To protect highly sensitive cardholder data, the Payment Card Industry Security Standards Council (PCI SSC) released the Data Security Standard (DSS), which is organized into 12 top-level requirements. Financial organizations are required to validate their adherence to certain DSS requirements. Below is an overview of the 12 PCI DSS requirements.
| Control Objectives | PCI DSS Requirements |
|---|---|
| Build and Maintain a Secure Network | Requirement 1: Install and maintain a firewall configuration to protect cardholder data |
| | Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters |
| Protect Cardholder Data | Requirement 3: Protect stored cardholder data |
| | Requirement 4: Encrypt transmission of cardholder data across open, public networks |
| Maintain a Vulnerability Management Program | Requirement 5: Use and regularly update anti-virus software |
| | Requirement 6: Develop and maintain secure systems and applications |
| Implement Strong Access Control Measures | Requirement 7: Restrict access to cardholder data by business need-to-know |
| | Requirement 8: Assign a unique ID to each person with computer access |
| | Requirement 9: Restrict physical access to cardholder data |
| Regularly Monitor and Test Networks | Requirement 10: Track and monitor all access to network resources and cardholder data |
| | Requirement 11: Regularly test security systems and processes |
| Maintain an Information Security Policy | Requirement 12: Maintain a policy that addresses information security |
There are over 130 Approved Scanning Vendors (ASVs) that can be used to detect vulnerabilities in systems hosted in a public cloud. CloudAccess.net, a Michigan-based Platform as a Service (PaaS) provider, used McAfee and Comodo to perform security scans on its target hosting environments. Using the results, the company adjusted server configurations to pass subsequent scans, ultimately helping several clients validate the security of their content, including Reliance Bank, a full-service bank with twenty branches in the St. Louis metropolitan region, and CIMA (the Center for Information Management and Assurance), an organization that aims to elevate the information security community. CloudAccess.net currently helps clients pass ASV scans on an individual basis, but the company is developing an automated PCI DSS hosting layer that can be applied to any environment with a single click.
Passing an ASV scan is a critical part of the PCI testing regime, but it is important to note that passing such a scan does not by itself mean that the hosting environment meets the full set of PCI DSS requirements. To learn more, visit pcisecuritystandards.org and read "Navigating PCI DSS".