Skip to main content

Joint PCI security and CSA guidance on scoping cloud environments

Sergio Loureiro, Cloud Security Product Director
As organizations move their infrastructure to the cloud, payment data are being exposed unknowingly leading to high profile data breaches. Find out how the new guidance from PCI Security Standards Council (PCI SSC) and Cloud Security Alliance (CSA) can help protect your cardholder data in the cloud.
PCI security standard

Payment data breach through cloud misconfigurations are on the rise. In many cases companies suffered from these data leaks had no idea that their cardholder data was exposed – with Prestige Software leaking ten million data records of top travel sites Expedia, and, and Hobby Lobby’s 138GB partial payment card details exposure as prime examples. This highlights the importance of securing every aspect of the infrastructure from on-prem all the way up to the cloud, prompting the PCI SSC and CSA to announce a joint bulletin about scoping cloud environments.

PCI SSC and CSA have previously been issuing cloud security guidelines separately, such as the PCI SSC Cloud Supplement and CSA Cloud Controls Matrix (CCM). However, the newly issued joint guideline will help organizations bring together the PCI security standards with some of the most advanced tools for cloud security compliance developed by the CSA in a common framework to tackle this growing issue.

The joint bulletin focuses on scoping cloud environments – the first step is to get visibility on where your payment data is being stored and where to apply the necessary security controls to protect that data. As cloud adoption rises, more auditors are finding regulated data in the cloud without organizations being aware of it, resulting in PCI mis-compliance and increased risk of cyberattacks. Hackers are quick to move in and capitalize on the vast opportunities offered by misconfigured cloud resources.

PCI SSC and the CSA define scoping as the “identification of people, processes, and technologies that interact with or could otherwise impact the security of payment data or systems. When using cloud security for payments, this responsibility typically gets shared between the customer and the cloud service provider.”



PCI security standard

Major Cloud Services Providers (CSPs) have made good efforts to issue practical advice and reference architectures to help companies comply with PCI DSS.

Now that AWS is celebrating EC2’s 15th anniversary, it is time to take public cloud security seriously and implement the comprehensive guidance. More importantly, you must continuously monitor any changes that can bring new risk to your infrastructure and data. This can be achieved with fully automated tools and processes.

  1. Protect your workloads. Extend what you have been doing before for PCI compliance from on-prem infrastructure to the cloud. Assess and monitor any application and network that store and process regulated data (cardholder and payment information) against the PCI standard on a regular basis to maintain compliance.

  2. Prevent cloud misconfigurations. Most organizations fail to get cloud configurations right due to the lack of knowledge and in house expertise. Insufficient access restrictions, overly permissive storage policies, and publicly exposed assets are only a few of the common mistakes. Major CSPs already provide integrated tools to help you with the implementation of the CIS benchmarks. But if you are on a multi-cloud setup you might consider multi-cloud security assessment tools to simplify cloud security posture management.

Komplett Group case study: Securing eCommerce operations for PCI compliance Read more

Once these security controls are in place, you would still want to keep an eye on emerging cloud vulnerabilities that may affect your organization, such as the latest AWS cross-account flaw revealed at Blackhat which shows your cloud instances aren’t necessarily isolated from those of the provider’s other customers. As cloud vulnerabilities and security breaches continue to increase, the call for a CVE like system for the cloud is likely to be on the horizon to provide better tracking for the industry.

Even if you don’t handle credit card data, the PCI DSS and CSA guidance still offers a strong security foundation for any cloud deployments.



Find out more about PCI compliance


Looking for anything in particular?

Type your search word here