How PCI QSAs Contribute to Safer Cloud Services

Can We Combine High Security with Easy Data Access?
Being hacked and having sensitive data exposed is many organisations’ worst nightmare. At the same time, today’s society demands constant data access. Can we have both, strong security and data at our fingertips? The answer is yes.
Let’s take a closer look at one of the most rigorous security standards on the market, and at the people whose job it is to verify that it is actually being followed.
What Is PCI DSS?
The payment card industry has one of the world’s most demanding standards for data security. It is called PCI DSS (Payment Card Industry Data Security Standard), and although it was written to protect card data, its controls are widely used as a benchmark for protecting other kinds of sensitive data as well.
The standard is designed to protect customers against hackers and unauthorized users, preventing them from stealing valuable card data that businesses store. This security standard is becoming increasingly important as societies become more digitized and consumers move away from cash payments.
PCI DSS covers everything from verifying identity when modifying payment terminals, to encryption requirements for card data, and security demands on data centers handling card information.
PCI DSS Requirements Overview
PCI DSS includes 12 requirements, broken down into more than 250 individual controls. All 12 requirements apply to every organisation that stores, processes or transmits cardholder data; what varies with transaction volume is how compliance has to be validated. An e-commerce platform handling millions of transactions a year must be assessed on-site by a QSA, while a small business selling one product per month can usually validate with a Self-Assessment Questionnaire (SAQ).
The 12 PCI DSS Requirements
- Install and maintain a firewall configuration
- Do not use vendor-supplied default passwords
- Protect stored cardholder data
- Encrypt transmission of cardholder data
- Protect systems against malware
- Develop and maintain secure systems and applications
- Restrict access based on business need-to-know
- Identify and authenticate access
- Restrict physical access to cardholder data
- Track and monitor access
- Regularly test security systems
- Maintain an information security policy
The Challenge of PCI DSS Compliance
Achieving and maintaining PCI DSS compliance places high demands on a company’s knowledge of data security. Many organisations struggle to get there on their own. For this reason, it can be beneficial to bring in external expertise and to run the card-handling systems in an IT operations environment that has already been validated against PCI DSS. One caveat: using a compliant provider does not transfer responsibility. The customer remains accountable for its own scope, must manage the provider as a third party, and should have a written responsibility matrix showing which controls the provider covers and which remain the customer’s own.
The Role of a QSA (Qualified Security Assessor)
Once a company has been validated against PCI DSS, it must maintain compliance and be re-assessed every year. For service providers and the largest merchants (Level 1), that annual assessment is carried out by a Qualified Security Assessor (QSA).
A QSA is an IT security professional employed by a QSA company that the PCI Security Standards Council has qualified to perform on-site assessments. Their role is to validate compliance, not to implement it: the QSA examines evidence, interviews staff and tests that the controls work as described.
The outcome is a Report on Compliance (RoC), which records, control by control, whether the organisation meets every requirement, together with an Attestation of Compliance (AoC) that is shared with acquirers and card brands. A RoC can run to several hundred pages.
The PCI DSS Certification Process
Defining Scope
The first, and often most important, step is defining what is “in scope”. Since PCI DSS focuses on card data, the organisation should isolate the systems that store, process or transmit cardholder data in a dedicated cardholder data environment (CDE) and segment it from the rest of the network. Everything inside the CDE is in scope, and so is any system that is connected to it or that could affect its security (authentication, logging, patch management), so effective segmentation is what keeps the rest of the estate out of scope. The assessor will expect evidence that the segmentation actually works on the network, not just that it is drawn on a diagram.
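The following is an added example, not code from the original article: it takes a constructed inventory of hosts and the network flows a firewall actually permits between them, and classifies each host into the scope categories used in PCI SSC scoping guidance (CDE, connected-to or security-impacting, out of scope). Running it once against a segmented ruleset and once against a flat network shows concretely why segmentation shrinks scope. All host names, roles and flows are invented for the illustration.

```python
"""Added scoping example (not from the original article): classify a constructed
inventory into PCI DSS scope categories from the permitted network flows.
Hosts, roles and flows below are invented for the illustration."""
from itertools import permutations
from typing import Dict, Iterable, List, Set, Tuple

Flow = Tuple[str, str]  # (source host, destination host), one permitted direction

# Constructed inventory. "cde" = stores/processes/transmits cardholder data;
# "security" = provides a security service (auth, logging) to other systems;
# "corporate" = ordinary business system that should never touch card data.
SYSTEMS: Dict[str, str] = {
    "pos-terminal": "cde",
    "payment-app": "cde",
    "card-db": "cde",
    "ad-dc": "security",
    "log-collector": "security",
    "jump-host": "admin",
    "hr-portal": "corporate",
    "marketing-site": "corporate",
}

# Flows permitted by firewall rules in the segmented design (constructed).
SEGMENTED_FLOWS: List[Flow] = [
    ("pos-terminal", "payment-app"),
    ("payment-app", "card-db"),
    ("payment-app", "ad-dc"),      # CDE users authenticate against AD
    ("card-db", "log-collector"),  # CDE logs are shipped to the collector
    ("jump-host", "card-db"),      # administrative access into the CDE
    ("hr-portal", "ad-dc"),        # corporate systems also use AD, never the CDE
]


def flat_network(systems: Dict[str, str]) -> List[Flow]:
    """Every host can reach every other host: no segmentation at all."""
    return list(permutations(systems, 2))


def classify_scope(systems: Dict[str, str], flows: Iterable[Flow]) -> Dict[str, str]:
    """Map each host to 'cde', 'security-impacting', 'connected-to' or 'out-of-scope'.

    A non-CDE host is in scope as soon as one permitted flow links it, in
    either direction, to a CDE host. Hosts that only talk to such connected-to
    systems (hr-portal -> ad-dc above) stay out of scope, which is exactly
    what segmentation buys you.
    """
    cde = {h for h, role in systems.items() if role == "cde"}
    touches_cde: Set[str] = set()
    for src, dst in flows:
        if src in cde and dst not in cde:
            touches_cde.add(dst)
        elif dst in cde and src not in cde:
            touches_cde.add(src)
    result: Dict[str, str] = {}
    for host, role in systems.items():
        if host in cde:
            result[host] = "cde"
        elif host in touches_cde:
            result[host] = "security-impacting" if role == "security" else "connected-to"
        else:
            result[host] = "out-of-scope"
    return result


def segmentation_gaps(systems: Dict[str, str], flows: Iterable[Flow]) -> List[str]:
    """Corporate hosts that can reach the CDE. Each one is a scoping surprise the
    assessor will find, so they are the first thing to fix during remediation."""
    scope = classify_scope(systems, flows)
    return sorted(h for h, role in systems.items()
                  if role == "corporate" and scope[h] != "out-of-scope")


if __name__ == "__main__":
    for label, flows in (("segmented", SEGMENTED_FLOWS), ("flat", flat_network(SYSTEMS))):
        scope = classify_scope(SYSTEMS, flows)
        in_scope = [h for h, c in scope.items() if c != "out-of-scope"]
        print(f"{label}: {len(in_scope)}/{len(SYSTEMS)} hosts in scope, "
              f"segmentation gaps: {segmentation_gaps(SYSTEMS, flows)}")
```

In a real assessment the flow list would be generated from firewall and cloud security-group rules rather than typed by hand, and the classification would be confirmed by the segmentation penetration test rather than taken on trust.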
Gap Analysis
A gap analysis evaluates the organisation’s current position against PCI DSS requirements. It identifies missing controls and required improvements.
Remediation
The organisation must fix all identified issues before moving forward.
Penetration Testing
A penetration test (pentest) simulates a real attack to identify exploitable vulnerabilities in servers, applications and externally exposed services. PCI DSS (Requirement 11) calls for both internal and external tests at least annually and after any significant change, and, where segmentation is used to reduce scope, for tests that confirm the segmentation controls really do isolate the CDE from the rest of the network.
Final Validation and RoC
After the findings have been remediated and retested, the QSA performs the final validation and delivers the Report on Compliance (RoC). With that, the risks have been reduced and documented, and the “Knight” moves on to protect the next organisation.