
Cloud adoption and PCI DSS compliance: strategies and tools to ensure secure payment data storage

BSides Ahmedabad · 2024 · 39:24 · 114 views · Published 2024-05
About this talk
A panel discussion exploring cloud adoption strategies and PCI DSS compliance for secure payment data storage and processing. Industry experts from financial services, regulatory bodies, and cloud security address scoping, segmentation, shared responsibility models, emerging technologies like containers and serverless architectures, and evolving regulatory requirements including India's upcoming Digital India Act.
Original YouTube description
👾 Topic 👾 "Cloud adoption and PCI DSS compliance: Strategies and tools to ensure secure payment data storage and processing in cloud environments". 🎙️ Moderator 🎙️ Vaibhav Mahadik (Global Security Head at ControlCase) 🗣️ Panel 🗣️ Featuring Yazad Khandhadia (Head of Security Architecture and Engineering at Emirates NBD), Nitin Bhatnagar (Regional Director, PCI-DSS), Milind Mungale (Advisor at NSDL) and Bharat Panchal Ph.D (Chief Industry Relation and Regulatory officer at Discover Financial Services) #payment #security #securitybreach #infosec #cxo #panel #nsdl #finance
Transcript [en]

Let's talk about the cloud and PCI DSS compliance. As now everything is moving into the cloud, especially when it comes to the card data, PCI always comes into the picture. So let's explore what strategies and modern tools make moving to the cloud safe and easy and ensure your sensitive data is secure and handled properly in the cloud. So, to give light on the same, I would like to introduce Yazad Khandhadia, Head of Security Architecture and Engineering at Emirates NBD; Nitin Bhatnagar, Regional Director of PCI; Milind Mungale, information technology and information security advisor to NSDL; Bharat Panchal, Chief Industry Relation and Regulatory Officer at Discover Financial Services; and to

moderate this panel, delighted to welcome Mr. Vaibhav Mahadik, Global Security Head at ControlCase. So thank you, thank you BSides for giving this opportunity, and thank you to the audience for being here even after lunch. Okay, so to start with, obviously we are talking about the cloud and PCI DSS compliance. If you talk about the cloud, use of the cloud has drastically increased in the past few years. If you talk about a few statistics, in 2020 alone almost 64% of the enterprises have migrated their workloads to the cloud, and as of now, 2023, it has increased to 94%. So the use of cloud has drastically increased. On

the other side, PCI DSS compliance, right? This is again a comprehensive standard, which is mainly designed for securing card data, but obviously, I'm pretty sure you can use it to secure your sensitive data, which may not be card data but other sensitive data. Okay, so we'll try to have it as whats interactive. So, from the audience, how many of you are in the process of adoption of the cloud or already in the cloud? I mean, we have only one number. Okay. So, in terms of, how many of you are actually handling card data or any kind of sensitive data? Okay, no problem. So let me come

back to the panelists. We have good, knowledgeable panelists from the industry, who represent the end-to-end entities of the supply chain, right? Starting from the top, we have Mr. Bharat Panchal from Discover Financial Services, who represents the brands. Then we have Nitin Bhatnagar, who represents PCI DSS, or PCI SSC I would say. Then we have Mr. Milind, who will talk on the data storage, and then we have one of the important persons in the chain, Mr. Yazad, who represents the customer, from NBD, National Bank of Dubai. So starting with Mr. Yazad, I would like to just check with

you: how has the landscape of cloud adoption changed in the last few years, and how can organizations develop a cloud adoption strategy? Sorry, thank you, could you repeat your question again, sorry? Yeah, so how has the landscape of cloud adoption changed in the recent few years? I think if I look at the world's landscape, a lot of CTOs and CIOs want to go faster, and they feel the need then to, you know, use the cloud as a platform to roll out faster. Also, I think if you look at the way the hyperscalers are moving, the amount of features they're

