We recently worked with a client to build a PCI compliant infrastructure in the cloud. Here are some key takeaways from that experience. Becoming PCI compliant is often perceived as a daunting task, as there are approximately 200 requirements that an organization needs to adhere to. However, much like Pareto's 80-20 principle, a handful of tasks deliver most of the progress. Here are the main ones that can catapult your organization into becoming PCI compliant.
Procedures over Policies
Updating your security policies with PCI mandated requirements is one thing, but getting your development team to follow a Secure SDLC, or your IT team to create tickets and follow the change management process, is another. Becoming PCI compliant requires a shift in mindset for everyone in the organization.
Restricting Scope for CDE
PCI has stringent security requirements, but they apply only to the Cardholder Data Environment (CDE). Create an updated data flow diagram that contains only the CDE systems, and remove everything else from the PCI scope.
Centralized logging and Monitoring
Logging and monitoring is a time consuming and expensive process, but did you know there are open source solutions, e.g. Wazuh, that can provide the same functionality for a fraction of the cost?
Restricting Access to & from the PCI Environment
The PCI environment contains sensitive financial information about your customers. Restrict user access to the PCI environment, mask or tokenize credit card data, and absolutely block all unnecessary network access, especially to and from the Internet.
Review which services are running on your PCI servers and harden your systems by removing unnecessary services and insecure protocols. Encrypt all data in transit and at rest.
PCI controls are essentially technical in nature, which means you can reuse these controls on your way to becoming HIPAA, SOC2, ISO 27001 compliant as well. Careful Security is here to help!