PCI DSS/API E-Commerce: many fear the standard, some avoid the standard, some cut corners and risk their credibility and reputation and, let’s face it … an excruciating fine from the PCI Council, alongside one from the ICO under GDPR. This blog is aimed at those who are taking security seriously and also want to reduce operational, regulatory and compliance costs by moving to a Google Cloud-based strategy. However, I can’t stress enough that outsourcing aspects of your environment is not a way of transferring responsibility.
Depending on your company’s transaction posture, those deemed high-risk must engage the services of a QSA (Qualified Security Assessor) to assist in becoming compliant, and this can be a painful cost to bear. Organisations are now looking to simplify this process by using a cloud provider to supply a compliant platform on which to build applications and API-driven e-commerce platforms with ease and scalability. Google Cloud Platform can ease the process by sharing this burden with you, giving you a compliant infrastructure to build upon and a clear and concise shared responsibility model. It is important to stress, however, that using a third party like GCP requires you to work directly with them and does not remove your accountability; it is always important to know your Third-Party Security Assurance information. With all of this in mind, I would always suggest engaging qualified PCI professionals if you are unsure about your SAQ (Self Assessment Questionnaire) when using cloud services.
It is, however, vital that GCP customers are aware that any workload built on a compliant cloud environment needs to be compliant itself. Let’s use the analogy of a house: it’s all well and good having the most expensive bricks, a solid metal 9-foot fence surrounding it and the most durable double glazing, but if you leave your front door wide open and a passing thief notices, the rest is pretty pointless. A quick trip to a DIY store to purchase a ladder and someone could walk directly into your home and steal whatever they wish. Now think of the cloud environment as the house and the application as the door. Adopting a secure cloud environment is a pointless exercise if someone can infiltrate the application that sits on it. You have yourself a scenario of someone leaving the front door open.
Industry best practice suggests that any environment that stores, processes or transmits card data should be monitored appropriately. This is separate from the obligations for penetration testing and on-going scanning, with the appropriate infrastructure and access controls etc. The traditional answer is a SIEM (security information and event management) solution, which can be extremely complex to implement, quite pricey and operationally time-consuming. Google Cloud customers have been able to solve their logging and monitoring needs by utilising a mixture of services from GCP, with Stackdriver Monitoring and Logging and BigQuery being some key solutions. Information is readily available, easy to digest and easy to report on if the worst case happens. Read about how some GCP customers have benefited from Google Cloud services on their PCI DSS journey – Oro: How GCP smoothed our path to PCI.
Luckily, Google has provided a number of very useful guidelines for its customers, including how to create a PCI DSS environment in Google Cloud.
If you are facing any of the above difficulties in your cloud/card payment strategy, or are unsure how to know your data is secure in Google Cloud, then get in touch with the team here at Netpremacy. We boast countless success stories within this arena and are always available to help. Sign up for our upcoming security event at our Netpremacy HQ in Leeds here.