able to provide, a feature-rich environment, right, is easy for lots of organizations, right? For example, cognitive services in platforms like Azure, right, which provide AI. So adoption is massive. So how can an organization actually develop the cloud adoption strategy in terms of PCI DSS compliance? So I would say that first, you know, in this case I am the sufferer of the regulations that are thrown upon me, and of course I'm just kidding, I'm the implementer, right? So the strategy has to start, I think, like my colleague D said, think always about the basics, right? You start with the basics, and I think the prior panel

also mentioned asset identification, right? So when you're planning a strategy, you need to know first of all which asset is handling the PCI data, and you also need to understand, in my opinion, which specific cloud provider will be able to provide you specific controls, either (a) natively or (b) via the marketplace, that will allow you to then meet these compliance standards. You know, sometimes we tend to think it may be easily available, but it may not. So it requires comprehensive research, you know, across your cloud providers, and then you have to pick and choose the right one that has a good

balance. So, Mr Bat, if you want to have any insight on this, the cloud adoption strategy customers can utilize? Let me just add, you know, the last panel was touching a point on the roles and responsibilities, and let me add one important point on cloud adoption. I think from the PCI standards point of view, scoping plays a very, very important role, because there's always a confusion, or probably a discussion among the stakeholders that we have seen, is that, you know, we talk about what should be the coverage, right? And when it comes to exclusively the payment data,

probably we are moving on with the card and we're talking about the payment data, and the standards are evolving. So talking on the scoping, segmentation plays a very, very important role. Now it's very vital to understand your scope first, and I'm reiterating scoping as a word because that is very critical. And I'm sure, you know, you being SSR, you know, you're authorized to do these audits for PCI standards, and this is what has also been told in the trainings, that, you know, how important this is and how critical this is when you have a right scope. Now if you are not able to size your scope and you are starting implementation,

implementing the requirements of the PCI standards, then it may be a challenge in the long run. So having proper scoping and segmentation on the card data environment, or probably the payment data, is going to be very, very important. Now, your second part of the question, what was the second question? So what will be the industry specification considerations for this? No, I think the consideration from the cloud security, third party, you know, cloud service providers, definitely the CSPs you work with, I think you need to play a very, very important role there as well. And with the CSPs you need to define the roles and

responsibilities very clearly. So there's one other myth, not a myth, I would say it's a conception that they have, that, you know, when we outsource this to the third parties, it's not, it's the responsibility of the CSPs. It's not the case. So the data that you share with the CSPs is your data, you are the owner of that data, and you need to make sure that you are taking care of all due diligence. So you're taking care of all third-party service provider audits, whatever you can think of that is going to safeguard the customer data or the payment data. I understand, I mean, the PCI DSS, PCI SSC actually regularly

publish the advisories also, right, to guide the things. But still, I would say there are some myths going on, right, related to cloud adoption and PCI DSS compliance. So I would just like to move to Mr Bat. Can you just help us with the common myths which are around for PCI DSS compliance and cloud implementation? Well, so in terms of myths, there's a number of myths, but let me draw an analogy with Hindu mythology. In Hindu mythology we believe that there is a God, and whenever something is deed we always look up to the sky, and there's a cloud, and we have a trust that there is somebody

behind that cloud managing this planet, managing this universe, and there is some methodology, a system is available there upstairs. There is a similar analogy in cloud also, where we believe that, you know, it helps us to migrate things into cloud, and easy, you know, provisioning, de-provisioning, and along with that we are also transferring our responsibility. That is the biggest wrong myth people carry today, because when you are putting something in cloud you are just buying a space to put your data and your controls in. You are not migrating your responsibility, you are not migrating your strategy to the cloud service provider. You are just keeping that as, you know, the same.

