Across all the industries that must maintain compliance with data privacy regulations, a common complaint is the tendency of regulations (and regulators) to lag behind new technological developments. HIPAA and PCI DSS have been called out as being problematically vague, particularly when it comes to the cloud.
If you ask most folks in business IT to finish the sentence “PCI compliance is _____”, the single most unironic and demonstrative answer you’d probably get would be “hard.”
– “Where PCI Compliance Fails…”, InfoWorld
But it doesn’t have to be hard. The newest version of PCI DSS, PCI DSS 3.0, adds some clarifications that may make PCI cloud security and compliance requirements clearer and more accessible — if you know where to look. Here are some highlights.
Encryption key management looks to play a stronger role in PCI cloud security. Changes to Requirement 3.5 “clarified that key management procedures have to be both implemented and documented,” according to the official summary of changes in PCI DSS 3.0. Organizations must “restrict access to cryptographic keys to the fewest number of custodians necessary” (Requirement 3.5.1) and “store cryptographic keys in the fewest possible locations” (Requirement 3.5.3). This sharpened focus on the security of the keys themselves validates CipherCloud’s approach to encryption key storage. CipherCloud customers keep exclusive access to their encryption keys so that they can maintain full control over the encryption and decryption of their cardholder data.
Alongside encryption key access control, PAN and cardholder data access control will also play a stronger role in PCI cloud security, thanks to PCI DSS 3.0. Requirement 7.1 advises that “the more people who have access to cardholder data, the more risk there is that a user’s account will be used maliciously.” To address that, the new Requirement 7.1.1 specifies that organizations define system component and data resource access needs based on job function. Requirement 7.1.1 also mandates the definition of privilege levels. Requirement 7.1.2, meanwhile, states that companies should “restrict access to privileged user IDs to least number of privileges necessary to perform job responsibilities.” This is another validation of CipherCloud’s approach, which enables granular control over users’ access and privileges.
The additions and clarifications to PCI DSS 3.0 will help organizations maximize their PCI cloud security and compliance — if organizations can implement compliance measures effectively. To assist in that, PCI DSS 3.0 includes a new section, “Implementing PCI DSS into Business-as-Usual Processes.” Among the guidance included in this section, one of the most important pieces of advice is PCI DSS’s recommendation that businesses implement ongoing monitoring of security controls like antivirus and access limits to “ensure they are operating effectively and as intended.” As we’ve discussed in this space before, visibility and continuous monitoring of user and data activity in the cloud are critical to maintaining compliance. That’s why CipherCloud offers granular, real-time visibility and reporting tools. You can’t control what you aren’t aware of.
PCI DSS 3.0 brings PCI cloud security into sharper focus and provides clearer guidance than ever before to companies that must protect PAN and cardholder data while using the cloud. What other PCI DSS changes do you think will affect cloud users in the years to come? Tell us your thoughts in the comments.