

PCI DSS 3.0 Deadline Is Upon Us By @Porticor | @CloudExpo [#Cloud]

2014 was a year of cloud security and compliance accomplishments and 2015 will certainly bring new challenges and new successes


In 2014, we worked closely with many customers who needed to adhere to HIPAA and PCI DSS compliance requirements. We made sure all bases were covered, data was protected, and compliance was achieved.

Though PCI DSS 3.0 was officially released on November 7, 2013 and became effective on January 1, 2014, its compliance deadline took effect a year later, on January 1, 2015. This infographic explains what you need to know about PCI DSS 3.0.

[Infographic: PCI DSS 3.0]

The changes from PCI DSS version 2.0 to the new PCI DSS version 3.0 are detailed here.

While PCI 3.0 has the same 12 core requirements as PCI 2.0, PCI 3.0 provides better instruction to Qualified Security Assessors (QSAs) about what to measure and how to determine that an appropriate control is in place. One of the main goals of version 3.0 is to move organizations from compliance to a security approach based on shared responsibility.

PCI 3.0 presents a variety of new requirements including:

  • Password strength and complexity education and flexibility
  • Penetration testing and segmentation
  • Software Development Lifecycle (SDLC) security testing including threat modeling
  • Risk assessments following significant changes to cardholder environments
  • Protecting the terminal (Point of Sale)

In addition to these new requirements, PCI DSS 3.0 offers substantial guidance on "protect stored cardholder data." This protection takes many forms, including Requirement 3.5, which requires companies to "document and implement procedures to protect keys used to secure stored cardholder data against disclosure and misuse" and to "store cryptographic keys in the fewest possible locations." Requirement 3.6 requires "secure cryptographic key storage," which is generally addressed by encrypting the keys themselves. The guidelines require that the keys used to decrypt encryption keys be protected as strongly as the encryption keys themselves. Why is this important? Because anyone with access to the keys can decrypt the protected data.
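The key-wrapping pattern Requirements 3.5 and 3.6 describe is usually implemented as envelope encryption: each record is encrypted under its own data-encrypting key (DEK), and only a wrapped copy of that DEK, encrypted under a key-encrypting key (KEK), is stored beside the ciphertext. The KEK lives in one protected place and never travels with the data, which is what keeps keys in "the fewest possible locations." The Go program below is an added illustration of that pattern; it is not Porticor's code and not from the original post. It assumes AES-256-GCM for both layers and that the KEK is supplied by an HSM or key-management service (here it is generated in `main` only so the program runs stand-alone). The `wrapLabel` value, the `Envelope` structure and the sample record are constructed for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Envelope is what is stored beside a cardholder record: the data ciphertext
// plus the data-encrypting key (DEK) wrapped under the key-encrypting key (KEK).
// The KEK itself never appears here; it stays in its single protected location.
type Envelope struct {
	DataNonce  []byte // GCM nonce for the cardholder-data ciphertext
	Ciphertext []byte // AES-256-GCM ciphertext of the cardholder data
	WrapNonce  []byte // GCM nonce used when wrapping the DEK
	WrappedDEK []byte // the DEK, encrypted under the KEK
}

// wrapLabel (constructed for this example) is authenticated, not encrypted,
// with every wrapped DEK, so a wrapped key cannot be confused with data ciphertext.
var wrapLabel = []byte("pci-dek-wrap-v1")

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal encrypts plaintext under key with a fresh random nonce.
func seal(key, plaintext, aad []byte) (nonce, ct []byte, err error) {
	g, err := newGCM(key)
	if err != nil {
		return nil, nil, err
	}
	nonce = make([]byte, g.NonceSize())
	if _, err = rand.Read(nonce); err != nil {
		return nil, nil, err
	}
	return nonce, g.Seal(nil, nonce, plaintext, aad), nil
}

// open reverses seal; it fails on a wrong key or any tampering.
func open(key, nonce, ct, aad []byte) ([]byte, error) {
	g, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	return g.Open(nil, nonce, ct, aad)
}

// Encrypt generates a one-off 256-bit DEK for this record, encrypts the data
// with it, then wraps the DEK under the KEK so only the wrapped form is stored.
func Encrypt(kek, plaintext []byte) (*Envelope, error) {
	if len(kek) != 32 {
		return nil, errors.New("KEK must be 32 bytes (AES-256)")
	}
	dek := make([]byte, 32)
	if _, err := rand.Read(dek); err != nil {
		return nil, err
	}
	dataNonce, ct, err := seal(dek, plaintext, nil)
	if err != nil {
		return nil, err
	}
	wrapNonce, wrapped, err := seal(kek, dek, wrapLabel)
	if err != nil {
		return nil, err
	}
	return &Envelope{DataNonce: dataNonce, Ciphertext: ct, WrapNonce: wrapNonce, WrappedDEK: wrapped}, nil
}

// Decrypt unwraps the DEK with the KEK, then decrypts the data with the DEK.
// Without the KEK, the stored envelope yields nothing.
func Decrypt(kek []byte, env *Envelope) ([]byte, error) {
	dek, err := open(kek, env.WrapNonce, env.WrappedDEK, wrapLabel)
	if err != nil {
		return nil, fmt.Errorf("unwrap DEK: %w", err)
	}
	return open(dek, env.DataNonce, env.Ciphertext, nil)
}

func main() {
	// Constructed sample: in practice the KEK comes from an HSM or KMS, not from code.
	kek := make([]byte, 32)
	if _, err := rand.Read(kek); err != nil {
		panic(err)
	}
	env, err := Encrypt(kek, []byte("cardholder record 0001 (constructed sample)"))
	if err != nil {
		panic(err)
	}
	fmt.Printf("stored: %d ciphertext bytes, %d wrapped-DEK bytes, no KEK\n", len(env.Ciphertext), len(env.WrappedDEK))
	pt, err := Decrypt(kek, env)
	if err != nil {
		panic(err)
	}
	fmt.Printf("recovered: %s\n", pt)
}
```

Because the DEK is stored only in wrapped form, rotating the KEK means re-wrapping the DEKs rather than re-encrypting every record, and the GCM authentication tag causes decryption with the wrong KEK or a tampered wrapped DEK to fail outright instead of yielding garbage.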

The intent of strong cryptography as defined in the PCI DSS Glossary of Terms, Abbreviations and Acronyms is that the encryption be based on an industry-tested and accepted algorithm (such as AES) with strong cryptographic keys and proper key-management practices.

Porticor provides a complete solution for encrypting data and a homomorphic split-key management system that provides the level of security needed to comply with the PCI requirements. It also ensures that no one has access to encryption keys, and that only authorized personnel will have access to metadata such as key names.

The post PCI DSS 3.0 Deadline is Upon Us appeared first on Porticor Cloud Security.


More Stories By Ariel Dan

Ariel Dan is co-founder and Executive Vice President at Porticor cloud security. Follow him on twitter: @ariel_dan