Second biggest myth is that since they are in cloud they are supposed to be more secure. There is nothing like that. There's no golden bullet. Security is again part of strategy. I heard that the previous panel, ma'am was talking about security by design. I don't know how many of you know me, but I'm one of the architects of UPI. I was a chipis officer of UPI. So the way we have rolled it out, today 10 billion, 15 billion, it's just a number for you guys, but when we designed it, one of the key considerations was how we can move it to cloud later on. I'm talking about 20156, when we launched UPI,

but later on the whole story is a reality. And at that time there was the same consideration, that okay, how will we allow this into cloud, because we are talking about on one side PCI DSS, on the other side the security controls, but on top of everything is a huge fund where you are going to transact every day. Now through that setup, how are you going to make it secure? Today, when we designed security, at least I that security for UPI at that time, that is giving so much flexibility that half of, or I would say rather more than, you know, 70% of transactions today are happening in the place where the data, the entire

application, the API, everything is in cloud. So, you know, when you are thinking about cloud adoption, it is just not, you know, one two 3 power bullet. You have to think from many, many directions, many, many, you know, control points of view, risk and compliance points of view, and not just blindly adopt, because when you adopt something, cloud as a technology or cloud as a solution, if you make a mistake in your strategy, that is what exactly you're going to migrate to cloud along with your product. So you have to be very careful when you decide the strategy around that. Thank you, thank you sir. So when you talk about the cloud, I

mean the AI/ML, right, that is something which comes into the picture. So how will AI/ML impact this strategy and adoption related to PCI DSS compliance? So artificial intelligence is something which we consider as a substitute for natural intelligence. Where natural intelligence is not able to work at a pace, we require artificial intelligence to work at a particular speed. But one thing we are missing is that artificial intelligence has to be taught. It's like, again drawing an analogy with the physical world, maybe you are able to create an essence of rose overnight, but the natural fragrance of rose cannot be replaced with the essence of rose, and that takes time. So from the

point of view of AI/ML, it is not plug and play. It is something which needs to learn, which needs to create a dynamic rule book, and based on that dynamic rule book some algorithms would be built, and that is how the artificial intelligence would work. So according to me, if someone is promising that you will have an artificial intelligence ready-to-plug-in engine in your cloud, and it will provide you with near 100%, 99.9% or even 90% accuracy as far as your compliance requirements are concerned, I think that is a myth. Your question? Yeah. So I think if artificial intelligence with machine learning has to be fully mature, you have to give it

time, and my own assessment is that time cannot be 1 month, 2 months, 3 months. It will at least take 6 to 9 months before it can be tested for its accuracy, and after a year we will be able to probably say that our artificial engine in combination with the cloud infrastructure for PCI DSS compliance is XYZ percentage accurate. We have to take artificial intelligence and machine learning I algorithms integration with cloud for PCI compliance with a pinch of salt. At present we have to have patience, and till such time as we establish that, neither responsibility nor accountability can be pushed to artificial intelligence or machine learning. It will have to be still our responsibility. And there's another

variation: how do you integrate AI and ML, whether you have taken cloud as infrastructure as a service, or you have taken platform as a service, or you have taken software as a service. And for all three the AI/ML approach will be different, because with infrastructure as a service there's a lot of control in your hand, you just have the baseline infrastructure below. With platform as a service the control is distributed: you have certain controls for your application, but you don't have any control over the underlying platform, and the cloud service provider is not going to give you a platform of your choice and the configuration of your choice beyond a point, because they

have to maintain uniformity in their own application, in their own setup. And software as a service is, frankly speaking, you have no control, you have to go by the declaration that the guy is giving. So in that, the best thing that one can do is check whether the cloud service provider has a PCI DSS center of excellence or practice group. See how many more clients he is catering to to comply with this standard. If you are the only one in that cloud service provider who has been complying with PCI DSS, I don't think your cloud service provider can give you a very good service. But if there are 10, 15, 20 other customers who need the similar

kind of PCI DSS compliance, I am sure the cloud service provider has the motivation and wish to establish a separate practice group. Is there a cloud service provider who, when you go and ask before you even implement your setup, gives you a standard PCI DSS compliance declaration saying that to this extent, whether you install anything in my cloud or not, I am compliant? If there is such a cloud service provider, it makes sense to go with that cloud service provider even at the cost of giving some premium to him. And the third part here is very important, and that is, if the cloud service doesn't have any such kind of a thing, does he have a readymade mapping list: look, I am not a PCI

