Achieving and maintaining compliance with the Payment Card Industry Data Security Standard (PCI-DSS) can be challenging enough in a traditional network environment. However, organizations that have adopted cloud computing and use a public, private or hybrid cloud environment face more complexity and a dramatically more dynamic environment. You need the right skills, tools and processes to keep up with the pace of PCI compliance in a modern IT infrastructure.
If you process, transmit, or store payment card data, you fall under PCI-DSS. Failure to maintain compliance with the PCI-DSS requirements could result in fines and penalties, or possibly having your merchant status revoked entirely. Yet, according to the 2017 Payment Security Report from Verizon, 45 percent of the companies they examined were not fully compliant.
Sustaining PCI DSS Compliance
To be clear, PCI compliance is not once and done. Achieving compliance for a moment in time — long enough to pass a quarterly audit — is relatively simple. The goal of compliance, however, is not passing an audit; it is to sustain continuous protection and avoid costly data breaches at the hands of motivated cyber criminals and skilled adversaries. That takes significantly more effort and vigilance than just passing an audit.
Dealing with PCI compliance in a cloud or hybrid environment expands the scope and complexity of the compliance effort. The cloud service provider generally addresses some of the compliance requirements, such as restricting physical access to the hardware or ensuring the underlying operating system is patched and up to date. Ultimately, though, you are responsible for achieving and sustaining PCI compliance and for protecting the cardholder data you’ve been entrusted with. You can’t expect AWS, Microsoft Azure or other cloud service providers to do it for you.
Effective Compliance in the Cloud
There are a number of things you need to do in order to effectively attain and sustain PCI DSS compliance in a cloud environment:
- Perform vulnerability scans of new web applications and workloads as they’re deployed
- Monitor and investigate configuration changes to assess risk
- Ensure web applications are automatically protected as they scale to meet demand
- Centralize and aggregate data for efficient log analysis and archiving
Automation is a key element of keeping up with PCI compliance in a cloud environment. Virtual servers and containers can be spawned or removed in the blink of an eye to meet demand in a scalable cloud environment. For all practical purposes, there is simply no way for human security analysts to work fast enough to perform all of the tasks and functions necessary to maintain compliance in such a dynamic environment.
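The two list items above about monitoring configuration changes and centralizing log data are where automation pays off most directly: an analyst cannot read every change a cloud control plane emits, but a script can triage them continuously. The following is an added example, not Alert Logic's or any cloud provider's code. It reads a constructed, newline-delimited JSON audit log (the field names are a simplified stand-in, not a real provider schema), applies a handful of assumed policy rules that reflect what PCI DSS cares about (firewall openings that expose the cardholder data environment, audit logging being switched off, storage made public), and produces severity-ranked findings that could feed an alerting pipeline. The `sg-cde-` naming convention, the high-risk port set and the action names used in the rules are assumptions for illustration.

```python
"""Triage cloud configuration-change events for PCI-relevant risk.

Added example, not Alert Logic's or any cloud provider's code. The JSON
Lines below are a constructed, simplified audit log (field names are
assumptions, not a real CloudTrail schema). The rules show the kind of
checks continuous PCI compliance monitoring needs: firewall openings that
touch the cardholder data environment (CDE), audit logging being disabled,
and storage being made public.
"""
import ipaddress
import json
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Assumed policy: these services should never be reachable from the whole internet.
HIGH_RISK_PORTS = {22, 3389, 1433, 3306, 5432}
# Assumed naming convention: security groups inside the CDE carry this prefix.
CDE_PREFIX = "sg-cde-"
# Actions that remove or weaken the audit trail PCI DSS requires (assumed names).
LOGGING_KILL_ACTIONS = {"StopLogging", "DeleteTrail"}

# Constructed sample log in JSON Lines form; not real provider output.
SAMPLE_LOG = """\
{"time": "2024-05-01T10:00:00Z", "actor": "deploy-bot", "action": "AuthorizeSecurityGroupIngress", "target": "sg-cde-web", "params": {"port": 443, "cidr": "0.0.0.0/0"}}
{"time": "2024-05-01T10:05:00Z", "actor": "jsmith", "action": "AuthorizeSecurityGroupIngress", "target": "sg-cde-db", "params": {"port": 3306, "cidr": "0.0.0.0/0"}}
{"time": "2024-05-01T10:06:00Z", "actor": "jsmith", "action": "StopLogging", "target": "trail-main", "params": {}}
{"time": "2024-05-01T10:09:00Z", "actor": "ci", "action": "PutBucketAcl", "target": "card-exports", "params": {"acl": "public-read"}}
{"time": "2024-05-01T10:12:00Z", "actor": "ops", "action": "AuthorizeSecurityGroupIngress", "target": "sg-cde-db", "params": {"port": 3306, "cidr": "10.0.0.0/8"}}
"""


@dataclass
class Finding:
    time: str
    actor: str
    action: str
    target: str
    severity: str
    reason: str


def parse_log(text: str) -> List[dict]:
    """Parse JSON Lines into event dicts, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def is_world_open(cidr: str) -> bool:
    """True when a CIDR covers the entire address space (0.0.0.0/0 or ::/0)."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0


def assess_event(event: dict) -> Optional[Finding]:
    """Map one configuration change to a risk finding, or None if benign."""
    action = event["action"]
    target = event["target"]
    params = event.get("params", {})
    severity = reason = None

    if action in LOGGING_KILL_ACTIONS:
        severity, reason = "high", "audit logging disabled"
    elif action == "AuthorizeSecurityGroupIngress" and is_world_open(params["cidr"]):
        port = params["port"]
        if port in HIGH_RISK_PORTS:
            severity, reason = "high", f"port {port} opened to the internet"
        elif target.startswith(CDE_PREFIX):
            # Internet exposure of a CDE group is worth a look even on a web port.
            severity, reason = "medium", f"CDE group exposed on port {port} to the internet"
    elif action == "PutBucketAcl" and "public" in params.get("acl", ""):
        severity, reason = "high", f"bucket made public ({params['acl']})"

    if severity is None:
        return None
    return Finding(event["time"], event["actor"], action, target, severity, reason)


def triage(events: Iterable[dict]) -> List[Finding]:
    """Run every event through assess_event, keeping findings in log order."""
    return [f for f in (assess_event(e) for e in events) if f is not None]


def summarize(findings: Iterable[Finding]) -> dict:
    """Count findings per severity, e.g. for a dashboard or alert threshold."""
    counts: dict = {}
    for f in findings:
        counts[f.severity] = counts.get(f.severity, 0) + 1
    return counts


if __name__ == "__main__":
    found = triage(parse_log(SAMPLE_LOG))
    for f in found:
        print(f"{f.time} {f.severity.upper():6} {f.actor:10} {f.action} on {f.target}: {f.reason}")
    print(summarize(found))
```

Run against the constructed log, the internal-only rule change (the last event) produces no finding, while the world-open database port, the disabled trail and the public bucket all rank high; the web group opened on 443 lands at medium because the CDE prefix, not the port, triggered the rule. In a real deployment the rules would be data-driven and the log source would be the provider's actual audit stream, but the structure (parse, assess each change, aggregate) is the same.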
PCI compliance is a top priority for Rent-A-Center. The retail chain processes more than 6 million card transactions per year. Rent-A-Center selected Alert Logic to secure its workloads on AWS and help streamline compliance efforts.
Gary Sprague, senior information security manager for Rent-A-Center, explained that using Alert Logic through the AWS Marketplace provides him with cost-effective protection around the clock—the equivalent of six full-time employees. Those resources can now be used more effectively to create better services and experiences and find innovative ways to build the business.