Sector specific data protection and security requirements exist in many countries. For example, in Retail, Payment Card Industry Data Security Standard (PCI DSS) mandates specify the steps that organizations storing and processing payment card details need take to secure and protect sensitive information. Perspecsys’ Cloud Data Protection Gateway is used by leading organizations to achieve PCI DSS compliance while moving to the cloud.
PCI Data Security Standards (PCI DSS) are technical and operational requirements set by the PCI Security Standards Council (PCI SSC) to protect cardholder data. The Council is responsible for managing the security standards, while the payment card brands enforce compliance. The standards apply to all organizations that store, process or transmit cardholder data – with guidance for software developers and manufacturers of applications and devices used in those transactions.
All merchants that accept payment cards are required to be compliant with PCI DSS. The PCI DSS requirements (available at https://www.pcisecuritystandards.org/) consist of common sense steps that mirror security best practices.
Build and Maintain a Secure Network
Requirement 1: Install and maintain a firewall configuration to protect cardholder data
Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters
Protect Cardholder Data
Requirement 3: Protect stored cardholder data
Requirement 4: Encrypt transmission of cardholder data across open, public networks
Maintain a Vulnerability Management Program
Requirement 5: Use and regularly update anti-virus software
Requirement 6: Develop and maintain secure systems and applications
Implement Strong Access Control Measures
Requirement 7: Restrict access to cardholder data by business need-to-know
Requirement 8: Assign a unique ID to each person with computer access
Requirement 9: Restrict physical access to cardholder data
Regularly Monitor and Test Networks
Requirement 10: Track and monitor all access to network resources and cardholder data
Requirement 11: Regularly test security systems and processes
Maintain an Information Security Policy
Requirement 12: Maintain a policy that addresses information security
Steps 3 & 4 of the PCI DSS Requirements specify that cardholder data, including Primary Account Number (PAN), cardholder name, and expiration date need to be protected when it is being stored (data “at rest”) or during transmission across public networks (data “in flight”). When cardholder data is stored and processed in the cloud, companies need to ensure they are taking the proper steps to maintain compliance, which can be an extremely complex task.
Adding to the complexity of PCI cloud compliance is the fact that the latest version of PCI DSS does not provide detailed guidance on the concept of virtualization, in which the notions of multi-tenancy and shared responsibility are introduced. Perspecsys’ Cloud Data Protection Gateway is designed to help enterprises in this situation. Since the gateway enables companies to keep their sensitive cardholder information on-premise, they do not need to be concerned about the additional PCI compliance exposure that is introduced by the cloud. This is because the card-related information that is stored and processed in the cloud is either encrypted or tokenized and therefore is undecipherable and unusable if it is ever breached.
“Based on the Segregation of Duties security principle, key management should be separated from the cloud provider hosting the data. This provides the greatest protection both against external breach of the service provider as well as an attack originating from a privileged user/employee of the provider.”- Guidance ,
Perspecsys’ cloud solution advances the essential principles of Privacy by Design by enabling enterprises to automatically encrypt (decrypt) data locally and on-the-fly when using third-party cloud service applications.- Ann Cavoukian PH.D. ,
1750 Tysons Blvd, Suite 1500
Tysons Corner, VA 22102
+1 (703) 712-4752
71 Stevenson St, Suite 400
San Francisco, CA 94105
+1 (415) 655-6733
68 Lombard Street
London, EC3V 9LJ
+44 (207) 868-2037
5110 Creekbank Road
Mississauga, ON L4W 0A1
+1 (905) 282-0023