Any company working with payment cards should ensure that their ICT infrastructure is within the PCI DSS requirements. To do this on your own is quite difficult and expensive. It is much more profitable to put this responsibility on the shoulders of a service provider that already has experience of passing such certification.
In recent years, interest in professional cloud services has increased significantly. Experts attribute this to the economic situation in the country, sanctions, as well as increased customer maturity, who hope thus to optimize the costs of IT.
Dynamics of the Russian SaaS market, P billion
Source: J&P, 2015
“In our experience, the greatest interest in cloud services is shown by the credit-financial and insurance, trade and service, the media company”, – says Ivan Guzev, Director of IBS DataFort information security.
Attempts to transfer the information to the system provider are usually accompanied by some difficulties and limitations. Some of them are linked with the requirements of different kinds of normative documents in the field of information security: the Federal Law “On Personal Data”, the Federal Law “On the National Payment System”, the Bank of Russia STO BR IBBS, PCI DSS.
WHAT IS PCI DSS
PCI DSS – is Data Security Standard for the Payment Card Industry. The standard requirements are aimed at ensuring the confidentiality of data cards VISA and MasterCard international payment systems. They must comply with any organization that in its infrastructure processes, stores, or transmits payment card data (number, cardholder’s name, service number, card expiration date, CVV2 / CVC2 codes and PIN / PIN-block). Thus, they apply to the trade and service companies, online retailers, banks, payment gateways, processing centers, as well as service providers that provide services that affect the security of payment cards.
In the case of outsourcing any functions that work with the data of payment cards, in accordance with paragraph 12.8 of the PCIDSS standard each organization must ensure that the service provider meets a number of requirements. Thus, if the company uses the cloud service provider, it must include it in the area of self-check or find already certified contractor that will significantly reduce audit time and costs.
Requirements for PCI DSS outsourcing
With the development of services provided by service providers, areas of responsibility have increased and that clients can outsource within PCIDSS standard. Today, it is the physical security of the hardware, administration and security of network devices (firewalls, detection systems and intrusion prevention (IPS / IDS), anti-DDOS, etc.), virtual infrastructure security and administration of operating systems, applications and databases.
In modern PCI DSS standard there are 12 sections – categories of claims. Requirements of the first section are relating to firewall configuration to protect cardholder data. Cloud provider can take over the complete management of firewall systems and ensure maximum network security of customer’s payment card data. “As part of the DF Cloud service we implement firewalls, including by means of a certified FSTEC equipment”, – says Ivan Guzev.
In the second section requirements relate to changes in the system passwords and other security parameters of the default manufacturers software and firmware. This requirement cloud provider will be performing for customer systems that are in its area of responsibility. In particular, IBS DataFort this process is carried out only on the basis of procedures and regulations, passed certification according to ISO 27001.
The third section specifies the procedure for the protection of cardholder data. These requirements are largely borne by the customer. «IBS DataFort, for its part, offers data encryption during storage service that allows you to close part of the requirements of this section,” – says Ivan Guzev.
The fourth section defines the requirements to protect payment card data during transmission through the open communication channels. Cloud provider should provide data encryption beyond self-controlled infrastructure. “We offer our customers to use any dedicated data channels, or different versions of VPN traffic encryption when transmitting information via the Internet. Including possible use of certified means using Russian cryptographic algorithms (GOST VPN offer), “- commented in IBS DataFort.
The fifth section contains the requirements for anti-virus protection. In this case, the cloud provider can ensure the protection of client systems from viruses. IBS DataFort offers services in the form of several options for scanning for viruses different antivirus solutions, including national development, taking into account the requirements of the client’s corporate policy.
The sixth section deals with monitoring changes in infrastructure and the secure development of applications. Secure development of application is in the customer’s area of responsibility. In turn, IBS DataFort as part of a change management procedure provides control and pre-testing of all of the changes to the infrastructure. Procedures for the change of control are provided by ISO 20000 “IT Service Management” standard .
