Welcome!

Cloud Security Authors: XebiaLabs Blog, Mehdi Daoudi, Derek Weeks, Liz McMillan, ManageEngine IT Matters

Related Topics: Cloud Security, @CloudExpo

Cloud Security: Blog Feed Post

@CloudExpo | PCI-DSS Encryption Requirements

Significant money is at stake and in need of protection in the Payment Card Industry (PCI)

Significant money is at stake and in need of protection in the Payment Card Industry (PCI). The global payment card industry covers several sectors: banks and financial institutions (acquirers), issuers, processors, service providers, merchants carrying out transactions online and via point of sale terminals in bricks and mortar stores, large and small.

PCI Security
The PCI Security Organization’s Data Security Standard (DSS) applies to your business if you store, process or transmit cardholder data (CHD). The PCI supply chain is not an isolated entity. It needs to protect itself well beyond its own

PCI DSS Encryption Requirements PCI Compliance Cloud Encryption  pcidssencryptionrequirements PCI DSS Encryption Requirements

perimeter fences. This is because business entities also need to protect the billions of people every day that key in their Personal Identity Numbers (PINs) and other personal data as they trade or carry out transactions in store or over the Internet, from fixed and mobile devices using payment cards. Increasingly, commerce takes place via mobile devices over wireless networks, with the card itself rarely being physically present at the store.

As credit and debit cards are used more and more, checks are disappearing in many economies. In a mobile, electronic, global world, the payment card industry continues to grow. In May 2014, for example, £47.1 billion was spent in the United Kingdom on cards of all types (credit and debit), a 7.5% annual growth in spending rates over May 2013, at a time where the country’s economy is a long way from recovery.

It’s not surprising therefore that the payment card industry attracts people of malicious intent.

PCI-DSS Encryption Requirements
In this reality, if your business occupies any of the nodes in the payment card supply chain, you must comply with the 12 core requirements of PCI-DSS to keep perpetrators of payment card fraud at bay. You will need to ensure you have the same levels of protection, and thus of PCI-DSS compliance, in the cloud and in your data centers. In addition, you must make sure that all third-party service providers you use are fully PCI-compliant.

Several of the 12 PCI-DSS requirements are relevant for cloud security. However, on this occasion, we’ll single out those sections of requirement number 3, which relate specifically to the protection of stored cardholder data. As you’ll see below, you can comply with these requirements by using Porticor’s data encryption and cloud key management system.

PCI-DSS Encryption: Requirement 3
Requirement 3.4, for example, states that you must make sure that Primary Account Numbers (PANs) are unreadable, wherever they are stored. Our solution ensures your compliance here thanks to strong hashing (SHA-2) and AES-256 encryption, augmented by robust encryption key management.

You must not tie decryption keys to user accounts, regardless of whether you encrypt at the disk, file- or column-level of the database, nor must you allow access to the cryptographic key by native operating systems. Your compliance is assured on both points with Porticor’s key management algorithm, which by default splits the key. This keeps it independent of the OS, as well as administrators and service providers in your supply chain. In other words, access is limited to very few custodians and, always acting together, rather than any one on their own, ensures your compliance with requirements 3.5.1 and 3.5.2.

With Porticor, you can be sure there are no copies of encryption keys lying around!

To help you fully document and implement all your key management processes, we publish validated protocols and enable our clients’ representatives to review externally validated proofs of strength. Porticor’s smart mechanisms, which support AES 256 and RSA public keys, enable you to generate and securely store cryptographic keys of any length and of all major crypto systems.

Porticor’s Virtual Key Management System, comprised of split keys and homomorphic key encryption, allows you to securely distribute cryptographic keys when you need to, store them securely at all times, and retire, replace or re-encrypt them as and when you deem any of these actions necessary.

The Porticor system never allows manual clear-text key operations or unauthorized cryptographic key substitution, surpassing the needs of requirement 3.6.6. ‘Split knowledge and dual control’ are standard, and again surpass requirement 3.6.7, as our encryption key management does not allow administrators to substitute keys. Key rotation is available out of the box using secure algorithms. Furthermore, any software using the Porticor API can only do so when using keys and tokens that have been securely assigned to authorized security personnel.

