The Benefits of PCI Compliance for Cloud Security (even when you don’t store card data)

Roughly 56% of organisations have difficulty finding the necessary skills to protect their cloud infrastructure. This is according to a CheckPoint report that also claims 57% of organisations find it challenging to implement security measures that would keep them in line with policy and regulatory requirements. 

These (and other) challenges are exacerbated by the fact that more than 90% of organisations use some form of cloud-based infrastructure, with multi-cloud deployments (cloud servers or other infrastructure from different cloud service providers) among the most popular deployment models, leaving organisations exposed on multiple fronts. Although not a panacea for the skills or security challenges organisations may face, implementing PCI DSS compliance in a cloud environment can provide a predictable framework for cyber security that can ease the burden of compliance with policy and regulatory requirements. 

What is PCI DSS?

PCI DSS, or the Payment Card Industry Data Security Standard, is a collection of security guidelines formulated to ensure a secure environment for companies involved in handling credit card information, whether they accept, process, store, or transmit it. This standard pertains to a broad spectrum of entities, including but not limited to merchants, processors, issuers, acquirers, and service providers.

The most recent iteration of PCI DSS was unveiled on March 31st, 2022. While the transition from PCI DSS 3.2.1 spans from March 31st, 2022 to March 31st, 2024, it’s important to note that the majority of the 63 new stipulations will only become effective on March 31st, 2025, even though some parts of PCI DSS v4 are already in effect.

For achieving PCI DSS compliance, entities must adhere to 12 key requirements that fall under 6 main objectives:

1. Construct and Uphold a Secure Network and Systems:
   • Initiate and consistently uphold a firewall to safeguard cardholder data.
   • Refrain from using default settings for system passwords and other security facets provided by vendors.
2. Safeguard Cardholder Data:
   • Preserve the security of stored cardholder data.
   • Ensure the encryption of cardholder data when transmitting across public, unsecured networks.
3. Establish a Vulnerability Management Program:
   • Shield all systems from malware and routinely refresh antivirus tools and software.
   • Cultivate and sustain secure systems and software applications.
4. Adopt Robust Access Control Measures:
   • Limit access to cardholder data based solely on business necessities.
   • Define and validate access permissions for system elements.
   • Confine physical admittance to cardholder data.
5. Consistently Monitor and Examine Networks:
   • Document and supervise all interactions with network resources and cardholder data.
   • Conduct frequent assessments of security mechanisms and protocols.
6. Develop an Information Security Protocol:
   • Foster a policy centred around information security for the entire workforce.

Benefits of PCI Compliance in the Cloud

While the primary focus of PCI DSS is to secure cardholder data, the rigorous security controls it advocates can significantly elevate an organisation’s overall security posture in the cloud, even when no card data is handled. 

Here’s how working toward PCI compliance can enhance your security and protect your cloud servers:

Shared responsibility

Knowing which responsibilities fall to the Cloud Service Provider (CSP) and which belong to the organisation can be challenging. But shared responsibility also has an upside, in that it alleviates some of the burden placed on the organisation. 

CSPs, for example, are responsible for implementing secure physical access controls where data is stored and ensuring that their data centres have proper security measures in place. They’re also responsible for network security and monitoring as well as testing to identify potential vulnerabilities. You may also find that PCI compliance CSPs may provide third-party audit reports that certify their products for PCI compliance, thereby adding another tick to the PCI compliance checklist.

Security policies

PCI compliance also requires robust company-wide security policies, emphasising a proactive security posture. This includes developing a security policy that addresses PCI DSS requirements and is reviewed at least once a year. Organisations are also required to develop daily operational security procedures and implement usage policies that guide employee usage of technology (such as remote access, wireless internet usage, email, internet usage, etc.)

This security awareness extends to the system administration of cloud servers and development practices since maintaining secure systems and applications is a key requirement of compliance. Here, too, emphasis is placed on making security best practices routine, such as:

• Establishing a process to identify and rank vulnerabilities
• Installing the newest security patches when they are released
• Following secure coding practices
• Using separate environments for development, testing, and production, with the appropriate access controls in place
• Following established guidelines on coding vulnerabilities like injection flaws, improper error handling, insecure storage, and more.

Access controls

PCI DSS requires the implementation of stringent access controls to information stored on cloud servers. This ensures that only those individuals who need to view card data are authorised to do so. Implementing access controls requires establishing clear role definitions, documenting justification for access, and ensuring that said access controls are approved by authorised personnel. The same applies to role-based access controls where access may be granted to a group of users based on their assigned role.

Even in instances where card data isn’t captured or stored, such stringent access control requirements can be applied to an organisation’s entire cloud infrastructure to ensure that, should a breach occur, an intruder could potentially only access the information to which the compromised account (or role) has access to.

Incident response

A well-structured, tested, and regularly updated incident response plan can significantly reduce potential financial, reputational, and operational damage resulting from security incidents. Proper incident response is about readiness, effective action, and continuous improvement. The PCI DSS outlines specific requirements to ensure that organisations are prepared to respond effectively in case of security incidents to minimise potential damage.

An incident response plan should include the following:

• An assignment of roles and responsibilities in the event of a security incident, as well as communication strategies
• Incident-specific response procedures
• Business recovery and continuity procedures
• Data backup procedures
• Detailed knowledge of legal or regulatory requirements for reporting security incidents
• Coverage and responsibilities for all critical system components
• Reference or inclusion of incident response procedures from the payment brands.

Other requirements include appropriate staff training as well as evolving the incident response over time. 

Again, even where card data isn’t stored, implementing an incident response plan will ensure that you’re ready to deal with attacks and potential breaches when they do occur, and minimise the potential reputational and financial damage.

Conclusion

Aiming for PCI compliance, even when you don’t collect or store cardholder data, can significantly enhance the security of your cloud infrastructure, and help foster an organisation-wide security awareness. This can significantly reduce the potential for a breach, and even where breaches do occur, minimise their impact.

Through Storm Internet’s managed PCI compliance, we secure and maintain your cloud infrastructure to PCI compliance levels. All Storm Internet cloud servers also receive a free quarterly PCI external vulnerability scan.