Cloud PCI compliance is complex and dynamic, leaving companies with lots to learn.
Startups and small- to medium-sized businesses must take special care to maintain proper payment card industry (PCI) data security standard (DSS) protocols for their cloud applications. However, developing cloud PCI compliance protocols can be costly, labor-intensive, and prone to human error. Here’s what to know about PCI compliance and how to develop a PCI-DSS-compliant application while minimizing costs and development timelines.
What Is Cloud PCI Compliance?
Cloud PCI compliance protocols ensure that consumer cardholder data is processed, stored, and transmitted securely. PCI compliance isn’t law, and is instead enforced by a coalition of credit card companies, the PCI Security Standards Council, which implemented it as the industry standard in the early 2000s. However, if you store, process, or transmit cardholder data, your company is required to meet PCI-DSS standards or be subject to fines of up to $500,000 per incident in the event of a security breach. There are around 300 controls rounding out the list of PCI-DSS requirements. Fortunately, there’s a simplified checklist for understanding cloud PCI compliance requirements broken down into twelve high-level points across five categories:
1. Build and Maintain a Secure Network and Systems
Install and maintain a firewall configuration to protect cardholder data.
Do not use vendor-supplied defaults for system passwords and other security parameters.
2. Protect Cardholder Data
Protect stored cardholder data.
Encrypt transmission of cardholder data across open, public networks.
3. Maintain a Vulnerability Management Program
Protect all systems against malware and regularly update anti-virus software or programs.
Develop and maintain secure systems and applications.
4. Implement Strong Access Control Measures
Restrict access to cardholder data by what businesses need to know.
Identify and authenticate access to system components.
Restrict physical access to cardholder data.
5. Regularly Monitor and Test Networks
Track and monitor all access to network resources and cardholder data.
Regularly test security systems and processes.
6. Maintain an Information Security Policy
Maintain a policy that addresses information security for all personnel.
Following these points as guidelines can help your company meet PCI-DSS standards, though the list is tailored to on-prem applications. Companies with cloud-native applications need to adjust their approach to fully meet the standards for PCI cloud compliance, as copy-pasting on-prem standards can lead to security flaws and fines. But businesses aren’t on their own in their PCI endeavors. There’s a shared responsibility between the cloud service provider (CSP) and their client businesses for PCI-DSS compliance, which can ease the burden on SMBs and startups.
Cloud PCI compliance requirements will also depend on the type of application a business is developing. For example, a CSP will have more PCI-DSS responsibility when hosting a SaaS application, where a business has limited control over user-specific application settings, versus a PaaS, where a business has control over deployed applications or configuration settings for the application. Essentially, businesses are responsible for security in the cloud, the cloud platform provider is responsible for the security of the cloud. The greater the amount of cardholder data, application management, network & firewall configurations, and client data encryption a company handles, the more responsibility it will have when meeting PCI-DSS protocols. CSPs will typically provide a shared responsibility matrix going into more detail about specific obligations.
Want to learn more about how you can achieve all of the above, accelerate your product’s time to compliance, and beat your competitors to market? Check out our free whitepaper on How to Streamline PCI and HIPAA Compliance with DevSecOps Automation.
The Cost of PCI Cloud Compliance
PCI cloud compliance is evolving. The PCI Security Standards Council recently published the PCI Data Security Standard v4.0, which increases the flexibility companies have when developing a cloud PCI compliance framework, while also expanding security standards to emphasize protocols like multi-factor authentication (MFA). The current standard, v3.2.1, will be retired on March 31, 2024, giving companies a few years to learn, implement, and evaluate standards. This is great news for data security, but it will come at a cost for companies. DevSecOps professionals need to be trained, tested, and assessed on their knowledge of PCI-DSS before they can begin developing a solution.
PCI compliance is an ongoing effort, not a one-time development, and the process can burn cash. The national average salary for DevSecOps professionals is $163,122 according to ZipRecruiter, and PCI-DSS requirement 6.4.2 dictates the separation of duties in development/test and production environments. The requirement ensures that no individual has end-to-end control of the PCI-DSS process, so it takes multiple developers to fulfill compliance obligations.
A far greater cost comes from noncompliance, however. High-profile data breach cases, such as the Equifax breach, which could have been prevented had the company followed PCI-DSS guidelines, not only put sensitive consumer data at risk, but also lead to fines and legal fees. For Equifax, the cost of shirking PCI-DSS was a $425 million settlement paid out to consumers, with hundreds of millions of dollars in other legal fees and fines piled on top. And Equifax isn’t alone. Verizon’s 2020 Payment Security Report found that only 27.9% of organizations achieved 100% compliance during their interim compliance validation — a shockingly low number for such an important security standard.
Reducing Cloud PCI Compliance Costs
The cost and time-intensive process of meeting PCI-DSS compliance requirements can be reduced through DevSecOps automation. Such services eliminate the need for specialized DevSecOps professionals, saving small businesses and startups time and resources. Further, The World Economic Forum’s 2022 Global Risks Report states that 95% of cybersecurity issues are due to human error, a risk that automation is often able to eliminate.