Sector-specific data protection and security requirements exist in many countries. For example, in retail, the Payment Card Industry Data Security Standard (PCI DSS) specifies the steps that organizations storing and processing payment card details need to take to secure and protect sensitive information. PerspecSys’ Cloud Data Protection Gateway is used by leading organizations to achieve PCI DSS compliance while moving to the cloud.
PCI Data Security Standards (PCI DSS) are technical and operational requirements set by the PCI Security Standards Council (PCI SSC) to protect cardholder data. The Council is responsible for managing the security standards, while the payment card brands enforce compliance. The standards apply to all organizations that store, process or transmit cardholder data – with guidance for software developers and manufacturers of applications and devices used in those transactions.
All merchants that accept payment cards are required to be compliant with PCI DSS. The PCI DSS requirements (available at https://www.pcisecuritystandards.org/) consist of common-sense steps that mirror security best practices.
Build and Maintain a Secure Network
Requirement 1: Install and maintain a firewall configuration to protect cardholder data
Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters
Protect Cardholder Data
Requirement 3: Protect stored cardholder data
Requirement 4: Encrypt transmission of cardholder data across open, public networks
Maintain a Vulnerability Management Program
Requirement 5: Use and regularly update anti-virus software
Requirement 6: Develop and maintain secure systems and applications
Implement Strong Access Control Measures
Requirement 7: Restrict access to cardholder data by business need-to-know
Requirement 8: Assign a unique ID to each person with computer access
Requirement 9: Restrict physical access to cardholder data
Regularly Monitor and Test Networks
Requirement 10: Track and monitor all access to network resources and cardholder data
Requirement 11: Regularly test security systems and processes
Maintain an Information Security Policy
Requirement 12: Maintain a policy that addresses information security
Requirements 3 and 4 of PCI DSS specify that cardholder data, including the Primary Account Number (PAN), cardholder name, and expiration date, needs to be protected while it is stored (data “at rest”) and while it is transmitted across open, public networks (data “in flight”). When cardholder data is stored and processed in the cloud, companies must ensure they are taking the proper steps to maintain compliance, which can be an extremely complex task.
Adding to the complexity of PCI cloud compliance is the fact that the latest version of PCI DSS does not provide detailed guidance on virtualization, which introduces the notions of multi-tenancy and shared responsibility. PerspecSys’ Cloud Data Protection Gateway is designed to help enterprises in this situation. Because the gateway enables companies to keep their sensitive cardholder information on-premises, they do not need to be concerned about the additional PCI compliance exposure introduced by the cloud: the card-related information that is stored and processed in the cloud is either encrypted or tokenized, and is therefore undecipherable and unusable if it is ever breached.
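As an added illustration (not PerspecSys code), the following Python sketches the pattern the gateway relies on: an on-premises token vault maps each PAN to a format-preserving surrogate, and only the surrogate leaves for the cloud, so a breach of the cloud copy yields nothing usable. The PAN 4111111111111111 is a constructed, well-known test number; the in-memory vault, the record field names and the rule that tokens must fail the Luhn check are assumptions for this example.

```python
import secrets

def luhn_valid(number: str) -> bool:
    """Luhn check, used to validate a PAN before it is accepted for tokenization."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0

def mask_pan(pan: str) -> str:
    """Display masking per PCI DSS Requirement 3: at most first six and last four digits shown."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]

class TokenVault:
    """Constructed stand-in for the gateway's on-premises store: the only place
    where the PAN <-> token mapping exists. Nothing here is sent to the cloud."""
    def __init__(self) -> None:
        self._pan_to_token: dict[str, str] = {}
        self._token_to_pan: dict[str, str] = {}

    def tokenize(self, pan: str) -> str:
        if not pan.isdigit() or not 13 <= len(pan) <= 19 or not luhn_valid(pan):
            raise ValueError("not a well-formed PAN")
        if pan in self._pan_to_token:   # same PAN -> same token, so cloud records still match
            return self._pan_to_token[pan]
        while True:
            prefix = "".join(secrets.choice("0123456789") for _ in range(len(pan) - 4))
            token = prefix + pan[-4:]   # keep last four so "card ending in 1111" still works
            # A token must fail Luhn, so it can never equal or be mistaken for a real PAN.
            if not luhn_valid(token) and token not in self._token_to_pan:
                break
        self._pan_to_token[pan] = token
        self._token_to_pan[token] = pan
        return token

    def detokenize(self, token: str) -> str:
        """Only callable on-premises; the cloud side never holds this mapping."""
        return self._token_to_pan[token]

def gateway_outbound(record: dict, vault: TokenVault) -> dict:
    """What actually leaves the enterprise: the record with its PAN replaced by the token."""
    return {**record, "pan": vault.tokenize(record["pan"])}
```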
“Aberdeen’s research shows that by selecting and implementing security solutions that augment the current capabilities of the cloud solution providers, but remain under enterprise control, companies spend one-third less annually on a per-application basis — driven in part by better security and in part by more consistent and efficient operations. These findings align with the PerspecSys solution, which is designed to give enterprises an innovative new option for security by keeping their data out of the cloud and enabling them to control it within their own environment.” – Derek Brink,
“If the encryption vendor offers options for ‘function preserving encryption’ – for example, to preserve sort – regulations may require the use of standardized and approved algorithms or proof of independent certification for the potentially weakened encryption.” – Analyst,