PCI SSC and CSA push for businesses to properly scope cloud environments
In order to highlight the importance of properly scoping cloud environments, PCI Security Standards Council (PCI SSC) and the Cloud Security Alliance (CSA) have come together to release a joint bulletin.
According to the pair, the use of cloud computing services has accelerated in recent years and is projected to continue expanding in the future. Along with this increased use has come increased concern about security.
At a high level, scoping involves the identification of people, processes, and technologies that interact with or could otherwise impact the security of payment data or systems.
When utilising cloud security for payments, this responsibility is typically shared between the cloud customer and the cloud service provider.
Data breach investigation reports continue to find that organisations suffering compromises involving payment data were unaware that cardholder data was present on the compromised systems.
According to PCI SSC and CSA, poper scoping should be a critical and ongoing activity for organisations to ensure they are aware of where their payment data is located and that the necessary security controls are in place to protect that data.
Improper scoping can result in vulnerabilities being unidentified and unaddressed, which criminals can exploit. Knowing exactly where payment data is located within systems will empower organisations to develop a game plan to protect that data, the companies state.
According to the bulletin, organisations that outsource payment services to CSPs often rely on the CSP to securely store, process, or transmit cardholder data on their behalf, or to manage components of the entity’s payment data environment.
CSPs can become an integral part of the organisation's payment data environment and directly impact the security of that environment.
For too many organisations, bringing in a third party CSP for payment security services is seen as the only step necessary to securing payment data.
Furthermore, the use of a CSP for payment security related services does not relieve an organisation of ultimate responsibility for its own security obligations, or for ensuring that its payment data and payment environment are secure.
As such, PCI SSC and CSA state that clear policies and procedures should be established between the organisation and its CSP for all applicable security requirements, and measures developed to manage and report on security requirements.
Limiting exposure to payment data reduces the chance of being a target for criminals.
According to the bulletin, some important best practices areas of focus should be:
Data protection: Assure that information is protected by maximising use of strong cryptography and key management practices, tokenisation, and masking where feasible and employing robust data loss prevention solutions.
Authentication: Assure that strong multi-factor authentication is pervasive to protect against common attacks against the credentials of consumers, merchants, and service providers.
Systems management: Recent high-profile breaches have pointed to weaknesses in how responsible parties perform routine systems management functions, such as patch management, verification of code updates and configuration management.
DevOps and DevSecOps: Software supply chains are important areas of exposure for malicious attackers and merchants should understand the original source of all components of the payment solution.
Data governance: With global nature of cloud, assure that information stays within the appropriate jurisdiction boundaries and is accessed by stakeholders with legitimate needs.
Resiliency: Assure that service providers take advantage of clouds nearly unlimited capabilities to provide redundancy for application availability and data backups.