Cloud-Centric PCI Compliance Demands Cloud-Native Controls

Over the last 15-plus years, the Payment Card Industry Data Security Standard – a.k.a. PCI DSS – has endured as the bellwether of IT security standards. For today’s e-commerce vendors and cloud centric retailers, maintaining alignment with “PCI” remains as relevant as ever, especially given the continued proliferation of threats and diversity of cloud and hybrid environments.

Long before the infosec world was captivated by Ransomware and DevSecOps – let alone GDPR – PCI’s arrival in 2004 set off a firestorm of activity among nearly every form of retailer, from e-commerce companies to essentially anyone processing payment card transactions.

Unlike the less prescriptive data security standards that came before it, including SOX, when the threat of PCI audits – coupled with penalties from both regulators and payment card companies – became a reality in the mid-to-late 2000s, millions of organizations were forced to reinvent their IT security strategies.

In the wake of high profile incidents such as the TJX data breach these regulators asserted that organizations incapable of protecting their sensitive customer data would now be actively penalized, notably with layers of potential fines.

And while the cybersecurity landscape has evolved continuously in the subsequent years, and PCI has been critiqued both for being variably too permissive or overly rigid, the standard soldiers on.

In fact, despite the emergence of GDPR and other more progressive mandates, PCI clearly remains one of the primary vehicles for IT security compliance worldwide.

PCI and the Cloud

What has changed dramatically in recent years is the degree to which shopping and payment applications providers’ use of cloud applications and infrastructure has become a bigger piece of the PCI puzzle.

Today’s retailers have moved quickly to enlist cloud computing in an effort to increase agility and drive down operational overhead. Many retail startups are entirely cloud-native.

As a result, these companies’ security and DevOps teams are tasked with securing customer data across an increasingly complex web of application services and cloud infrastructure, consisting of dynamic, short-lived hosts, and microservices containers.

While there may be no better example of harnessing the flexibility of cloud services than provisioning more computing power to address surging Black Friday demand, the involved security considerations are significant. These systems generate huge volumes of security monitoring data that can be difficult to collect, store, and analyze – especially in a cost-efficient manner.

It’s worth noting that while major CSPs all comply with PCI themselves, the specifics of the shared responsibility model dictate that, as Google notes, customers bear the “responsibility to comply with PCI DSS requirements for operating system packages and apps… in addition to other customizations required by [their] architecture”.

This considerable set of requirements is precisely why so many “modern” cloud-centric retailers are looking for a cloud-native SIEM to help address their current PCI compliance challenges – because they must enlist a SIEM to meet PCI requirements, and they need a cutting edge solution to address their cloud environments, not merely a traditional product adapted to help address the cloud.

Mapping the Logz.io Cloud SIEM to PCI

As Logz.io CTO Jonah Kowall, a former analyst with Gartner, notes, experts including Gartner and the Cloud Native Computing Foundation (CNCF) now specifically advocate for practitioners to adopt cloud-native SIEMs.

This is based on the fact that PCI compliance requires SIEMs that can address dynamic public cloud environments, run on microservices architectures, engage an API-based approach, and support modern software release cycles.

The Logz.io Cloud SIEM is just such a solution, one that directly enables customers to address, validate and monitor key elements of the 12 PCI requirements to:

Implement firewalls to protect data
Appropriate password protection
Protect cardholder data
Encryption of transmitted cardholder data
Utilize antivirus software
Update software and maintain security systems
Restrict access to cardholder data
Unique IDs assigned to those with access to data
Restrict physical access to data
Create and monitor access logs
Test security systems on a regular basis
Create a policy that is documented and that can be followed

Logz.io Cloud SIEM specifically achieves this goal by aggregating security logs, monitoring telemetry data, and generating alerts whenever PCI compliance policies are violated. This is directly supported via integration with other key providers of security and PCI controls, including:

Firewalls (Requirement 1)
Antivirus systems (Requirement 5)
Access logs (Requirement 10)
And Endpoint Detection and Response (EDR) systems (Requirements 3, 7)

The Logz.io solution also comes loaded with numerous customizable dashboards and hundreds of out-of-the-box rules to ease deployment and continuously refine visualization and response. PCI-specific features include extended data retention and dedicated PCI violation monitoring dashboards, along with role-based access to meet the standard’s broader criteria.

We’ve further integrated Cloud SIEM with the increasingly popular, open-source Wazuh intrusion detection system (HIDS) which monitors for PCI-related activities including failed logins and other suspicious behaviors. This technology is free to use, and hence can be deployed by organizations who are open source centric, as is the case with most modern software companies.

As with many of our existing customers, whether your organization has been conforming with PCI for decades or this is your first effort to deploy a SIEM ahead of an audit, Logz.io offers a compelling case for addressing today’s leading compliance challenges – in the cloud.

For more information or to request a free trial, click here.