical walkthrough of a service provider’s data center?
A: No. A merchant can obtain certification without a physical walkthrough of a service provider’s data center if the service provider is a Level 1 validated service provider (such as AWS). A merchant’s QSA can rely on the work performed by our QSA, which included an extensive review of the physical security of our data centers.”
PCI SSC on Cloud Challenges
“The distributed architectures of cloud environments add layers of technology and complexity to the environment.
Public cloud environments are designed to be public-facing, to allow access into the environment from anywhere on the Internet.
The infrastructure is by nature dynamic, and boundaries between tenant environments can be fluid.
The hosted entity has limited or no visibility into the underlying infrastructure and related security controls.
The hosted entity has limited or no oversight or control over cardholder data storage.
The hosted entity has no knowledge of “who” they are sharing resources with, or the potential risks their hosted neighbors may be introducing to the host system, data stores, or other resources shared across a multi-tenant environment”
Questions?
THANK YOU @halloussi
fr.slideshare.net/alloussi