DSS kind of an expert, but I have mapped my security to the requirements of PCI DSS, and this is what I'm going to offer you. I think that would make a lot of sense. So the question is simple but the answer is very messy. Yeah, definitely, definitely sir. So if you talk about the in-house, yeah, I just want to add to what Milind just said. I think at the end of the day what is also important is the responsibility, who takes the responsibility. See, it's very easy than said done, you know, when, you know, the cloud service provider has to adore adapt to the standards of PCI, and, you know, PCI is just not one standard.

PCI today has 15 data security standards, and what standard gets applicable to the cloud service providers is also very critical, right? So cloud service providers also have software, right, they also have applications, what not. What exactly is it that we are securing? And that's where, coming back to my previous answer, scoping and segmentation of the payment data is very, very critical, even for the cloud service providers. Now talking on, you know, the responsibility-wise, for us, you know, when I look from the top, it's the whole responsibility of the client who is hosting or probably sharing that data with the cloud service for. So responsibility-wise, for example, I need to store my data with probably why

cloud service provider. I can't just say that, you know, okay, I have outsourced it to my cloud service provider, so the entire responsibility lies with the CSP. No, we have to have a shared responsibility, and I think that's what the previous panel was talking about, on the shared responsibility. And I think it's not at all a gray area, definitely, because the PCI Security Standards Council has worked beautifully on some great documents that talk about what kind of roles and responsibilities a client and a CSP should do in order to make sure that the data is safely secured with the CSPs. Now that goes beyond, to the penetration testing requirements, to the vulnerability assessment, and also to the

PCI standard adoption. So PCI compliance is just an outcome of what you're doing as standard adoption, right? So as I said, you know, PC DSS is just not PCS, it has 15 data security standards, and the SSS community and the stakeholders too need to understand and evaluate and review all these standards, what is applicable. Now today everyone comes up and says, okay, I'm PCI DSS compliant, so this is my piece of paper. So for me that piece of paper is not a document at all. There are two official documents that are considered as the official checkpoints that you are adhering to the standards of PCI, which are the attestation of compliance and the report

on compliance. You will come up with a piece of paper saying, I have, for the marketing gimmick they bring a piece of certificate, very beautiful, frame on a wall. That's not at all a compliance document at all. So the point that I'm just trying to drive, for the interest, is the standard adoption definitely is going up, but we also need to make sure that these standards are adopted with the right intent and with the right approach. You know, what is required to be adopted should be adopted, not anything which is not required, and we are just trying to, you know, give it back to the industry saying that we

are doing this. But I agree, what you said is that we have to have a right approach, we need to have, you know, positioning well, and make sure that everyone plays an equal role in protecting the payment data. And ultimately, assume accountability, who takes the responsibility, is mine, definitely. So if you talk about the cloud again, right, I mean the containers and serverless architecture is something which really helps customers. So from PCI DSS's perspective I would like to just ask Yazad how this will impact the PCI DSS compliance. Quite a challenge to secure to begin with. Like Nitin said, once you've scoped it and you know what needs to be part of

your CDE, card data environment, and you've identified it, there are a few things that you can do to build your defense in depth, and I think the keyword here he used was segmentation, segmentation layers, right? So you start at the host mainly, you try and segment and micro-segment wherever possible, and when you eventually reach the container, what you can do is you can try strategies like namespace isolation, right, which is native to containers, and then you can also try, you know, technologies like, you know, NSGs that are in the cloud, or you can use something like network security policies, you know, which are also