Overall, preparation, vigilance, and strong policies will help reduce risk for any business that deals with payment card data.

The post PCI-DSS Encryption Requirements appeared first on Porticor Cloud Security.

More Stories By Gilad Parann-Nissany

Gilad Parann-Nissany, Founder and CEO at Porticor is a pioneer of Cloud Computing. He has built SaaS Clouds for medium and small enterprises at SAP (CTO Small Business); contributing to several SAP products and reaching more than 8 million users. Recently he has created a consumer Cloud at G.ho.st - a cloud operating system that delighted hundreds of thousands of users while providing browser-based and mobile access to data, people and a variety of cloud-based applications. He is now CEO of Porticor, a leader in Virtual Privacy and Cloud Security.

@ThingsExpo Stories
The age of Digital Disruption is evolving into the next era – Digital Cohesion, an age in which applications securely self-assemble and deliver predictive services that continuously adapt to user behavior. Information from devices, sensors and applications around us will drive services seamlessly across mobile and fixed devices/infrastructure. This evolution is happening now in software defined services and secure networking. Four key drivers – Performance, Economics, Interoperability and Trust ...
With billions of sensors deployed worldwide, the amount of machine-generated data will soon exceed what our networks can handle. But consumers and businesses will expect seamless experiences and real-time responsiveness. What does this mean for IoT devices and the infrastructure that supports them? More of the data will need to be handled at - or closer to - the devices themselves.
With major technology companies and startups seriously embracing IoT strategies, now is the perfect time to attend @ThingsExpo 2016 in New York. Learn what is going on, contribute to the discussions, and ensure that your enterprise is as "IoT-Ready" as it can be! Internet of @ThingsExpo, taking place June 6-8, 2017, at the Javits Center in New York City, New York, is co-located with 20th Cloud Expo and will feature technical sessions from a rock star conference faculty and the leading industry p...
Grape Up is a software company, specialized in cloud native application development and professional services related to Cloud Foundry PaaS. With five expert teams that operate in various sectors of the market across the USA and Europe, we work with a variety of customers from emerging startups to Fortune 1000 companies.
In his keynote at @ThingsExpo, Chris Matthieu, Director of IoT Engineering at Citrix and co-founder and CTO of Octoblu, focused on building an IoT platform and company. He provided a behind-the-scenes look at Octoblu’s platform, business, and pivots along the way (including the Citrix acquisition of Octoblu).
Financial Technology has become a topic of intense interest throughout the cloud developer and enterprise IT communities. Accordingly, attendees at the upcoming 20th Cloud Expo at the Javits Center in New York, June 6-8, 2017, will find fresh new content in a new track called FinTech.
SYS-CON Events announced today that CollabNet, a global leader in enterprise software development, release automation and DevOps solutions, will be a Bronze Sponsor of SYS-CON's 20th International Cloud Expo®, taking place from June 6-8, 2017, at the Javits Center in New York City, NY. CollabNet offers a broad range of solutions with the mission of helping modern organizations deliver quality software at speed. The company’s latest innovation, the DevOps Lifecycle Manager (DLM), supports Value S...
SYS-CON Events announced today that Interoute, owner-operator of one of Europe's largest networks and a global cloud services platform, has been named “Bronze Sponsor” of SYS-CON's 20th Cloud Expo, which will take place on June 6-8, 2017 at the Javits Center in New York, New York. Interoute is the owner-operator of one of Europe's largest networks and a global cloud services platform which encompasses 12 data centers, 14 virtual data centers and 31 colocation centers, with connections to 195 add...
Multiple data types are pouring into IoT deployments. Data is coming in small packages as well as enormous files and data streams of many sizes. Widespread use of mobile devices adds to the total. In this power panel at @ThingsExpo, moderated by Conference Chair Roger Strukhoff, panelists will look at the tools and environments that are being put to use in IoT deployments, as well as the team skills a modern enterprise IT shop needs to keep things running, get a handle on all this data, and deli...
The Internet of Things is clearly many things: data collection and analytics, wearables, Smart Grids and Smart Cities, the Industrial Internet, and more. Cool platforms like Arduino, Raspberry Pi, Intel's Galileo and Edison, and a diverse world of sensors are making the IoT a great toy box for developers in all these areas. In this Power Panel at @ThingsExpo, moderated by Conference Chair Roger Strukhoff, panelists discussed what things are the most important, which will have the most profound e...