The seventh and eighth sections are about creating and modifying user accounts in the system to be certified by PCIDSS requirements. Usually, the data meets the requirements of the customer, but IBS DataFort uses specialized software packages that provide customers with a full range of services for the controlled creation, modification and deletion of the accounts in different systems.
The ninth section presents the requirements for ensuring the physical security of cardholder data. In this case, the cloud provider takes full responsibility for this area of the standard to the customer. “This requirement is closed for physical security measures to accommodate data center platform of services and relevant coaching service engineering personnel”, – says Ivan Guzev.
The tenth section of requirements refers to the control of all the events and information security incident reports. IBS DataFort provides continuous monitoring and logging of informational security infrastructure provided by the event, and also offers this service to its customers to monitor their information systems.
The eleventh section of requirements provides regular testing of the systems and processes to ensure information security. As a solution to close this part of requirements, IBS DataFort offers customers to conduct regular scans of infrastructure vulnerability and applications with certified methods.
The twelfth section is primarily concerned about documentary support. In the case with cloud provider, its actively-used proven procedures and regulations may be used by the customer when passing the audit. IBS DataFort has a complete set of necessary documents, which, in particular, are supported the successful certification according to ISO 27001.
Who is responsible for PCI DSS
“Clients must delineate responsibilities for the implementation of PCI DSS requirements between the organization and the cloud provider, documented this distinction in the form signed by a matrix of responsibility to implement the requirements of the standard,” – says Eugene Babitsky, Deputy General Director of Compliance Control.
It is within the matrix of professional liability that provider of cloud services (as opposed to a traditional data center provider) can take on virtually all requirements listed twelve points, starting with the physical placement of equipment and finishing administer operating systems and applications.
Typically, the matrix with the division of responsibility for each item of the PCI DSS is contained in the annex to the contract between the service provider and the customer. The application determines which standard items lie in the cloud provider’s area of responsibility, and enables customers to reduce their own effort to achieve compliance with the PCI DSS requirements. In the case of provision of professional cloud services, responsibility matrix is always included in the SLA for these services. IBS DataFort has a practice of creating SLA for execution of these requirements, including compensation in the event of a breach.
An audit from the cloud provider is different from the audit from the customer only by the fact that a cloud provider verifies the conformity of the infrastructure to not all the requirements of the standard, but only those applicable to the services it provides to its customers.
Only organization accredited by the Council PCI SSC (Payment Card Industry Security Standards Council) to work in a particular region can conduct the certification of cloud service providers. “For the cloud services providers, certification – is an opportunity to show their customers that they care about the security of their data not only in words, – says Ivan Guzev. – Also, it helps to assume part of the risk of clients in their own certification. “As a result of the use of certified cloud provider company can receive most of the infrastructure service model and thus reduce the level of complexity and the cost of its own audit, as part of the requirements would be met by the certification used by the service provider.
«In drawing up the matrix of responsibility is important to pay attention to which areas are included in the certification area of the cloud provider. You can verify this by requesting an official document from the provider Attestation of Compliance (AOC), which is an integral part of the certification by the PCI DSS, “- says Eugene Babitsky .
IBS DataFort company has the necessary experience to meet PCI DSS requirements of customers with professional cloud and related services, and taking into account the different composition area of responsibility placed upon us as a partner, our corporate clients. At the moment, IBS DataFort has implemented all necessary technical and organizational measures across the specified list of items and begins to PCI DSS certification process.
Thus, the possibility of transferring some functions to outsourcing service provider has been in the past, but the development of information technology and, as a result, of the service providers themselves, provided an opportunity to significantly expand the scope of transmission functions. Using the services of a service provider with experience certification, together with customers, as well as the necessary technical facilities and administrative regulations, reduces the labor, financial and time costs of preparing and passing the test for compliance with the PCI DSS requirements and ensures predictable results. And the consumption of services allows you to work on the operating model with monthly payment, without its own substantial investment in information security, as used efficiently investments already made by the service provider to provide a standard of service to many customers.