There are six steps to achieving PCI compliance, seven if you add the Appendix for Hosted Environments:
- Build and Maintain a Secure Network
- Protect Cardholder Data
- Implement Strong Access Control Measures
- Regularly Monitor and Test Networks
- Maintain a Vulnerability Management Program
- Maintain an Information Security Policy
Extend organizational practices pertaining to the policies, procedures, and standards used for application development and service provisioning in the cloud, as well as the design, implementation, testing, and monitoring of deployed or engaged services. Put in place audit mechanisms and tools to ensure organizational practices are followed throughout the system lifecycle.
Understand the various types of laws and regulations that impose security and privacy obligations on the organization and potentially impact cloud computing initiatives, particularly those involving data location, privacy and security controls, and electronic discovery requirements. Review and assess the cloud provider’s offerings with respect to the organizational requirements to be met and ensure that the contract terms adequately meet the requirements.
Incorporate mechanisms into the contract that allow visibility into the security and privacy controls and processes employed by the cloud provider, and their performance over time. Institute a risk management program that is flexible enough to adapt to the continuously evolving and shifting risk landscape.
Understand the underlying technologies the cloud provider uses to provision services, including the implications of the technical controls involved on the security and privacy of the system, with respect to the full lifecycle of the system and for all system components.
Identity and Access Management
Ensure that adequate safeguards are in place to secure authentication, authorization, and other identity and access management functions.
Understand virtualization and other software isolation techniques that the cloud provider employs, and assess the risks involved.
Data Protection
Evaluate the suitability of the cloud provider’s data management solutions for the organizational data concerned.
Ensure that during an intermediate or prolonged disruption or a serious disaster, critical operations can be immediately resumed and that all operations can be eventually reinstituted in a timely and organized manner.
Understand and negotiate the contract provisions and procedures for incident response required by the organization.