www.cognosec.com David Jenkins (QSA CISA) Director of PCI and Payment Services PCI and the Cloud, where is my Atlas


Page 1


David Jenkins (QSA CISA)

Director of PCI and Payment Services

PCI and the Cloud, where is my Atlas

Page 2

Agenda

• About Cognosec

• PCI DSS 3.0 and CSPs

• SLA Considerations

• Technical considerations

• Auditing

Page 3

About Cognosec GmbH

IT security and compliance specialist based in Vienna

Services in information security, governance, enterprise risk management, compliance, audit and assurance

Clients throughout Europe, Middle East, Africa and the United States

Qualified Security Assessor (QSA) Company for Europe and CEMEA

Approved Scanning Vendor (ASV) Company for Europe and CEMEA

Page 4

PCI Security Standards and Compliance

Ecosystem of payment devices, applications, infrastructure and users:

Manufacturers & Service Providers: PCI P2PE and PTS (PIN and PAN)

Software Developers / Payment Application Vendors: PCI PA-DSS

Merchants and Processors: PCI DSS (Data Security Standard)

Supporting programmes: QIR (Qualified Integrators and Resellers), PFI (PCI Forensic Investigator), ASV (Approved Scanning Vendor), Pen Testing*

Page 5

PCI and the Cloud

More flexibility at the front end of the

payment chain

Multi Channel, Twitter etc

More complexity on the back end

P2PE standard a good example

Page 6

PCI and the Cloud

PCI SSC Cloud Computing Guidelines: a 52-page white paper that refers to the 70-page NIST Guidelines on Security and Privacy in Public Cloud Computing (SP 800-144)

Leads on from the PCI DSS Virtualization Guidelines

Note the fine print

Page 7

Service Level Agreements

Technical considerations

Page 8

PCI DSS 3.0

Service Level Agreements

12.8 Maintain and implement policies and procedures to manage service providers with whom cardholder data is shared, or that could affect the security of cardholder data, as follows:

12.8.1 Maintain a list of service providers.

Page 9

Considerations for you:

Nested service-provider relationships? A CSP may itself rely on other service providers (hosting, key management, support). These relationships add complexity to both the CSP's and the client's PCI DSS assessment process: each layer must be identified, and its share of the requirements validated.

Look to the P2PE Standard for good examples of "behind the scenes" complexity.

Page 10

PCI DSS 3.0

Service Level Agreements

12.8.2 Maintain a written agreement that includes an acknowledgement that the service providers will maintain all applicable PCI DSS requirements to the extent the service provider handles, has access to, or otherwise stores, processes, or transmits the customer’s cardholder data or sensitive authentication data, or manages the customer's cardholder data environment on behalf of a customer.

Page 11

PCI DSS 3.0

Service Level Agreements

12.8.3 Ensure there is an established

process for engaging service providers

including proper due diligence prior to

engagement.

Page 12

Considerations for you:

Your due-diligence process prior to engaging the CSP

The provider's history in performing the services you require

Identifying potential risks or circumstances associated with the CSP

Deep dive into the service elements that need to be included in contracts and SLAs

Page 13

PCI DSS 3.0

Service Level Agreements

12.8.4 Maintain a program to monitor

service providers’ PCI DSS compliance

status at least annually.

Page 14

Considerations for you:

How long has the CSP been PCI DSS compliant?

What specific services and PCI DSS requirements were included in the validation?

Are there any system components that the CSP relies on for delivery of the service that were not included in the PCI DSS validation?

How does the CSP ensure that clients using the PCI DSS compliant service cannot introduce non-compliant components to the environment or bypass any PCI DSS controls?

Page 15

PCI DSS 3.0

Service Level Agreements

12.8.5 Maintain information about which PCI

DSS requirements are managed by each

service provider, and which are managed by

the entity.

Page 16

Considerations for you:

Provisioning: SLAs and other written agreements between the CSP and client should clearly identify the delineation of responsibilities between the parties.

Decommissioning and disposal: written agreements should also cover the activities and assurances to be provided by both parties upon termination of the service provision, with clear requirements for data retention, storage and secure disposal.

Page 17

PCI DSS 3.0

Service Level Agreements

12.9 Additional requirement for service providers: Service providers acknowledge in writing to customers that they will maintain all applicable PCI DSS requirements to the extent the service provider handles, has access to, or otherwise stores, processes, or transmits the customer's cardholder data or sensitive authentication data, or manages the customer's cardholder data environment on behalf of a customer.

Note: This requirement is a best practice until June 30, 2015, after which it becomes a requirement.

Page 18

Responsibilities

Client – Generally each client will retain responsibility for

maintaining and verifying the requirement.

CSP – Generally the CSP will maintain and verify the requirement for their clients.

Both – Generally responsibility is “shared” between the client and the CSP. This may be due to the requirement applying to elements present in both the client environment and the CSP-managed environment, or because both parties need to be involved in the management of a particular control.

Page 19

Service Level Agreements

Technical considerations

Page 20

Technical Considerations

Protection methods such as hashing, truncation and encryption of stored cardholder data

Encrypting transmission over open, public networks

Securing systems and applications (secure coding, patching)

Restricting access to cardholder data on a need-to-know basis

Assigning unique accountability (a unique ID per user, no shared accounts)

Tracking and monitoring all access to network resources and cardholder data

Page 21

Technical Considerations

Encrypted cardholder data is still in scope for PCI DSS.

Plan to keep all encryption/decryption and key-management operations isolated from the cloud, so that the CSP's environment holds ciphertext only and never the keys.

"...if decryption keys and encrypted data are present, all applicable PCI DSS requirements would apply to that environment..."
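The two preceding slides list hashing and encryption as protection methods and insist that keys stay isolated from the cloud. The following is an added example, not part of the original deck, showing why the choice of hashing method and the location of the key matter: a plain SHA-256 of a PAN stored next to a truncated copy of the same PAN can be reversed by enumeration, whereas an HMAC whose key lives outside the data store cannot. The card number is a well-known test number, constructed input only; the key value and the "on-premises HSM" it is said to come from are assumptions for the demonstration.

```python
"""Rendering a PAN unreadable: truncation, unkeyed vs keyed hashing.

Added example, not from the original deck. Uses a standard test card number
(4111 1111 1111 1111) as constructed input; no real cardholder data.
"""
import hashlib
import hmac
import itertools
from typing import Optional

TEST_PAN = "4111111111111111"  # constructed: a well-known Visa test number


def luhn_ok(pan: str) -> bool:
    """Luhn check-digit validation. Real PANs pass it, so an attacker
    enumerating candidates can discard roughly 90% of them for free."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:                      # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def truncate_pan(pan: str) -> str:
    """Truncation: at most the first six (BIN) and last four digits in the clear."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def unkeyed_hash(pan: str) -> str:
    """Plain SHA-256 of the PAN. Deterministic and unkeyed: anyone holding the
    digest plus a truncated copy of the same PAN can enumerate the hidden digits."""
    return hashlib.sha256(pan.encode("ascii")).hexdigest()


def keyed_hash(pan: str, key: bytes) -> str:
    """HMAC-SHA256 over the PAN. The key is assumed to be held outside the cloud
    data store (e.g. an on-premises HSM/KMS); without it the digest is not
    enumerable, which is the isolation the slides call for."""
    return hmac.new(key, pan.encode("ascii"), hashlib.sha256).hexdigest()


def recover_from_unkeyed_hash(target_hex: str, bin6: str, last4: str,
                              length: int = 16) -> Optional[str]:
    """Enumerate the digits a truncated record hides (10**6 for a 16-digit PAN),
    keep only Luhn-valid candidates, and compare their SHA-256 to the stored
    digest. Returns the PAN if the digest was unkeyed, None otherwise."""
    for digits in itertools.product("0123456789", repeat=length - 10):
        candidate = bin6 + "".join(digits) + last4
        if luhn_ok(candidate) and unkeyed_hash(candidate) == target_hex:
            return candidate
    return None


if __name__ == "__main__":
    print("truncated :", truncate_pan(TEST_PAN))
    digest = unkeyed_hash(TEST_PAN)
    print("sha256    :", digest)
    # The truncated record and the unkeyed digest together give the full PAN back.
    print("recovered :", recover_from_unkeyed_hash(digest, TEST_PAN[:6], TEST_PAN[-4:]))
    mac = keyed_hash(TEST_PAN, b"constructed-key-held-outside-the-cloud")
    print("hmac      :", mac)
    # The same search against the keyed digest exhausts all candidates and fails.
    print("recovered :", recover_from_unkeyed_hash(mac, TEST_PAN[:6], TEST_PAN[-4:]))
```

The point for scoping: a cloud data store holding truncated PANs plus unkeyed hashes is effectively holding full PANs. Holding truncated PANs plus HMACs whose key never enters the cloud is not, which is why the key-management boundary, not the presence of a "hash", decides what the CSP's environment contains.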

Page 22

Technical Considerations

Isolation may be required at the network, operating system and application layers; and most importantly, there should be guaranteed isolation of data that is stored.

Segmentation on a cloud-computing infrastructure must provide an equivalent level of isolation to that achievable through physical network separation; otherwise the whole shared environment is in scope.

Page 23

Auditing a PCI DSS Compliant CSP

Proof of compliance documentation (AOC/ROC), including the date of compliance

Documented evidence of system components and services that were included in the PCI DSS assessment

Documented evidence of system components and services that were excluded from the PCI DSS assessment, as applicable to the service

Appropriate contract language

Page 24

Non-PCI-compliant CSP: what the assessor will need

Access to systems, facilities, and appropriate personnel for on-site reviews, interviews, physical walk- throughs, etc.

Policies and procedures, process documentation, configuration standards, training records, incident response plans, etc.

Evidence (such as configurations, screen shots, process reviews, etc.) to show that all applicable PCI DSS requirements are being met for the in-scope system components

Appropriate contract language

Page 25

Summary

Policies, SLAs

Roadmap to provisioning

Technical considerations

Meeting the intent of the Standard

Page 26

David Jenkins (QSA CISA)

Director of PCI and Payment Services

+43 664 8836 4846 [email protected]