controlling not just your ingress but also your egress traffic, right? Sometimes, you know, what happens is in the container environment you basically strip it down to a level where it's running with minimal privileges, right? So containers are supposed to be nifty and small, so to compensate for that, for example, you would for instance, you know, put like a FIM solution at the host layer, right? Or let's say for example if you can't do any segregation, you know, via some kind of subnetting, you would for instance do it, you know, using like a host firewall at your VM layer. So there are various

strategies that you can possibly try because of the way the container works, right? And I think trying to move as close as possible to isolation is basically trying to kind of, you know, expand the basic concept of segmentation to containers. Quickly coming back to Milind sir. So if we talk about PCI DSS, it's mainly how you secure your data, how you store your data, what kind of encryption you're using, everything, right? So can you just share some insight on the base security practices if you would like to have storage of card data in the cloud,

what can be the best security practices to be for? So whatever answer I'm going to give, I'm actually going to disassociate it from PCI DSS for the time being, because of a simple reason: PCI DSS or no PCI, the data has to be secured. It's personally identifiable data, it's financially sensitive data, so it has to be secured. So the first and foremost thing is, if it is cloud, you need to understand how the data is stored. We have been taught, we have been listening, reading, that once your data goes in cloud it is of secure, you also don't know where the data is, so where is the question of others coming to know, and if others are not

going to know, it is safe. Because, you know, if I know you have 1 lakh rupees in your pocket, you're vulnerable, but if I don't know how much money you have in your pocket, you are safe, because it is obscure. But that's not the case here. It is very important to identify how the data is stored. If it is distributed across various storages, at least you need to know the approach of it. That is where data security starts, being aware of where the data is. As he said, the scoping part of it. You can't leave it as, once the data is gone to the cloud I don't have to worry, because two bytes

will be here and two bytes will be there, so there's no way someone can put them together. That is not the case. You need to be very clear with the cloud service providers as to where my data is going to be. Each cloud service provider has his own way, like AWS gives you an S3 bucket, and GCP has its own way, and Azure looks at it differently. If you go to some proprietary cloud service providers, which have also mushroomed a lot in our country, they will have a different way, they will actually mix and merge multiple approaches. So knowing that is very important. The second thing is that data storage is not the only place where

it needs to be protected. The data is going to be in memory, and in the previous panel someone said that the memory itself is also vulnerable, and that's the reason why in IoT they said that the Loc code has to move to the higher level. So memory has to be protected. Now you can't encrypt the data in the memory and use it, the data in memory will be decrypted. So you need to create some kind of, in know, boundary, some kind of a protection wall within the memory, so that the data doesn't go out of that particular thing, or you obscure it by moving that to some other address which only your application

knows. And the third thing is definitely the data in motion, which is in the network. So everyone will say SSL, SSL, SSL, but remember the data moving from the memory to the storage through a bus is also something which can be tapped, and it is because the motive is not so strong, there is no such data which can have such a strong motive, that's why there have not been many cases. But technically it is proven that the data can be captured from that particular internal network of your infrastructure. So from that point of view I think it is necessary to adopt an approach. There's no one size fits all, because it will all depend on, it's a very costly affair. If

you've got to encrypt on the disk using a disk encryptor, it is very cheap, but when you try to encrypt in the database it becomes costlier, and when you apply a proprietary encryption on it, it becomes still costlier. So you've got to figure out what your risk appetite is and where it is that you would like to encrypt. You know, I think one more thing we can add is that in the cloud it's important for you to manage your own keys. Yeah. So you have to convince, you have to use hold-your-own-key concepts, right? Keep your key with you as much as possible. That has the potential of at least

somehow mitigating the risk when it comes to encryption. Yeah, because if the keys are compromised then it's game over. So since we are talking about data storage, I would like to come to Bharat sir. So the data local, if the organization is globally providing the services, right, data localization is something where they suffer usually, considering different regions and all. So considering the international laws and regulations, how will those impact cloud adoption and PCI DSS compliance? So I would disagree with your word that the organization suffered. It was needed, because any new innovation comes naturally, when people, those who are innovating, they would

think of all possible ways to build the thing, but at the same time the other side of people, they want to break it, and therefore the Bic Act is required. So data localization is, I think, one of the greatest steps taken by the regulator here in India. India is the most data-rich country in the world. Unfortunately we are in the data colonization world today, and at least after this DPDP 2023 we are probably in good shape. But when it comes to regulation with respect to PCI or any other regulation or standard, they are standards, they are not regulation. It is a subset, it is a discretion of mind.

