Retail - PCI DSS
Protecting PCI DSS Governed Data in the Cloud
Sector-specific data protection and security requirements exist in many countries. In retail, for example, the Payment Card Industry Data Security Standard (PCI DSS) specifies the steps that organizations storing and processing payment card details need to take to secure and protect sensitive information. Blue Coat Cloud Data Protection Gateway is used by leading organizations to achieve PCI DSS compliance while moving to the cloud.
PCI Data Security Standards (PCI DSS) are technical and operational requirements set by the PCI Security Standards Council (PCI SSC) to protect cardholder data. The Council is responsible for managing the security standards, while the payment card brands enforce compliance. The standards apply to all organizations that store, process or transmit cardholder data – with guidance for software developers and manufacturers of applications and devices used in those transactions.
All merchants that accept payment cards are required to be compliant with PCI DSS. The PCI DSS requirements (available at https://www.pcisecuritystandards.org/) consist of common-sense steps that mirror security best practices.
Related Guidance for the PCI Data Security Standard
Build and Maintain a Secure Network
Requirement 1: Install and maintain a firewall configuration to protect cardholder data
Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters
Protect Cardholder Data
Requirement 3: Protect stored cardholder data
Requirement 4: Encrypt transmission of cardholder data across open, public networks
Maintain a Vulnerability Management Program
Requirement 5: Use and regularly update anti-virus software
Requirement 6: Develop and maintain secure systems and applications
Implement Strong Access Control Measures
Requirement 7: Restrict access to cardholder data by business need-to-know
Requirement 8: Assign a unique ID to each person with computer access
Requirement 9: Restrict physical access to cardholder data
Regularly Monitor and Test Networks
Requirement 10: Track and monitor all access to network resources and cardholder data
Requirement 11: Regularly test security systems and processes
Maintain an Information Security Policy
Requirement 12: Maintain a policy that addresses information security
Requirements 3 and 4 of PCI DSS specify that cardholder data, including the Primary Account Number (PAN), cardholder name, and expiration date, needs to be protected while it is stored (data "at rest") and while it is transmitted across public networks (data "in flight"). When cardholder data is stored and processed in the cloud, companies need to ensure they are taking the proper steps to maintain compliance, which can be an extremely complex task.
Adding to the complexity of PCI cloud compliance is the fact that the latest version of PCI DSS does not provide detailed guidance on virtualization, which introduces the notions of multi-tenancy and shared responsibility. Blue Coat Cloud Data Protection Gateway is designed to help enterprises in this situation. Because the platform enables companies to keep their sensitive cardholder information on-premises, they do not need to be concerned about the additional PCI compliance exposure introduced by the cloud: the card-related information that is stored and processed in the cloud is either encrypted or tokenized, and is therefore undecipherable and unusable if it is ever breached.
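The pattern described above, with the vault kept inside the enterprise network and only tokens sent to the cloud, as an added illustration (not code from Blue Coat or from this page): a hypothetical in-memory token vault replaces each cardholder field with a random token, keeps the last four PAN digits so cloud applications can still display or search them, and a simple Luhn-based detector confirms no PAN leaves in the clear. The sample record and its standard test PAN are constructed.

```python
import re
import secrets
import string

# Constructed sample record; the PAN is a well-known test number, not a real card.
SAMPLE_RECORD = {"pan": "4111111111111111", "name": "Jane Example", "expiry": "12/27"}

def luhn_valid(digits: str) -> bool:
    """True if the digit string passes the Luhn check that real PANs satisfy."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0

PAN_RE = re.compile(r"\b\d{13,19}\b")

def find_pans(text: str) -> list:
    """Cheap 'PAN in the clear' detector: Luhn-valid runs of 13 to 19 digits."""
    return [m for m in PAN_RE.findall(text) if luhn_valid(m)]

class TokenVault:
    """Hypothetical on-premises vault mapping random tokens back to original values."""
    def __init__(self):
        self._to_value = {}

    def tokenize(self, value: str, keep_last: int = 0) -> str:
        """Issue a fresh token with the same shape as the value (digits stay digits,
        letters stay letters); the final keep_last characters are preserved."""
        head, tail = (value[:-keep_last], value[-keep_last:]) if keep_last else (value, "")
        while True:
            body = "".join(secrets.choice(string.digits if c.isdigit()
                                          else string.ascii_letters if c.isalpha() else c)
                           for c in head)
            token = body + tail
            # Reject collisions and any all-digit token that could pass for a real PAN.
            if token in self._to_value or (token.isdigit() and luhn_valid(token)):
                continue
            self._to_value[token] = value
            return token

    def detokenize(self, token: str) -> str:
        return self._to_value[token]

def protect_record(record: dict, vault: TokenVault) -> dict:
    """What leaves the network: every cardholder field replaced by a vault token."""
    return {"pan": vault.tokenize(record["pan"], keep_last=4),
            "name": vault.tokenize(record["name"]),
            "expiry": vault.tokenize(record["expiry"])}

def restore_record(cloud_record: dict, vault: TokenVault) -> dict:
    """Only a caller holding the on-premises vault can recover the original fields."""
    return {k: vault.detokenize(v) for k, v in cloud_record.items()}
```

Without the vault, the cloud-side record is a set of unrelated random strings; a breach of the cloud copy yields nothing a detokenization step could not be performed on.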
Only Blue Coat Can Deliver
Strongest Available Cloud Data Control – No data is shared "in the clear" outside of your network; data is secured with field-level controls based on user-defined tokenization or encryption options. The enterprise retains full control of the token vault and/or the encryption keys securing the data.
Only Solution That Supports FIPS 140-2 Encryption While Preserving Cloud Functionality – To preserve application functionality, all other vendors require the use of their own proprietary, weakened encryption within their platform solution. Close analysis of their modules and associated certifications reveals that non-compliant algorithms, unavailable in FIPS mode, are required to encrypt sensitive data when an enterprise needs to preserve critical cloud functionality.
Only Solution with Third-Party Audited Tokenization – Blue Coat enables organizations to use well-documented and proven tokenization techniques to protect information as an alternative to encryption. The tokenization technique deployed within the platform, which is especially useful for data residency and data sovereignty requirements, has been audited and validated against relevant industry standards by CoalFire Inc, a PCI DSS QSA and a FedRAMP 3PAO.
Doesn't Tie Support of Cloud Application Functionality to the Use of Specific Encryption Techniques – Enterprises value flexibility because nothing is as certain as change. Only Blue Coat lets enterprises change the underlying data protection techniques used within the platform over time, at their own discretion, as they see fit. All other alternatives in the marketplace require the use of specific, unproven techniques in order to preserve cloud application functionality.