PCI Compliance in the Cloud

Find the balance between cloud autonomy and alignment with the PCI DSS
PCI Compliance in the Cloud 1

Striking the Balance

As more organizations embrace cloud computing, the divide between cloud autonomy and compliance becomes greater. Your organization must achieve a harmonious balance between the dynamic attributes of cloud computing and governance to harness the power of the cloud while maintaining Payment Card Industry (PCI) Data Security Standard (DSS) compliance. Focal Point can help you build a mature governance program that allows your organization to consume cloud resources in a controlled, systematic manner in accordance with the PCI DSS.

Our Approach

With input from industry-recognized frameworks like the Cloud Security Alliance’s (CSA) Cloud Controls Matrix (CCM), our PCI cloud methodology focuses on the automation mechanisms used to consume and deliver cloud resources, rather than just the static-state of on-premise systems hosted in conventional data centers.

Phase One

During Phase 1, the Focal Point team collaborates with you to establish the objectives and scope for this engagement, as well as communication methods and a cadence for status reporting. Following this initial step, we coordinate document and interview requests with your team.

  • Document and Interview Requests
  • Engagement Objectives and Scope
  • Status Reports and Communications

Phase Two

Our team holds both on-site and remote discovery sessions with key stakeholders and subject matter experts within your organization. Following this step, our team builds a current state gap analysis of your cloud environment against the PCI DSS.

As part of this phase, our team also performs validation testing and reviews to determine the adequacy of network segmentation, in accordance with the DSS.

  • Business and Technology Understanding
  • Validation Testing
  • Network Segmentation Review
  • Sampling

Phase Three

In the final phase of this assessment, our team communicates the findings of our analysis to your leadership team, helping you gain executive buy-in for the most immediate risks to your organization.

Following this step, our team can provide remediation testing as needed to ensure critical gaps are adequately addressed.

  • Initial Gap Listing
  • Future-state Recommendations
  • Final Report
  • Remediation Testing (if needed)

Assessment Focus Areas

Software Defined NetworkingThird-Party Risk ManagementConfiguration Management
Management Plane SecurityDetection and ResponseMultitenancy
Automation Script and API SecurityContainer SecurityAccess Security and IAM
Have a question?

Contact Us

Focal Point is excited to take on your biggest data risk challenges. Please complete this short form and we will get in touch with you.

Featured Insights

Recommended reading for those looking to explore the world of cybersecurity.
IT Strategy 1
Resource Pack

Your Toolkit for Securing Remote Access

Focal Point's experts have created a package of strategies, checklists, guides, and tools for securing your remote workforce. If you'd like to access the full resource pack now, head here. Or explore the...
Learn More
What Makes a Good Penetration Test?
Blog

What Makes a Good Penetration Test?

In order to understand what makes a good penetration test, we need to start with the goals of a penetration test. For many organizations, the goal is to simply complete a task and check a box. But better goals...
Learn More
Cloud Security 2
Blog

3 Key Risks Threatening Cloud Security in 2020

Gartner estimates that 99% of cloud security failures through 2025 will be customers’ fault. Customizing cloud systems and applications – a necessary step for many integrations – alters the security of the...
Learn More