In data localization or, you know, data protection or any other law, we can't take a discretion, right? It is a mandate and you have to implement those controls. And I think especially on the part of cloud, when it came as a buzzword almost a decade ago, people found that it is an easy way for reducing investment, but later on the compliance cost increased. And I would say it was a legitimate requirement from the security point of view, because, you know, when you are in a single compartment or single isolated environment, though there's a risk, the risk of, you know, getting attacked is much lower compared to when you are in a multi-storey

building, and that is what exactly the cloud is. So when it comes to, you know, beating GDPR on data protection law of India and many other regulations worldwide, there is a clear consideration given from the regulatory point of view on what kind of controls have to be implemented in cloud environments. Data localization is one part, but in addition to that RBI has come up with multiple guidelines on cloud service providers. When you adopt, as a part of the outsourcing guideline, it household Outsource guideline, there is a clear chapter about what controls you may have to add when you adopt cloud techn cloud environment. So net net, you know, in my view the

control requirement is much, much more stringent, and it is going to be more stringent, because, you know, half of or most people know that IT 2000 or 2008 is almost obsolete. That act does not talk even about the internet, forget about cloud. But there's a new law coming, DIA, Digital India Act, a lot of deliberation is going on, and I can guarantee you that you will find the toughest law ever built in India. And especially I would say it is a blessing that the government and the regulator are designing such a stringent law securing our IT and data. So, you know, let's be prepared for better regulation, more stringent controls and environment. So

everything is happening for the good, right? Yeah, yeah, sure. I mean we need to be prepared for whatever government regulations are asking us to follow, as a customer as well as the regular body. No, because, you know, why I'm saying, your original question about people suffering from data localization, I was the man who drove the entire industry for localization compliance, and many people were asked not to be onboarded, but it was needed, because see, when you are reping cloud, I should know where your data is. It may be 1, 2, 3 or 100 servers, but at least the cloud ends somewhere on the earth, correct? Isn't it? There is one, you know, definite

longitude, latitude for that server, wherever it is physically available, and unless until you prove that data does not leave the boundary of our country, that's good enough, and that is what is needed. Correct, and that is what obviously all the regulations are looking for, considering the security of data. So coming to Milind sir. So from the cloud adoption perspective and the PCI DSS perspective, what are the future trends which could pose new challenges? Apart from Bly, sir say it, right? So as I see, people are adopting blockchain, people are adopting low-code, no-code kind of development platforms, and people are adopting agile development, DevSecOps and all these things,

and these will come into the payment industry also. They will not continue to operate with the traditional way of software development, promoting release and all that. So that is where I think there is going to be a challenge with regard to how you comply with PCI DSS. Either PCI DSS version 4, which is due to come early next year, may have considered all these things, I unfortunately have not got a glimpse of it, may have considered all these things, and if it is considering all these things then it's better. But if version 4 is going to be the same as what we are using today, I think there

will be a big disconnect between the technology being used for the applications and the compliance by PCI DSS, and that is going to be one of the biggest challenges. Apart from that I don't see any other challenge, because one thing is very clear: even ISO 27001, the ISO body has also realized that their standards have to be more generic, so PCI also realizes that the standard has to be more generic. It is for us to interpret and implement. Like, I was just glancing through the standards yesterday, they still use the word antivirus. Antivirus, who uses antivirus nowadays? But the standard says you need to have an antivirus. So if a new organization has an antivirus, they are

