Cloud PCI DSS Compliance

Supporting PCI DSS with Porticor Virtual Private Data

If your organization stores, processes or transmits cardholder data, it must comply with the Payment Card Industry Data Security Standard (PCI DSS). PCI DSS is an industry-wide standard for protecting cardholder data, built on established best practices for network and data security. Protecting stored cardholder data in your systems and applications is one of the central concerns of PCI DSS, and it is all the more critical when that data is stored and processed in the cloud.

Encryption and Compliance in the Cloud

Porticor Virtual Private Data (VPD) is a comprehensive solution that combines strong encryption with patented key management so you can both protect information and maintain compliance in the cloud. Porticor VPD encrypts the entire data layer including virtual disks, databases, files, object storage and more. It also addresses the processes necessary for managing your encryption environment and encryption keys. It provides the strong security needed for compliance in a convenient, cost-effective, fully cloud-based solution.

Protecting Privacy Inside and Out

PCI DSS specifically emphasizes the need to protect encryption keys not only from outside threats, but also from insiders who do not have a “business need to know” (the key-custody controls under Requirement 3 and the need-to-know rule of Requirement 7). This separation is built into the Porticor solution. Like a Swiss banker offering a traditional safe deposit box, Porticor requires two keys to encrypt or decrypt an object. Each key is itself encrypted, using patent-pending homomorphic key management technology, to protect it while it is resident in your cloud account.

With Porticor, you hold a Master Key that is never present in the cloud in plain, unencrypted form. You therefore retain control of your encrypted data without having to install and maintain expensive key management servers on premises. Porticor VPD is the only pure cloud solution where you, and only you, hold the key to your data.
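The two-key property described above, as an added illustration that is not Porticor's code and does not reproduce its patented homomorphic key-management scheme (the page does not describe that scheme in enough detail to reproduce it): a per-object data key is wrapped under a key-encryption key that can only be derived from both a customer-held master share and a share kept in the cloud account, so the record stored in the cloud never contains the master share or an unwrapped data key. All names (`derive_kek`, `CloudRecord`, `encrypt_object`, `decrypt_object`, `demo`) and the sample cardholder record are assumptions of this example. The symmetric cipher is an HMAC-SHA256 keystream with an encrypt-then-MAC tag, chosen only so the example runs on the Python standard library; a real system would use AES-GCM for the data and AES key wrap (or an HSM/KMS) for the key layer.

```python
"""Split-key envelope encryption: illustrative example, not Porticor's code.

Two independent key shares are needed to recover any object's data key:
  customer_master  held by the customer and never written to the cloud
  cloud_share      kept in the cloud account next to the encrypted object
CloudRecord is everything that lives in the cloud for one object. The cipher
is an HMAC-SHA256 keystream plus an encrypt-then-MAC tag (stdlib only; use
AES-GCM / AES key wrap in production). Names and sample data are assumed.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass

KEY_LEN = 32
NONCE_LEN = 16
TAG_LEN = 32


def derive_kek(customer_master: bytes, cloud_share: bytes, object_id: bytes) -> bytes:
    """Per-object key-encryption key, HKDF-style extract-then-expand over BOTH
    shares. Holding only one share gives no information about the KEK."""
    prk = hmac.new(customer_master, cloud_share, hashlib.sha256).digest()
    return hmac.new(prk, b"demo-kek|" + object_id, hashlib.sha256).digest()


def _subkeys(key: bytes) -> tuple:
    # Independent encryption and MAC keys derived from one 256-bit key.
    enc = hmac.new(key, b"enc", hashlib.sha256).digest()
    mac = hmac.new(key, b"mac", hashlib.sha256).digest()
    return enc, mac


def _keystream_xor(enc_key: bytes, nonce: bytes, data: bytes) -> bytes:
    # Counter-mode keystream: PRF(nonce || counter), 32 bytes per block.
    stream = bytearray()
    for counter in range((len(data) + 31) // 32):
        stream += hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(data, stream))


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC; returns nonce || ciphertext || tag."""
    enc_key, mac_key = _subkeys(key)
    nonce = os.urandom(NONCE_LEN)
    ct = _keystream_xor(enc_key, nonce, plaintext)
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(key: bytes, blob: bytes) -> bytes:
    """Verify the tag first; raise ValueError on a wrong key or tampering."""
    enc_key, mac_key = _subkeys(key)
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed: wrong key share or tampered record")
    return _keystream_xor(enc_key, nonce, ct)


@dataclass(frozen=True)
class CloudRecord:
    """Everything stored in the cloud account for one encrypted object."""
    object_id: bytes
    cloud_share: bytes   # second key share, lives next to the object
    wrapped_dek: bytes   # per-object data key, sealed under the KEK
    ciphertext: bytes    # the object itself, sealed under the DEK


def encrypt_object(customer_master: bytes, object_id: bytes, plaintext: bytes) -> CloudRecord:
    """Fresh cloud share and fresh data key per object; the master never leaves the caller."""
    cloud_share = os.urandom(KEY_LEN)
    dek = os.urandom(KEY_LEN)
    kek = derive_kek(customer_master, cloud_share, object_id)
    return CloudRecord(object_id, cloud_share, seal(kek, dek), seal(dek, plaintext))


def decrypt_object(customer_master: bytes, rec: CloudRecord) -> bytes:
    """Unwrapping the DEK succeeds only when both shares are the right ones."""
    kek = derive_kek(customer_master, rec.cloud_share, rec.object_id)
    dek = unseal(kek, rec.wrapped_dek)
    return unseal(dek, rec.ciphertext)


def record_contains(rec: CloudRecord, secret: bytes) -> bool:
    # Does anything stored in the cloud contain `secret` in the clear?
    return any(secret in f for f in (rec.cloud_share, rec.wrapped_dek, rec.ciphertext))


def demo() -> dict:
    """Exercise the claimed properties; returns each check as a boolean."""
    master = os.urandom(KEY_LEN)                  # constructed; held off-cloud in practice
    pan_record = b"4111111111111111,12/29"        # constructed sample (standard test PAN)
    rec = encrypt_object(master, b"pan-batch-0001", pan_record)
    try:
        decrypt_object(os.urandom(KEY_LEN), rec)  # attacker holds the cloud share only
        wrong_rejected = False
    except ValueError:
        wrong_rejected = True
    return {
        "roundtrip": decrypt_object(master, rec) == pan_record,
        "master_in_cloud": record_contains(rec, master),
        "plaintext_in_cloud": record_contains(rec, pan_record),
        "wrong_master_rejected": wrong_rejected,
    }


if __name__ == "__main__":
    print(demo())
```

Two design points carry over to any real split-key deployment: the cloud-side share and the wrapped data key are useless without the customer share, so a dump of the cloud account (or a cloud-provider insider) yields nothing; and because the KEK is bound to the object id and the per-object cloud share, revoking one object means discarding one share rather than re-keying everything.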

PCI DSS Requirements Checklist

Of the 12 high-level security requirements defined by the PCI Security Standards Council, six address the need for encryption and key management in the cloud. Porticor Virtual Private Data offers a comprehensive solution for complying with these requirements and partially addresses some of the more general ones. Note that no product makes an environment PCI DSS compliant on its own: the merchant or service provider remains responsible for the controls outside Porticor's scope (listed below without a Porticor entry) and for the assessment as a whole.


PCI DSS requirement / Porticor solution

1. Install and maintain a firewall configuration to protect cardholder data.
2. Do not use vendor-supplied defaults for system passwords and other security parameters.
   Porticor ships with no default credentials or default security settings for encrypted data storage.
3. Protect stored cardholder data.
   Porticor addresses this requirement directly: it encrypts data at rest and manages the keys in a cloud key management system, covering both the encryption and the key-management controls that Requirement 3 demands.
4. Encrypt transmission of cardholder data across open, public networks.
   All traffic within the Porticor solution is encrypted. Cardholder data that travels outside Porticor, for example between your customers and your web tier, still needs transport encryption such as TLS.
5. Use and regularly update anti-virus software.
6. Develop and maintain secure systems and applications.
   Porticor's own components receive the latest security patches and updates automatically.
7. Restrict access to cardholder data by business need-to-know.
   Under Porticor's project model, no individual, including Porticor staff, can read the encryption keys themselves; only authorized personnel can see key metadata such as key names.
8. Assign a unique ID to each person with computer access.
   Porticor gives you full control over user identities and their permissions.
9. Restrict physical access to cardholder data.
10. Track and monitor all access to network resources and cardholder data.
   Porticor keeps detailed, configurable logs and an audit trail of key and data access.
11. Regularly test security systems and processes.
12. Maintain a policy that addresses information security.

For a more detailed explanation of how Porticor helps you to comply with each of the PCI DSS requirements listed above, download the PCI DSS whitepaper now.