How to be compliant with PCI-DSS and/or SSAE 16 Type II with Cloud IaaS
We are frequently asked whether we are SSAE 16 or PCI certified. It is certainly an important area to understand well, but all too often the wrong question is being asked. The question often seems to be promoted by overly enthusiastic sales or marketing initiatives from IT vendors (often with a vested interest) that are not entirely genuine about helping people understand this important compliance aspect of moving infrastructure to the cloud. The reality is that no one can be declared “certified” in this regard: it is a compliance process that typically involves the transparency and cooperation of a cloud infrastructure provider like Cloud-A (more info on that: here & here). If a provider states that it is “compliant” in this way, that is certainly a good thing to know, but it does not mean that its customers are also “compliant” by proxy.
So the right question is more likely: how can Cloud-A help our clients keep their customer data safe by implementing compliance controls, including PCI-DSS and SSAE 16 Type II? Because achieving these certifications is a process that involves the support and aid of the cloud provider, we have written this guide to help anyone better understand the process and its common pitfalls, and to provide best practices and recommendations where appropriate.
SSAE 16 Type II
The SSAE 16 Type II (formerly known as SAS 70) compliance process defines the standards an auditor must employ in order to assess the contracted internal controls of a service organization, such as a hosted data centre, an insurance claims processor, a credit processing company, or any company that provides outsourcing services that can affect the operation of the contracting enterprise. We recognize the needs of our customers and will work with them to ensure that they are SSAE 16 compliant.
PCI-DSS
The Payment Card Industry has established the Data Security Standard (PCI-DSS), which identifies controls that help protect your customers’ data. Implementing PCI-DSS is a requirement for many eCommerce applications and gives your customers confidence that you have taken appropriate measures to keep their data secure. You will need to enforce the requirements of the PCI-DSS standard yourself. To learn more about the PCI-DSS standard, you can read the requirements here.
How we can help
Build & Maintain a Secure Network
Cloud-A virtual firewalls can provide port and protocol filtering, internally and externally. Working with a qualified trusted security partner, you establish and are the sole owner of the set of rules that defines unwanted traffic. Based on this set of rules, information that is sent to your server is checked and then filtered.
Taking advantage of Virtual Private Cloud Networking, you can create completely separate virtual networks, with no internet connection for private server communication.
Vulnerability Assessment Services
We recommend and partner with companies like Lyrical Software who offer vulnerability assessment and intrusion detection service to defend and protect systems against internal and external threats.
Protect Cardholder Data
Choosing a Payment Provider
In the vast majority of cases your payment processor takes on this responsibility by storing this information for you. If you are planning to store data of this nature in the application layer (or database) yourself, you must implement this requirement or work with a partner to satisfy it.
Securely Storing PCI Data
If you choose to store your own PCI-DSS-sensitive data, you can take advantage of our volumes service and create an encrypted block storage device for the specific data you need to store. Key management and the surrounding process remain critical; we recommend talking to a partner if you are not 100% comfortable implementing these in a secure way.
Encrypt transmission of cardholder data across open, public networks
We can help with the installation and renewal of SSL certificates from the leading and most trusted names in the industry, including GeoTrust®, covering Extended Validation (EV), Organization Validated (OV), and Domain Validated (DV) certificates.
Maintain a Vulnerability Management Program
Use and regularly update anti-virus software or programs
A managed anti-virus solution offers proactive, sustained protection against viruses, worms, Trojans, spyware, and other malware for Windows or Linux servers. It features behavioural protection for zero-day threats, proactively identifying malicious code on file servers and deleting it before it executes or reaches endpoint computers on your network.
Develop and maintain secure systems and applications
We only partner with Proven Software Development Partners who have experience delivering professional services in this area. Those teams deploy, tune, profile, troubleshoot, and manage your applications, networks, & devices.
Implement Strong Access Control Measures
Restrict access to cardholder data on a need-to-know basis
This responsibility is typically taken on for you by your payment processor, if one is chosen, which stores and locks down this information and exposes only the required parts to you via API. If you are planning to store data of this nature in the application layer (or database) yourself, you must implement this requirement.
Assign a unique ID to each person with computer access
We recommend Two-Factor Authentication with industry-leading RSA SecurID technology, with a 20-year history of outstanding performance and innovation. Each RSA Authenticator token automatically generates a unique password every 60 seconds. Two-factor authentication using a unique PIN and the authenticator token password offers a more reliable level of user authentication than reusable passwords alone. A number of our partners have experience implementing this solution.
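The PIN-plus-token check described above, as an added example that is not Cloud-A's or RSA's code: SecurID's token algorithm is proprietary, so this uses the open TOTP scheme (RFC 6238) with a 60-second step as a stand-in, and the seed, salt and PIN values are constructed for the demonstration. It shows the two pieces a verifier needs beyond the code itself: a small clock-drift window and rejection of a code that has already been accepted.

```python
import hashlib
import hmac
import struct
import time

STEP_SECONDS = 60   # the token described above changes every 60 seconds
DIGITS = 6
DRIFT_STEPS = 1     # tolerate one step of clock skew on either side

def token_code(secret: bytes, unix_time: int) -> str:
    """RFC 6238 TOTP: HMAC-SHA1 over the time-step counter, dynamically truncated."""
    counter = int(unix_time) // STEP_SECONDS
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** DIGITS)).zfill(DIGITS)

def hash_pin(pin: str, salt: bytes) -> bytes:
    """Store the PIN (something you know) as a salted PBKDF2 hash, never in the clear."""
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)

class TwoFactorVerifier:
    """Checks the user's PIN plus the current token code (something you have)."""

    def __init__(self, pin_hash: bytes, pin_salt: bytes, secret: bytes):
        self.pin_hash = pin_hash
        self.pin_salt = pin_salt
        self.secret = secret
        self.last_counter = -1   # highest time step already accepted; blocks replay

    def verify(self, pin: str, code: str, now=None) -> bool:
        now = int(time.time()) if now is None else int(now)
        pin_ok = hmac.compare_digest(hash_pin(pin, self.pin_salt), self.pin_hash)
        counter = now // STEP_SECONDS
        code_ok, matched = False, -1
        for delta in range(-DRIFT_STEPS, DRIFT_STEPS + 1):
            step = counter + delta
            if step <= self.last_counter:
                continue   # this step (or an older one) was already used: reject replay
            expected = token_code(self.secret, step * STEP_SECONDS).encode()
            if hmac.compare_digest(expected, code.encode()):
                code_ok, matched = True, step
        # both factors are evaluated before deciding, so a failure in either takes the same path
        if pin_ok and code_ok:
            self.last_counter = matched
            return True
        return False
```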
Restrict physical access to cardholder data
Cloud-A data centres are PCI-DSS and Safe Harbor compliant, in addition to having SSAE 16 Type II, SOC 1, SOC 2 (Security and Availability only), and SOC 3 audits on file for all data centre facilities. Specific policies exist both to prevent unauthorized physical access, damage, and interference to our organization’s premises and information, and to confirm that only approved users are granted access to appropriate systems and resources.
Regularly Monitor & Test Networks
Track and monitor all access to network resources and cardholder data
There are a number of Log Management products on the market today that automatically aggregate, normalize, and store log data from your environment to simplify log searches, forensic analysis, and report creation through real-time or scheduled analysis.
We recommend and work in parallel with companies who offer managed analysis of all traffic entering and leaving your hosted Cardholder Data Environment (CDE), and logging of all critical infrastructure components to identify compromise and unauthorized access. This creates a fully managed, centralized, and secure logging infrastructure.
Penetration Testing & Threat Management
We’ve developed a number of systems that are designed to monitor the Cloud-A environment, detecting external and internal threats. When we detect an incident, we provide expert guidance from our security operations centre (SOC).
We recommend and partner with companies like Go Secure who offer vulnerability assessment and intrusion detection service to defend and protect systems against internal and external threats. They offer services including integrated vulnerability scanning that helps you identify possible points of entry and correct them, and assists you with meeting regulatory compliance requirements.
Maintain an Information Security Policy
Process, Procedure, & Documentation
This is something that you and your organization are responsible for, but we can help by providing best practices and examples of what other companies like yours are doing to comply with this requirement.
This is helpful information but it’s important to remember that simply hosting with Cloud-A doesn’t automatically make you PCI-compliant. And while technologies can help in your efforts toward PCI compliance, tools like Firewalls, Intrusion Detection Systems and Log Management are only as effective as the people and processes in place to install and manage them.
We can also recommend a trusted partner who will work with you to build a framework for outlining and managing the process and technology requirements of PCI-DSS.