Achieving PCI compliance securely through the power of cloud native technology

By Trevor Morgan, product manager at comforte AG

With cloud services introduced and widely marketed over a decade ago, cloud technology usage has accelerated dramatically in recent years, especially within the FinTech industry. What explains this accelerated adoption of cloud services? Enterprises want to leverage the many benefits that cloud migration promises, including increased flexibility, mobility, access, and a clear ROI in terms of cost efficiency. For financial and retail enterprises, one specific compliance requirement is imperative: The Payment Card Industry Data Security Standard (PCI DSS). The Payment Card Industry (PCI) formed PCI DSS to ensure that any organization which stores, processes, or transmits cardholder data must do so following a consistent industry-accepted standard. This situation reinforces the need for the security, privacy, and visibility of cardholder data (CHD) to be regulated across applications and platforms. But what role does cloud native technology have to play when it comes to compliance?

As we know, businesses want the operational benefits of speed and agility, which provide them with the ability to do more with less and therefore increase their margins. However, these considerations come with additional risks. Many of the data breaches we see and hear about occur as a result of cyberattacks, exposed vulnerabilities, and security misconfigurations. In fact, 94% of organizations have experienced what they call “a serious security issue” in the last 12 months within their container environment. Under PCI DSS, many of these incidents could have resulted in a successful data breach or a non-compliance filing.

Several financial organizations have already moved many of their digital operations either to the cloud or cloud native technologies. Yet, there are distinct differences between cloud and cloud native technologies which must be understood in order to increase success with regulatory and industry standards compliance.

Cloud technology includes on-demand infrastructure, storage, databases, and all kinds of application services provided and delivered via the internet. Organizations will use this technology to store information, programs, and applications instead of relying on a computer hard drive or storage device located on premise.

Cloud native is the architecture for assembling all of the above cloud-based components in a way that is optimized for the cloud environment. Essentially, they are applications and services purposely designed specifically for the cloud and are packaged in containers that are managed by platforms like Kubernetes. These services can be deployed swiftly and to scale across many different environments.

However, challenges from a risk and compliance perspective can arise when shifting to cloud native technology. For instance, within highly dynamic cloud native environments where applications and services could exist for very short periods of time, it can be difficult to define what might be considered a traditional cardholder data environment. Visibility can also be an issue when using cloud native technologies. For example, when you have ephemeral workloads, particularly with containers that contain their own data stores and only exist for short periods of time, the actual presence of data may be transient at best. Some organizations have compared this process to a murder mystery trying to figure out what the nature of the data is, the data relationships, and how they communicate across these transient ecosystems. This can all be tricky, particularly when trying to do things like a forensics investigation for possible data breaches and shortcomings in regulatory compliance. So, how can one secure such data, or monitor its behavior, when there is a clear difficulty maintaining visibility?

The PCI SSC Council has provided materials and clear guidelines on cloud computing, but when using dynamic container environments that are being scaled out across multiple applications and ecosystems, the act of auditing, defining, and securing each system can be extremely difficult.

Add to this the responsibility assumption of data privacy and security between both the data owner and the cloud provider. However, under the PCI shared responsibility model, the data owner must take all of the responsibility in protecting cardholder data and ensuring it meets the requirements for any data transmitted or stored within their applications and databases. If your organization puts the data there, then you are wholly responsible for data privacy and security.

To meet PCI DSS compliance, organizations have to ensure cardholder data is being effectively secured within these containerized environments. Therefore, many decision-makers aim to utilize a data security approach that leverages stateless tokenized architectures which can be seamlessly implemented to meet the PCI DSS requirements. For instance, storing tokens instead of PANs will help to reduce the amount of sensitive data held within these architectures. Furthermore, using container-based tokenization to address PCI DSS requirements around shared responsibility can be extremely beneficial as it can keep up with the agility, changes, and demands of cloud native technology, unlike the more traditional data protection platforms used for such environments.

Cloud native ecosystems have the capability to scale up on-demand or retract when under threat, and they offer new possibilities for approaching and mitigating risk. Fortunately, tokenization security can meet this demand for the data it is protecting within these environments. New cloud native ecosystems will drastically change the approach of the modern retailer and payment processor, but to guarantee PCI DSS compliance and absolute risk reduction, it is still absolutely critical to follow a data-centric security approach rather than more traditional defensive methods.