Businesses involved with handling credit cards for payment need to maintain compliance with the PCI-DSS guidelines designed to ensure transaction security. Failure to adhere to the standards exposes a company to substantial financial fines. Companies that accept credit card payments need to exercise caution when engaging a public cloud provider.
This article will discuss the regulatory guidelines organizations must follow and take a look at the differences between a cloud and a dedicated hosting solution to establish PCI compliance.
What Is PCI-DSS?
The Payment Card Industry Data Security Standard (PCI DSS) defines the security measures that need to be implemented by any company that accepts, processes, transmits, or stores credit card data. The guidelines were first introduced as PCI DSS 1.0 in December 2004 by the PCI’s founding members, which included American Express, Discover Financial Services, JCB International, Mastercard, and Visa.
PCI-DSS 2.0, introduced in 2010, was designed to streamline the assessment process. In January 2015, version 3.0 went into effect with a focus on specific aspects of increasing credit card security. These included emphasizing employee education and awareness in companies accepting credit cards, implementing flexible and secure authentication methods, and treating security as a shared responsibility when third parties are involved.
The current version of PCI-DSS is v4, which went live on March 31st, 2022. The core elements of PCI-DSS are largely unchanged; however, there is a greater focus on security and promoting security as a continuous process.
What Is Required for PCI Compliance?
All organizations handling credit cards are bound by the PCI-DSS requirements. In today’s business world, this encompasses virtually every company from small startups to multi-national conglomerates. E-commerce depends on payments being made via credit cards, and any business with an online presence needs to comply with PCI-DSS.
Organizations need to follow twelve requirements to be PCI-DSS compliant. The focus of all the requirements is to protect cardholder data. The requirements apply to any merchant processing credit cards and their service providers, including public cloud vendors.
- A firewall must be installed and maintained to protect cardholder data. A firewall provides the first line of network defense, and its access rules should be reviewed regularly to identify and close security vulnerabilities.
- Vendor-supplied default passwords and security settings should not be used. PCI-DSS mandates that these passwords be changed to harden security and make it more difficult for unauthorized actors to access systems containing cardholder data.
- Stored cardholder data must be protected. Satisfying this requirement involves knowing where all related data is stored and its retention period. All data needs to be encrypted, truncated, tokenized, or hashed using methods accepted by the PCI industry. Rules regarding how primary account numbers can be displayed are also part of this requirement.
- Cardholder data must be encrypted when transmitted across open, public networks like the Internet. The destination of transmitted data needs to be known before initiating the data transfer.
- Anti-virus software must be used to protect all systems in the environment and be regularly updated with the latest malicious code signatures. Any laptop, desktop, or mobile device used to access systems containing cardholder information needs to be protected in this way.
- Secure systems and applications must be developed and maintained. Security vulnerabilities need to be identified and mitigated. All systems in the payment card environment should be patched regularly, including operating systems, firewalls, databases, and application software.
- Access to cardholder data should be granted only on a need-to-know basis. Restricting access to data in this way is a fundamental component of the PCI-DSS standards.
- Unique IDs need to be assigned to everyone with computer access so access can be tracked to specific individuals for accountability. Two-factor authentication is required when accessing systems with cardholder data.
- Physical access to cardholder data has to be restricted. Controls must be implemented to exclude unauthorized personnel from physically accessing the systems that hold cardholder data.
- All-access to network resources and cardholder data needs to be tracked and monitored. Logs must be kept and reviewed for suspicious activity, and audit records need to contain specific information.
- Security systems and processes are required to be tested regularly. This includes vulnerability scans and network penetration tests. All external IPs and domains are required to be scanned by a PCI-approved scanning vendor at least quarterly.
- An information security policy must be maintained for all employees and contractors. The policy needs to undergo an annual review and be read by all employees and contractors.
Many organizations do not have the internal IT resources necessary to effectively meet these requirements. This can pose a problem for businesses subject to PCI guidelines. They still need to protect cardholder data or face substantial fines.
The most effective way for companies in this position to comply with the standards is with a third-party cloud vendor that offers PCI-compliant hosting.
PCI-Compliant Solutions
The two primary options when hosting servers with a public cloud provider involve using shared cloud resources or dedicated hosts. The best choice depends on factors unique to each business situation. The following factors need to be considered when selecting your hosting solution.
The size of the hosted environment
An understanding of the size of your hosted environment is crucial when deciding how to host it. Very small environments may not need the benefits of a dedicated host. In cases where the required infrastructure’s size is unknown or is anticipated to grow substantially, the elasticity of a cloud-based solution may be best. When the infrastructure size is well-known, dedicated hosting provides customers with more control and privacy over the environment.
The availability of in-house technical resources
Dedicated solutions require more knowledge and involvement from the customer’s technical staff. Cloud servers generally place more responsibility for maintaining the environment on the provider, though there are vendors that offer extended support for dedicated hosting solutions. Organizations need to be realistic when evaluating their technical resources.
Latency concerns
Based on how much latency a business can tolerate, dedicated hosts may be the logical choice. Enhanced performance can be achieved with a dedicated solution by eliminating the need to traverse shared networks when transmitting data.
Software requirements
Some software vendors like Microsoft restrict some of their licenses from being used in public cloud settings. Companies deploying these products need to use dedicated hosts for PCI compliance.
Budgetary limitations
A cloud server solution will usually be less expensive to initially implement than one using dedicated hosts. As infrastructure grows, the resources available in a dedicated host can become more economical and provide the best fit. Larger implementations can benefit from engaging dedicated hosts at the outset of the move to the cloud.
Making the Choice
In most cases where the environment is understood and expected to be fairly stable going forward, a dedicated hosting solution is the best way to ensure PCI compliance. The self-contained nature of dedicated hosts provides enhanced security and reduced latency by eliminating shared tenants with fluctuating workloads. Software licensing may come into play and steer a customer toward a dedicated hosting solution.
Businesses attempting to maintain PCI compliance don’t need to go it alone. Atlantic.Net’s PCI hosting services include dedicated hosting and cloud server solutions for businesses required to comply with PCI-DSS guidelines. They can tailor their offerings to fit the needs of any size business that needs to protect the cardholder data they process.