Helping Payments Companies Remain PCI-Compliant in the Cloud

By Manish Upasani, head of products, Utimaco [ Join Cybersecurity Insiders ]
100
Nist

The payments technology space has too often lagged when it comes to adapting to new technology and to updating regulations accordingly. One major issue is cloud adoption. While many organizations have increased cloud adoption, there are two primary challenges here. The first is that the cloud has created new risk. The second is that the primary standards body for payments companies hasn’t created an easy on-ramp for compliance when it comes to certain types of cloud-based security technologies that would help with the aforementioned risk.

This has left many companies in something of a conundrum, but fortunately, there are ways around these twin challenges that can help providers remain compliant and secure.

Threats in the cloud

The payments/financial services industry is a major target for bad actors, and that’s not going to change. At the same time, this sector is experiencing massive cloud adoption to process and store data. Cloud solutions empower providers to innovate, expand the business and offer fast services to their customers.

The cloud offers many benefits, but it also brings risks. Attack surfaces increase in proportion to the size of the cloud being used. New attack vectors can arise as a result of these new attack surfaces. Attackers go after cloud platforms, which jeopardizes business uptime. And that can lead to data breaches, data loss and brand damage.

Consequently, financial services and payments providers are duty-bound to create and maintain robust security controls for cloud data. They can successfully create security for this data via approaches that enable users to control – either partially or completely – their sensitive data whether it’s in motion or at rest.

HSMs for the cloud era 

One approach to security is hardware security modules (HSMs). These modules enable key generation, storage and exchange, and can help organizations address security requirements as well as compliance and regulatory mandates like PCI.

However, many traditional HSM providers for the payments sector have been dragging their feet when it comes to the cloud – largely due to concerns about compliance. Historically, the way you operate HSMs is that you need hardware to manage hardware. To manage an HSM, you need to be able to talk to the hardware security modules using smart cards, USB tokens, Public Key Infrastructure (PKI) cards and other security devices and methods.

You also need what’s called a key loading device to be able to authenticate or to load the keys on the HSMs. And if you deviate from this, then you’re not meeting PCI compliance. The Payments Card Industry Security Standards Council – which establishes the standards better known as PCI – doesn’t currently allow a clear path and adoption towards payment HSM in the cloud.

Consider HSM as a Service

What’s ultimately needed is for PCI to come around and create validation standards for cloud-based HSMs for the payments industry. However, regulation and compliance mandates take time to revise, evolve, get approved and become law.

In the shorter term, while the industry waits for PCI to keep up, one workaround is the concept of a payment HSM as a Service. This helps with some of the aforementioned challenges by removing the burden of management from the customers.

What is HSM as a Service? It’s an HSM service based in the cloud that allows users to generate and securely store encryption keys. It eliminates the need to perform set-up, evaluation, upgrades and other maintenance tasks. It also removes the on-premises HSM management requirement, which can lead to major effort and expense.

HSM as a Service comes in a variety of configurations, from dedicated HSMs to those that are partly or fully shared. Key management and other management functions may be included in the service solution, or they may be the customer’s job, performed in another cloud or in the customer’s data center.

While more and more providers are offering HSM as a Service, the usage of these may not always meet certain PCI standards. You’ll need to ask your service provider specifically to ensure what you’re being offered will meet the PCI standards you’re subject to.

Balancing cloud adoption and PCI compliance

Financial services and payments providers have rapidly adopted the cloud but found that current regulations are limited when it comes to how they use certain security technologies in the cloud. While current standards don’t allow for the use of HSMs in the cloud, one workaround is HSM as a Service. This can play a key role in helping providers as they continue their cloud migration journeys and abide by ever-evolving compliance mandates.

Ad

No posts to display