@ThingsExpo has been named the Most Influential ‘Smart Cities - IIoT' Account and @BigDataExpo has been named fourteenth by Right Relevance (RR), which provides curated information and intelligence on approximately 50,000 topics. In addition, Right Relevance provides an Insights offering that combines the above Topics and Influencers information with real time conversations to provide actionable intelligence with visualizations to enable decision making. The Insights service is applicable to eve...
The 20th International Cloud Expo has announced that its Call for Papers is open. Cloud Expo, to be held June 6-8, 2017, at the Javits Center in New York City, brings together Cloud Computing, Big Data, Internet of Things, DevOps, Containers, Microservices and WebRTC to one location. With cloud computing driving a higher percentage of enterprise IT budgets every year, it becomes increasingly important to plant your flag in this fast-expanding business opportunity. Submit your speaking proposal ...
SYS-CON Events announced today that Grape Up will exhibit at SYS-CON's 21st International Cloud Expo®, which will take place on Oct. 31 – Nov 2, 2017, at the Santa Clara Convention Center in Santa Clara, CA. Grape Up is a software company specializing in cloud native application development and professional services related to Cloud Foundry PaaS. With five expert teams that operate in various sectors of the market across the U.S. and Europe, Grape Up works with a variety of customers from emergi...
DevOps is often described as a combination of technology and culture. Without both, DevOps isn't complete. However, applying the culture to outdated technology is a recipe for disaster; as response times grow and connections between teams are delayed by technology, the culture will die. A Nutanix Enterprise Cloud has many benefits that provide the needed base for a true DevOps paradigm.
SYS-CON Events announced today that T-Mobile will exhibit at SYS-CON's 20th International Cloud Expo®, which will take place on June 6-8, 2017, at the Javits Center in New York City, NY. As America's Un-carrier, T-Mobile US, Inc., is redefining the way consumers and businesses buy wireless services through leading product and service innovation. The Company's advanced nationwide 4G LTE network delivers outstanding wireless experiences to 67.4 million customers who are unwilling to compromise on ...
@GonzalezCarmen has been ranked the Number One Influencer and @ThingsExpo has been named the Number One Brand in the “M2M 2016: Top 100 Influencers and Brands” by Analytic. Onalytica analyzed tweets over the last 6 months mentioning the keywords M2M OR “Machine to Machine.” They then identified the top 100 most influential brands and individuals leading the discussion on Twitter.
With major technology companies and startups seriously embracing Cloud strategies, now is the perfect time to attend @CloudExpo | @ThingsExpo, June 6-8, 2017, at the Javits Center in New York City, NY and October 31 - November 2, 2017, Santa Clara Convention Center, CA. Learn what is going on, contribute to the discussions, and ensure that your enterprise is on the right path to Digital Transformation.
20th Cloud Expo, taking place June 6-8, 2017, at the Javits Center in New York City, NY, will feature technical sessions from a rock star conference faculty and the leading industry players in the world. Cloud computing is now being embraced by a majority of enterprises of all sizes. Yesterday's debate about public vs. private has transformed into the reality of hybrid cloud: a recent survey shows that 74% of enterprises have a hybrid cloud strategy.
Five years ago development was seen as a dead-end career, now it’s anything but – with an explosion in mobile and IoT initiatives increasing the demand for skilled engineers. But apart from having a ready supply of great coders, what constitutes true ‘DevOps Royalty’? It’ll be the ability to craft resilient architectures, supportability, security everywhere across the software lifecycle. In his keynote at @DevOpsSummit at 20th Cloud Expo, Jeffrey Scheaffer, GM and SVP, Continuous Delivery Busine...
New competitors, disruptive technologies, and growing expectations are pushing every business to both adopt and deliver new digital services. This ‘Digital Transformation’ demands rapid delivery and continuous iteration of new competitive services via multiple channels, which in turn demands new service delivery techniques – including DevOps. In this power panel at @DevOpsSummit 20th Cloud Expo, moderated by DevOps Conference Co-Chair Andi Mann, panelists will examine how DevOps helps to meet th...