To an efficient tool for securing the card data on the Cloud: Cloud Card Compliance Checklist (Extract of my presentation in LA, USA, March 2014)

1. PCI-DSS COMPLIANCE ON THE
CLOUD
TO AN EFFICIENT TOOL FOR
SECURING THE CARD DATA ON
THE CLOUD: CLOUD CARD
COMPLIANCE CHECKLIST
@halloussi By Mr. EL ALLOUSSI LA, USA, March 2014

2. 12 PCI DSS requirements
Activities Describing the Requirements
Build and maintain a secure
network.
halloussi@gmail.com
1. Install and maintain a firewall configuration to protect data; this
includes firewall on client.
2. Do not use vendor supplied defaults for system passwords and
other security parameters.
Protect cardholder data. 3. Protect stored cardholder data.
4. Encrypt transmission of cardholder data and sensitive
information across open public networks.
Maintain a vulnerability
management program.
5. Use and regularly update antivirus software.
6. Develop and maintain secure systems and applications.
Implement strong access
control measures.
7. Restrict access to data by business on a needto-know basis.
8. Assign a unique ID to each person with computer access.
9. Restrict access to cardholder data.
Regularly monitor and test
networks.
10. Track and monitor all access to network resources and
cardholder data.
11. Regularly test security systems and processes.
Maintain an Information
security policy.
12. Maintain a policy that addresses information security.

3. PCI DSS Cloud Computing
Guidelines (2013)
 The responsibilities delineated between the client and the
Cloud Service Provider (CSP) for managing PCI DSS controls
are influenced by a number of variables, including:
 The purpose for which the client is using the cloud service
 The scope of PCI DSS requirements that the client is outsourcing to the
CSP
 The services and system components that the CSP has validated within
its own operations
 The service option that the client has selected to engage the CSP
(IaaS, PaaS or SaaS)
 The scope of any additional services the CSP is providing to proactively
manage the client’s compliance (for example, additional managed
security services)
halloussi@gmail.com

4. PCI DSS Cloud Computing
Guidelines (2013)
 Define Responsibilities such as in the following example:
halloussi@gmail.com

5. PCI DSS Cloud Computing
Guidelines (2013)
 Define Responsibilities such as in the following example:
halloussi@gmail.com

6. Challenges
 Cloud environment need to be aligned with
Card Payment Industry specifications
 Need for tools for auditors, IT professionals
and Card Professional to verify the
environment
 Outsourcing Card Environment is possible by
assuring the convenience and checking
periodically
 We develop an exhaustive Checklist as a tool
halloussi@gmail.com
for auditors

7. Checklist main domains
halloussi@gmail.com
Application and Interface Security
Data security
Network and transport security
Business Continuity
management

8. Network Security: Infrastructure &
Virtualization Security (example and
ControleSpexcifitcartioan ct)PCI DSS Question Expected Testing In
halloussi@gmail.com
place
Not in
place
Target
Date
Network environments
and virtual instances
shall be designed and
configured to restrict and
monitor traffic between
trusted and untrusted
connections, these
configurations shall be
reviewed at least
annually, and supported
by a documented
justification for use for all
allowed services,
protocols, and ports, and
compensating controls.
Does a current network diagram
exists and that it documents all
connections to cardholder data,
including any wireless networks?
 Examine diagram(s)
 Observe network
configurations
Is the network diagram kept
current?
 Interview responsible
personnel
Does the diagram shows all
cardholder data flows across
systems and networks?
Is the diagram kept current and
updated as needed upon changes
to the environment?
 Examine data-flow diagram
 Interview personnel
Do firewall and router
configuration standards include a
description of groups, roles, and
responsibilities for management
of network components?
Are roles and responsibilities are
assigned as documented?
 Interview personnel
responsible for management of
network components

9. Data Security & Information Lifecycle
Management: eCommerce Transactions
(example and extract)
Control Specification PCI DSS Question Expected Testing In
halloussi@gmail.com
place
Not in
place
Target
Date
Data related to
electronic commerce (e-commerce)
that
traverses public
networks shall be
appropriately classified
and protected from
fraudulent activity,
unauthorized disclosure,
or modification in such
a manner to prevent
contract dispute and
compromise of data.
Were Encryption keys changed from
default at installation?
 Interview responsible personnel
 examine supporting
documentation
Are encryption keys changed
anytime anyone with knowledge of
the keys leaves the company or
changes positions?
 Interview responsible personnel
 examine supporting
documentation
Are default passwords/passphrases
on access points are not used?
 Examine vendor documentation
and login to wireless devices
Is firmware on wireless devices
updated to support strong
encryption for authentication over
wireless networks?
Is firmware on wireless devices
updated to support strong
encryption for Transmission over
wireless networks?
 Examine vendor documentation
 Observe wireless configuration
settings
Were other security-related
wireless vendor defaults changed?
 Examine vendor documentation
 Observe wireless configuration
settings

10. Application & Interface Security:
Application Security (example and
extract) Control Specification PCI DSS Question Expected Testing In
halloussi@gmail.com
place
Not
in
place
Target
Date
Applications and
programming
interfaces (APIs)
shall be designed,
developed, deployed
and tested in
accordance with
leading industry
standards (e.g.,
OWASP for web
applications) and
adhere to applicable
legal, statutory, or
regulatory
compliance
obligations.
6.5.a : Are developers required training in
secure coding techniques based on industry
best practices and guidance?
 Review policies and
procedures for training
 Interview personnel
6.5.b : Are developers knowledgeable in
secure coding techniques, including how to
avoid common coding vulnerabilities, and
understanding how sensitive data is handled
in memory?
 Interview personnel
 Examine records of training
Are processes to protect applications from the
following vulnerabilities, in place?
– Are injection flaws addressed by coding
techniques (Modifying meaning of
command and queries or utilizing
parameterized queries)?
 Review policies and
procedures for software-development
 Interview personnel
– Are buffer overflows addressed by coding
techniques (buffer boundaries and
truncating input strings)?
 Review policies and
procedures for software-development
 Interview personnel

11. Business Continuity Management & Operational Resilience:
Datacenter Utilities / Environmental Conditions (example and
extract)
Control Specification PCI DSS Question Expected Testing In
halloussi@gmail.com
place
Not
in
place
Targ
et
Date
Datacenter utilities
services and
environmental conditions
(e.g., water, power,
temperature and
humidity controls,
telecommunications, and
internet connectivity)
shall be secured,
monitored, maintained,
and tested for continual
effectiveness at planned
intervals to ensure
protection from
unauthorized interception
or damage, and designed
with automated fail-over
or other redundancies in
the event of planned or
unplanned disruptions.
Is there physical security controls for
each computer room, data center, and
other physical areas with systems in
the cardholder data environment?
Is access controlled with badge
readers or other devices including
authorized badges and lock and key?
Are they “locked” to prevent
unauthorized use?
 Observe a system
administrator’s attempt to log
into consoles for randomly
selected systems in the
cardholder environment
Are video cameras and/or access
control mechanisms in place to
monitor the entry/exit points to
sensitive areas?
Are video cameras and/or access
control mechanisms protected from
tampering or disabling?

12. Cloud PCI Checklist
Very rich resources for Auditors and Card
professionals
A new norm for Cloud adopters for
checking environment before outsourcing
Card Data
halloussi@gmail.com
12

13. halloussi@gmail.com
Dear auditors:
Contact me for any more
information about the exhaustive
Checklist
@halloussi
fr.slideshare.net/alloussi