The distributed architectures of cloud environments add layers of technology and complexity that challenge traditional assessment methods. As a result, it may be particularly challenging to validate PCI DSS compliance in a distributed, dynamic infrastructure such as a public or multi-tenant environment.
Examples of compliance challenges include but are not limited to the following:
Customers may have little or no visibility into the Provider’s underlying infrastructure and the related security controls, which makes it difficult to identify which system components are in scope for a particular service or identify who is responsible for particular PCI DSS controls.
Customers may have limited or no oversight or control over cardholder data storage. Organizations might not know where cardholder data is physically stored, or the location(s) can regularly change. For redundancy or high-availability reasons, data could be stored in multiple locations at any given time.
It can be difficult to determine an appropriate sample size for dynamic, rapidly changing cloud environments and processes (for example, cloud-bursting, continual deployment and termination of virtual machines, dynamic IP addressing and so on).
Some virtual components do not have the same levels of access control, logging and monitoring as their physical counterparts.
Perimeter boundaries between Customer environments can be fluid.
Public cloud environments are usually designed to allow access from anywhere on the internet.
It can be challenging to verify who has access to cardholder data processed, transmitted or stored in the cloud environment.
It can be challenging to collect, correlate and archive all the logs necessary to meet applicable PCI DSS requirements.
Organizations using data-discovery tools to identify cardholder data in their environments, and to ensure that such data is not stored in unexpected places, may find that running such tools in a cloud environment is difficult and produces incomplete results. It can be challenging for organizations to verify that cardholder data has not “leaked” into the cloud.
Not all services offered by a Provider may be included in the Provider’s PCI DSS compliance validation. Many Providers might not support the right to audit for their Customers.
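The data-discovery point above is the one item in this list that a Customer can partly exercise on their own side. The following is an added example, not part of the original guidance and not a PCI SSC tool: it shows the core of a cardholder-data discovery check that can be run over text pulled from storage the Customer does control (exported logs, CSV extracts, object-store dumps). Candidate digit runs of 13 to 19 digits, with optional space or dash separators, are filtered through the Luhn check so that order numbers and timestamps are not reported as PANs, and every finding is reported with the PAN truncated to the first six and last four digits so the discovery report itself does not become a new copy of cardholder data. The object names and file contents are constructed sample data; in a real run you would feed the function the objects you enumerate from your own buckets or volumes.

```python
import re
from dataclasses import dataclass

# A PAN candidate is 13 to 19 digits, optionally separated by a single
# space or dash, not embedded in a longer digit run.
CANDIDATE_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn mod-10 check."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Keep the first six and last four digits, the truncation PCI DSS
    permits for display, so the report does not store full PANs."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


@dataclass
class Finding:
    source: str   # object name the PAN was found in
    offset: int   # character offset of the match inside that object
    masked: str   # truncated PAN for the report


def scan_text(source: str, text: str) -> list[Finding]:
    """Scan one text object and return Luhn-valid PAN findings."""
    findings = []
    for m in CANDIDATE_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            findings.append(Finding(source, m.start(), mask_pan(digits)))
    return findings


def scan_objects(objects: dict[str, str]) -> list[Finding]:
    """Scan a mapping of object name -> text content (e.g. files pulled
    from a bucket the Customer controls) and collect all findings."""
    results: list[Finding] = []
    for name, content in objects.items():
        results.extend(scan_text(name, content))
    return results


# Constructed sample objects; the bucket name and contents are invented.
# 4111 1111 1111 1111 and 5555 5555 5555 4444 are the standard Visa and
# Mastercard test numbers; the other digit runs fail the Luhn check.
SAMPLE_OBJECTS = {
    "s3://example-bucket/logs/app.log": (
        "order=8123 card=4111 1111 1111 1111 status=ok\n"
        "order=8124 card=1234567890123456 status=declined\n"
    ),
    "s3://example-bucket/exports/customers.csv": (
        "id,name,ref\n"
        "1,Alice,5555-5555-5555-4444\n"
        "2,Bob,ORD-1234567890123\n"
    ),
}


if __name__ == "__main__":
    for f in scan_objects(SAMPLE_OBJECTS):
        print(f"{f.source} @ {f.offset}: {f.masked}")
```

The regex alone over-reports (any 16-digit reference number matches), which is why the Luhn filter matters; the reverse failure mode, PANs stored encoded, compressed, or inside binary formats, is exactly where a text scanner comes back incomplete, which is the limitation the guidance above describes.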
These challenges will affect a number of factors related to how PCI DSS compliance is managed, including how segmentation is implemented, how PCI DSS assessments are scoped, how individual PCI DSS requirements are validated and which party will perform particular validation activities.
At a high level, Providers fall into two groups: those whose services have been validated as meeting a particular level of PCI DSS compliance and those that have not.
The recommended practice for Customers with PCI DSS considerations is to work with Providers whose services have been independently validated as being PCI DSS compliant and have mechanisms available to Customers to attain such evidence.