David Jenkins (QSA, CISA), Director of PCI and Payment Services
PCI and the Cloud: where is my Atlas

Agenda
  About Cognosec
  PCI DSS 3.0 and CSPs
  SLA considerations
  Technical considerations
  Auditing

About Cognosec GmbH
  IT, security and compliance specialist based in Vienna
  Services in information security, governance, enterprise risk management, compliance, audit and assurance
  Clients throughout Europe, the Middle East, Africa and the United States
  Qualified Security Assessor (QSA) company for Europe and CEMEA
  Approved Scanning Vendor (ASV) company for Europe and CEMEA
PCI Security Standards and Compliance: ecosystem of payment devices, applications, infrastructure and users
  Manufacturers & Service Providers: PCI P2PE and PTS (PIN and PAN)
  Software Developers: PCI PA-DSS (Payment Application Vendors)
  Merchants and Processors: PCI DSS (Data Security Standard)
  Assessment programmes: Pen Testing*, QIR (Qualified Incident Response), PFI (PCI Forensic Investigator), ASV (Approved Scanning Vendor)

PCI and the Cloud
  More flexibility at the front end of the payment chain (multi-channel, Twitter etc.)
  More complexity on the back end; the P2PE standard is a good example

PCI and the Cloud
  52-page white paper referring to the 70-page NIST Guidelines on Security and Privacy in Public Cloud Computing (SP 800-144)
  Leads on from the PCI DSS Virtualisation guidance
  Note the fine print
Service Level Agreements Technical considerations
PCI DSS 3.0 Service Level Agreements
  12.8 Maintain and implement policies and procedures to manage service providers with whom cardholder data is shared, or that could affect the security of cardholder data, as follows:
  12.8.1 Maintain a list of service providers.

Considerations for you: nested service-provider relationships?
  These relationships will add complexity to both the CSP's and the client's PCI DSS assessment process.
  Look to the P2PE standard for good examples of behind-the-scenes complexity.

PCI DSS 3.0 Service Level Agreements
  12.8.2 Maintain a written agreement that includes an acknowledgement that the service providers will maintain all applicable PCI DSS requirements to the extent the service provider handles, has access to, or otherwise stores, processes, or transmits the customer's cardholder data or sensitive authentication data, or manages the customer's cardholder data environment on behalf of a customer.

PCI DSS 3.0 Service Level Agreements
  12.8.3 Ensure there is an established process for engaging service providers, including proper due diligence prior to engagement.

Considerations for you: your due-diligence process prior to engaging the CSP
  The provider's history in performing the services you require
  Identifying potential risks or circumstances associated with the CSP
  A deep dive into the service elements that need to be included in contracts and SLAs

PCI DSS 3.0 Service Level Agreements
  12.8.4 Maintain a program to monitor service providers' PCI DSS compliance status at least annually.

Considerations for you:
  How long has the CSP been PCI DSS compliant?
  What specific services and PCI DSS requirements were included in the validation?
  Are there any system components that the CSP relies on for delivery of the service that were not included in the PCI DSS validation?
  How does the CSP ensure that clients using the PCI DSS compliant service cannot introduce non-compliant components to the environment or bypass any PCI DSS controls?

PCI DSS 3.0 Service Level Agreements
  12.8.5 Maintain information about which PCI DSS requirements are managed by each service provider, and which are managed by the entity.

Considerations for you:
  Provisioning: SLAs and other written agreements between the CSP and client should clearly identify the delineation of responsibilities between the parties.
  Decommissioning and disposal: written agreements should also cover activities and assurances to be provided by both parties upon termination of the service provision, with clear requirements for data retention, storage and secure disposal.

PCI DSS 3.0 Service Level Agreements
  12.9 Additional requirement for service providers: Service providers acknowledge in writing to customers that they will maintain all applicable PCI DSS requirements to the extent the service provider handles, has access to, or otherwise stores, processes, or transmits the customer's cardholder data or sensitive authentication data, or manages the customer's cardholder data environment on behalf of a customer.
  Note: This requirement is a best practice until June 30, 2015, after which it becomes a requirement.

Responsibilities
  Client: Generally each client will retain responsibility for maintaining and verifying the requirement.
  CSP: Generally the CSP will maintain and verify the requirement for their clients.
  Both: Generally responsibility is shared between the client and the CSP. This may be because the requirement applies to elements present in both the client environment and the CSP-managed environment, or because both parties need to be involved in the management of a particular control.
Service Level Agreements Technical considerations
Technical Considerations
  Protection methods such as hashing and encryption
  Encrypting transmission over networks
  Securing systems and applications (coding)
  Restricting access to data
  Assigning unique accountability
  Tracking and monitoring access

Technical Considerations
  Encrypted data is still in scope for PCI DSS.
  Plan to keep all encryption/decryption and key-management operations isolated from the cloud: "...if decryption keys and encrypted data are present, all applicable PCI DSS requirements would apply to that environment..."

Technical Considerations
  "Isolation may be required at the network, operating system, and application layers; and most importantly, there should be guaranteed isolation of data that is stored."
  "Segmentation on a cloud-computing infrastructure must provide an equivalent level of isolation as that achievable through physical network separation."
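Added example, not from the presentation or the PCI SSC guidance: a small Python scoping helper that encodes the three rules stated on these slides (encrypted cardholder data stays in scope; keys and ciphertext in one environment pull the whole environment in; segments without isolation equivalent to physical separation are in scope) and runs them over a constructed inventory, once with key management co-located in the CSP and once with it moved to an isolated zone. The component model, segment names and inventory are assumptions made for the example.

```python
from dataclasses import dataclass


@dataclass
class Component:
    name: str
    segment: str
    holds_chd: bool = False   # stores, processes or transmits CHD (even if encrypted)
    holds_keys: bool = False  # holds keys able to decrypt that CHD


def pci_scope(components, isolated_segments):
    """Return the set of component names in PCI DSS scope.

    isolated_segments: names of segments whose segmentation from the rest
    of the estate is equivalent to physical network separation.
    """
    by_seg = {}
    for c in components:
        by_seg.setdefault(c.segment, []).append(c)
    in_scope = set()
    for comps in by_seg.values():
        # Rule 1: encrypted CHD is still CHD, and key custody is in scope too.
        in_scope.update(c.name for c in comps if c.holds_chd or c.holds_keys)
        # Rule 2: keys and ciphertext in one environment -> whole environment.
        if any(c.holds_chd for c in comps) and any(c.holds_keys for c in comps):
            in_scope.update(c.name for c in comps)
    # Rule 3: a segment not isolated from the in-scope ones is in scope itself.
    scoped_segments = {c.segment for c in components if c.name in in_scope}
    if scoped_segments:
        for seg, comps in by_seg.items():
            if seg not in isolated_segments and seg not in scoped_segments:
                in_scope.update(c.name for c in comps)
    return in_scope


# Constructed inventory: keys co-located with encrypted data at the CSP.
COLOCATED = [
    Component("web-frontend", "cloud-app", holds_chd=True),
    Component("orders-db", "cloud-app", holds_chd=True),    # encrypted PAN
    Component("key-service", "cloud-app", holds_keys=True),
    Component("metrics-agent", "cloud-app"),                # no CHD, no keys
    Component("hr-fileserver", "corp-lan"),                 # flat network, not isolated
    Component("dev-sandbox", "dev"),
]
# Same estate with key management moved to an isolated environment.
ISOLATED_KEYS = [c for c in COLOCATED if c.name != "key-service"] + [
    Component("key-service", "hsm-zone", holds_keys=True),
]

if __name__ == "__main__":
    print("co-located keys:", sorted(pci_scope(COLOCATED, {"dev"})))
    print("isolated keys:  ", sorted(pci_scope(ISOLATED_KEYS, {"dev", "hsm-zone"})))
```

Moving the keys out of the CSP environment takes metrics-agent out of scope, while the flat corporate LAN stays in scope until it is segmented.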
Auditing a PCI DSS compliant CSP
  Proof of compliance documentation (AOC/ROC), including the date of compliance
  Documented evidence of system components and services that were included in the PCI DSS assessment
  Documented evidence of system components and services that were excluded from the PCI DSS assessment, as applicable to the service
  Appropriate contract language

Non-PCI-compliant CSP
  Access to systems, facilities, and appropriate personnel for on-site reviews, interviews, physical walk-throughs, etc.
  Policies and procedures, process documentation, configuration standards, training records, incident response plans, etc.
  Evidence (such as configurations, screenshots, process reviews, etc.) to show that all applicable PCI DSS requirements are being met for the in-scope system components
  Appropriate contract language

Summary
  Policies, SLAs
  Roadmap to provisioning
  Technical considerations
  Meeting the intent of the Standard

David Jenkins (QSA, CISA), Director of PCI and Payment Services
+43 664 8836 4846
david.jenkins@cognosec.com