
The New Compliance Checklist

Anyone who does business in the cloud knows that compliance standards are a mandatory and often complicated part of the game. Yet getting and staying compliant can be especially tricky for finance and e-commerce organizations, which are bound by the soon-to-be updated Payment Card Industry Data Security Standard (PCI DSS), which demands especially tight controls. Creating a secure cloud environment is only the beginning for companies that handle sensitive credit card and finance data. To pass audits and prevent breaches, these companies must stay attuned and responsive to the changing face of compliance.

The issue? Many companies focus the lion’s share of their attention on security and performance, and think of compliance as a simple box to be checked off. As I’ve written before, compliance is a byproduct of a solid security program – but that doesn’t mean it’s simple. When it comes to protecting sensitive financial data and transactions, compliance can involve technical architecture and operational processes that many organizations simply don’t understand or don’t want to bother with. And because those regulations can be quite complicated, it’s not uncommon for organizations to entrust their compliance to a third party provider on the assumption that the provider will take care of everything.

Yet both of these approaches carry considerable risks. We live in a world where finance, business and technology have intersected in unforeseen and innovative ways. These new tools and platforms will continue to evolve, and the compliance requirements will continue to adapt right along with them. This means that businesses must stay attentive to these changes and update their compliance tactics accordingly.


Risks and Repercussions

It’s no secret that organizations that don’t bother analyzing their own specific compliance dynamics can end up without adequate coverage. Those that hand all responsibility for their compliance over to a cloud provider can also wind up short-changed, as some providers supply only the bare minimum of compliance controls, rather than taking into account each customer’s unique circumstances and requirements. Given the complexity of getting and staying compliant, this puts the customer on shaky ground.

Another danger: not keeping up with the latest compliance regulations and techniques. Businesses that assume yesterday’s compliance practices will be adequate today obviously run the risk of violating new PCI requirements, something very topical as the PCI DSS 3.0 updates are due this November. These businesses also risk missing out on new technologies and tactics that can actually simplify compliance, such as isolated payment engines.

Doing a Compliance Background Check

All of this points to one conclusion: companies must ask detailed questions – both internally and of their third party provider – or risk being saddled with an invisible compliance gap that only comes to light when it’s too late. Organizations that want to stay current on compliance must do their homework and ask the right questions of any third party provider they consider. Handling fiscal data and credit card transactions poses its own set of compliance needs, and businesses will want to make sure that their provider is on top of the latest and greatest compliance practices – such as payment islands and the other criteria noted below.

• Monthly vulnerability scanning and patching. Regular scans find exposed weaknesses before an attacker does, and prompt patching closes them before a small gap grows into a costly disaster. PCI DSS itself requires scans at least quarterly and after significant changes; a monthly cadence is the tighter practice to look for.

• A log management policy that involves daily reviews. Reviewing logs every day is an effective and easy way to spot anomalies – repeated failed logins, access from unexpected sources, activity at odd hours – and resolve them before they make a deeper impact.

• A layered security model. A truly secure cloud relies on a variety of tools and strategies working in tandem, including perimeter security, DDoS mitigation, firewalls, IP reputation filtering, multifactor authentication, anti-malware and more.

• A strong response plan in the event of a breach. Many breaches take days or months to detect, so having an effective plan to detect intrusions and maintain uptime is critical to prevent widespread data loss, fines and brand damage.

• Internal and well-documented audits. Clear and thorough records should be provided that validate the vendor’s review process while demonstrating that monitoring and compliance needs are being met.

• Best case scenario is to isolate the credit card databases within the cloud infrastructure, decoupling regulated data from monolithic IT environments through network segmentation. As recommended by leading analyst firm Gartner, this concept of a Payment Island isolates risk while limiting the scope of infrastructure, policies, and procedures that must meet compliance.
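To make the daily log review item above concrete, here is an added example (not code from the original article or from Armor) of the kind of check a reviewer would run over a day's SSH authentication log from a payment island host. It assumes a hypothetical layout in which the host `cde-db01` is inside the cardholder data environment and only the jump-host range `10.20.0.0/24` may log in to it; the log lines, host names and addresses are constructed for the example. It flags brute-force attempts, logins to a CDE host from outside the allowed range, password (rather than key) authentication on a CDE host, and off-hours logins.

```python
"""Daily review of sshd auth logs for a PCI cardholder data environment (added example)."""
import ipaddress
import re
from collections import Counter

# Constructed sample log lines for the example; not taken from any real system.
SAMPLE_LOG = """\
Mar 14 02:13:01 cde-db01 sshd[2201]: Failed password for root from 203.0.113.9 port 51522 ssh2
Mar 14 02:13:04 cde-db01 sshd[2201]: Failed password for root from 203.0.113.9 port 51524 ssh2
Mar 14 02:13:07 cde-db01 sshd[2201]: Failed password for root from 203.0.113.9 port 51526 ssh2
Mar 14 02:13:10 cde-db01 sshd[2201]: Failed password for admin from 203.0.113.9 port 51530 ssh2
Mar 14 02:13:15 cde-db01 sshd[2201]: Failed password for oracle from 203.0.113.9 port 51533 ssh2
Mar 14 09:02:41 cde-db01 sshd[2310]: Accepted publickey for dba from 10.20.0.15 port 40110 ssh2
Mar 14 23:47:19 cde-db01 sshd[2410]: Accepted password for dba from 198.51.100.77 port 33201 ssh2
Mar 14 10:15:00 cde-app01 sshd[880]: Failed password for invalid user test from 10.20.0.40 port 50001 ssh2
"""

# Matches the standard OpenSSH "Accepted"/"Failed" auth lines in syslog format.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port \d+"
)

# Hypothetical policy for the example: which hosts are in scope and who may reach them.
CDE_HOSTS = {"cde-db01"}
ALLOWED_SOURCES = [ipaddress.ip_network("10.20.0.0/24")]  # jump-host range (assumed)
FAILED_THRESHOLD = 5          # failed attempts from one source to one host per day
BUSINESS_HOURS = range(8, 19)  # 08:00-18:59; anything else is "off hours"


def parse(log_text):
    """Turn raw sshd lines into event dicts; lines that do not match are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        event = m.groupdict()
        # Hour of day comes from the HH:MM:SS field of the syslog timestamp.
        event["hour"] = int(event["ts"].split()[-1].split(":")[0])
        events.append(event)
    return events


def source_allowed(ip):
    """True if the source address falls inside an approved management range."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in ALLOWED_SOURCES)


def review(log_text):
    """Return a list of (finding, host, ip, detail) tuples for one day's log."""
    findings = []
    events = parse(log_text)

    # 1. Brute force: many failures from one source against one host.
    failed = Counter((e["host"], e["ip"]) for e in events if e["result"] == "Failed")
    for (host, ip), count in failed.items():
        if count >= FAILED_THRESHOLD:
            findings.append(("brute_force", host, ip, count))

    # 2. Successful logins that violate the segmentation or hardening policy.
    for e in events:
        if e["result"] != "Accepted":
            continue
        in_cde = e["host"] in CDE_HOSTS
        if in_cde and not source_allowed(e["ip"]):
            findings.append(("login_from_unexpected_source", e["host"], e["ip"], e["user"]))
        if in_cde and e["method"] == "password":
            findings.append(("password_auth_on_cde_host", e["host"], e["ip"], e["user"]))
        if e["hour"] not in BUSINESS_HOURS:
            findings.append(("off_hours_login", e["host"], e["ip"], e["user"]))
    return findings


if __name__ == "__main__":
    for finding in review(SAMPLE_LOG):
        print(*finding)
```

Running this over the sample yields four findings: one brute-force burst against `cde-db01` from 203.0.113.9, and three separate problems with the single 23:47 login (outside the allowed range, password authentication, off hours). The point of separating the findings is that each one maps to a different control to check, whereas a single "suspicious" flag would not tell the reviewer whether the problem is segmentation, host hardening or a compromised credential.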

Remember that reputable providers will be transparent in providing clear and detailed answers, so don’t be afraid to probe into their experience in supporting PCI compliance; no provider can guarantee it on your behalf, since the merchant remains responsible for its own cardholder data. The above practices are critical for creating a secure and high-performing cloud environment that protects cardholders and lets businesses safely collect, store and transmit confidential data.

Compliance might seem like a hassle when you tackle it head-on, but a smart and thorough plan will ultimately spare you the expensive fines, increased audits and irreparable brand damage that come along with a breach. It will also provide the consistency and protection that are so critical when it comes to disaster prevention. Do the legwork now to ensure you’re as compliant as you need to be and you’ll provide your organization with a higher-performing cloud, successful audits, and a safer, smoother future.

Chris Hinkley is a Senior Security Engineer at Armor where he maintains and configures network security devices, and develops policies and procedures to secure customer servers and websites. Hinkley has been with Armor (previously FireHost) since the company’s inception. In his various roles within the organization, he’s serviced hundreds of customer servers, including Windows and Linux, and overseen the security of hosting environments to meet PCI, HIPAA and other compliance guidelines.