complying with the standard, but what about the security? So I think interpretation is necessary: when they say antivirus, meaning whatever is required to protect your setup from all these kinds of malicious intended software, and then XDR, EDR, whatever you would like to implement. So these are the kinds of challenges, interpretation is one and advanced technology adoption is the other. Yeah, so I think PCI DSS 4.0 has already covered most of the things. Considering the local regulations from the local bodies, right, how is the PCI SSC looking to incorporate such things and ensuring they are complying with the local bodies as well? See, we don't need to comply with any local bodies, but see, our

role is very simple: it is to create a lot of education and awareness around the standards, how these standards are going to be best fitted by the organizations to meet the requirements, and the best practices to protect the payment data. That's the very simple theme the PCI Security Standards Council works on. Now having said that, you know, we always look forward to feedback from the industry, and I'm sure, you know, those who are associated with the council, I think bat knows it, we have an RFC, which is a request for comment process for the various standards that we have, and we call for feedback from the industry to make these standards more robust and aligned to the industry requirements,

both regional and international. So these standards are global in nature; we cannot just classify them as a domestic standard or an international standard. It's a global standard, one standard which is required to be adopted by the industry at large. So that's what we do and that's what our role is, and we wanted to make sure that industry comes forward and contributes and, you know, joins hands together with the council to make sure that these standards are getting influenced from the region specifics. So that's what I think, as the PCI Security Standards Council, we're trying to do. Over to you.

Thank you, Nitin. So one last question and we'll just stop

this. So if you would like to give one piece of advice to all the CISOs who are in the process of adoption and being PCI DSS compliant, what will be that advice, in one line?

I would say whatever we told, just forget, and do whatever is best for you. I think you say this, but you know, the advice is something like that. You know, here in India there is a very funny example and I must share, because I'm also from Ahmedabad. I have seen people driving here. So what do we do when we ride a bike and we see police at the signal? We immediately pull out our helmet, put

it here, and cross the signal, and next we'll immediately put it back. This is not what you should do in security. The helmet is not to show the police wala; it is not meant for compliance, it is for your security. So please differentiate between compliance and the real need of security.

I think well said, and most importantly, in fact, yeah, I think the standards require you to do VA once in a year... quarter? No, it's quarterly, and obviously being 4.0 it would be an authenticated scanning. So according to me, I think, see, what you do is get an understanding of these standards first, before you actually jump on the implementation. Get a proper

understanding on these standards: what standards you are trying to adopt and what the final outcome from adopting these standards is going to be. I think that's very, very critical.

So I would add that once you've understood the standards, I would say do two things: first go deep, go really deep into understanding your architecture and how you're going to implement it, and also go wide. So depth and breadth are equally important, because the cloud has so many options available for you, you can kind of lose track of where your data is, right? So that's what I would say. So yeah, be comprehensive.

Thank you, thank you. So we'll just quickly open for any

questions from the audience.

Hello sir. Sir, I have just begun my career as an information security analyst and I'm in a fintech company where I'm placed in the health and compliance department, and currently we are dealing with PCI data. So as a beginner, what advice would you give me as to how I can grow and make my career in PCI data compliance, particularly with the cloud in our...

I think Nitin is the correct person to answer that.

See, I think when it comes to the PCI standards, the first and foremost thing is you should read these standards. Reading these standards is very, very critical, and if you want to really build up your career in information

security, and that too specifically in standards like PCI, you should take up some kind of training which PCI offers, in terms of the Payment Card Industry Professional, which gives you a basic understanding of what PCI is all about, right? And I think that's the starting point. Now, I don't want to overburden you with a lot of things that I can talk about here, but start with the basics. I think you will find your own way very immediately.

Thank you, sir.

And psychologically, you treat yourself as independent. You're not here to make friends when you're dealing in risk and information security. That's a fundamental thing: I don't have friends, really. Then only you can succeed

as a risk or security professional.

Thank you, sir.

Any other questions? Okay, I think... thank you, thanks to all the panelists. Let's have a round of applause for them for sharing the insight. Yeah, thank you, thank you very much.