PCI DSS Compliance Assurance for Cloud Databases

Apr 22, 2021 / by SecureCloudDB

An overview of how SecureCloudDB provides PCI DSS compliance assurance for Cloud Databases and helps protect against breaches and theft of cardholder data.

Entities involved in payment card processing collect, transmit and store significant amounts of valuable information such as cardholder names, primary account numbers, authentication data and card expiration dates. This information is valuable to cybercriminals who buy and sell it on the dark web in order to carry out cyber attacks. 

Research shows that malicious attack is the largest contributing source of a data breach in the retail industry, comprising nearly 60% of breaches; human error and system glitches make up the rest. Once a retail business has been breached, it takes an average of 311 days before the breach is identified and contained.*

Compromised cardholder data affects the entire payment ecosystem. If this information gets into the wrong hands, unauthorized transactions can be made, identities can be stolen and customers can suffer immensely.  This also puts organizations at risk  - they may be subject to numerous financial liabilities such as legal costs, fines, penalties, and reduced stock value. Moreover, loss of customer confidence begets loss of business and some organizations never recover.  

 

Payment Card Industry Data Security Standard

To help prevent fraudulent activity and enhance global payment account data security, stakeholders from the payment card industry established the Payment Card Industry Data Security Standard (PCI DSS), which outlines in detail 12 requirements for securing cardholder data under six areas of focus: 

1. Build and Maintain a Secure Network and Systems
2. Protect Cardholder Data
3. Maintain a Vulnerability Management Program
4. Implement Strong Access Control Measures
5. Regularly Monitor and Test Networks
6. Maintain an Information Security Policy

According to the PCI Security Standards Council, “PCI Standards are for entities accepting or processing payment transactions, and for software developers and manufacturers of applications and devices used in those transactions.”

Stakeholders including Visa, MasterCard, American Express, Discover, UnionPay and JCB International integrate the PCI DSS technical and operational requirements into their data security compliance programs.  Each payment brand is responsible for monitoring and enforcing compliance — including non-compliance penalties — with the PCI DSS.

To maximize payment card data protection, security experts recommend that organizations  achieve and maintain compliance with the controls specified in the PCI DSS, which  addresses both  technical and operational system components. The key here is continuous assessment of compliance with the standard. It is not uncommon for forensic investigators to find that an organization has been breached because the organization had fallen out of compliance. 

Just because security controls may have passed an assessment last month, doesn't mean they would pass one today.  Compliance is not a one-time event. 

 

SecureCloudDB Helps Ensure Public Cloud Databases are PCI DSS Compliant

Organizations need to secure cardholder data when it is captured and where it is stored. In the cloud, this not only means protecting the network but also payment system databases that store and transmit payment card data.

SecureCloudDB supports the PCI Security Standards Council mission of enhancing global payment account data security by enforcing, or assisting in the enforcement of, the Requirements and sub controls that are within the scope of cloud database security within the PCI DSS compliance standard, version 3.2.1:

Build and Maintain a Secure Network and Systems


1: Install and maintain a firewall configuration to protect cardholder data.

SecureCloudDB assists with this control by showing cloud databases that have weak networking controls via network checks and alerts on configuration changes.

2: Do not use vendor-supplied defaults for system passwords and other security parameters.

SecureCloudDB configuration and security checks validate compliance with this requirement, and further alerts when default users are present and/or enabled.

Protect Cardholder Data


3: Protect stored cardholder data.

SecureCloudDB assists with this set of controls by helping ensure that underlying encryption at rest is in place.

4: Encrypt transmission of cardholder data across open, public networks.

SecureCloudDB enforces this control by requiring secure network configuration and correct use of TLS versions and cipher suites.

Maintain a Vulnerability Management Program


5: Protect all systems against malware and regularly update anti-virus software or programs.

Not applicable when managed systems are evaluated.

6: Develop and maintain secure systems and applications.

SecureCloudDB enforces this control with respect to covered databases.

Implement Strong Access Control Measures


7: Restrict access to cardholder data by business need to know.

Not applicable.

8: Identify and authenticate access to system components.

SecureCloudDB helps enforce this control for database assets, in part through Database Activity Monitoring.

9: Restrict physical access to cardholder data.

Not applicable to databases in the public cloud.

Regularly Monitor and Test Networks


10: Track and monitor all access to network resources and cardholder data.

SecureCloudDB helps compliance with this control through access and activity monitoring.

11: Regularly test security systems and processes.

SecureCloudDB assists in some aspects of compliance with these controls through access monitoring and security checks.

Maintain an Information Security Policy


12: Maintain a policy that addresses information security for all personnel.

Not applicable.

For additional insight on how SecureCloudDB assists with the subsections of each requirement, access PCI DSS SecureCloudDB Mapping now.

 

While maintaining payment data security is required for all entities that store, process or transmit cardholder data, organizations migrating to the public cloud or using managed databases in the cloud have different security management considerations that need to be taken into account versus organizations utilizing on premises databases. SecureCloudDB provides businesses with PCI DSS compliance assurance for cloud databases and helps protect against breaches and theft of cardholder data on an ongoing basis.

 

*IBM Security Cost of Data Breach Report 2020.

 

Tags: PCI

Written by SecureCloudDB