Security Compliance Corner: An Interview With Our PCI Subject Matter Expert

Welcome to the security compliance corner. We have an interview with our PCI subject matter expert today So welcome.

My name is Rebecca Rogers I am a manager on our security team and I manage our security compliance certifications And we have Jacob Zollinger here today if you want to do a quick introduction.

Yeah, so I'm Jacob Zollinger I'm also on our security compliance team And I am a security compliance specialist really focusing on our PCI compliance program here Great.

Yeah, and so our day-to-day here at Cloudflare is really just to maintain our security compliance certifications And ultimately this is to adhere to security industry standards and to maintain and earn our customers trust So if you'd like to know a little bit more about all the different certifications that our team Maintains you can go to Cloudflare.com forward slash compliance but today though we have Jacob here who's our PCI compliance expert as I said and We're gonna do a dive into Jacob's background and a little bit more about PCI at Cloudflare So Jacob if you want to kind of just kick us off I'd love if you could start us off by just giving us a little bit of background on what PCI compliance is Definitely yeah, so great question I'm just gonna start off because in compliance we'll get to this in a bit too, but we love an acronym So PCI stands for payment card industry So in 2006 members of the PCI or payment card industry Security Standards Council Came together to create the PCI DSS which stands for data security standard which helps payment processors financial institutions And merchants protect their payment systems from breaches and theft of different cardholder data So that the members of the payment card council and you're kind of big names You've heard before they include MasterCard discover visa JCB International and American Express nice Great.

So, thank you. I think one of the things you said is we we in compliance we love an acronym and there's definitely no shortage of acronyms in in PCI compliance, so Kind of dive into the meat here I'd love if you could kind of just touch upon those acronyms and what and define those and tell us what they mean I think that'd be helpful Definitely.

So I've already started with two. So PCI again is payment card industry PCI DSS is the payment card industry data security standard DSS are all the different requirements you may hear about from compliant folks Maybe at your organization or auditors you may work with some other couple things to understand CDE which stands for cardholder data environment which is the scope of where your PCI compliance is where and it's where any cardholder data is stored transferred or Processed so that's that's one of them Outcomes of a PCI compliance assessment will include several different documents Those will be in ROC which stands for a report on compliance, which has all the details of your PCI audit diagrams You know interviews with all the different security and business stakeholders and then there's also an AOC Which is an attestation on compliance that stands.

This is more informal more of a summary of how Cardholder data is pushed through your environment And may be stored or transmitted This is what as a customer of Cloudflare you would request a copy of our AOC and validate that we are in fact PCI certified Along with an AOC that we may provide you is also what's called a responsibilities matrix, which isn't an acronym but I still like to touch on it because it's important and it helps to show the All the different requirements a customer is responsible for and then also what a service provider such as Cloudflare is responsible for the last two I'll touch on are CHD which stands for cardholder data and PAN or PAN and that stands for payment account number.

So Which is like the 16-digit code on a on a credit card Cardholder data can include that 16-digit PAN.

It can include the CCV code on the back of your card Which is usually like a three digit code three or four digit code also the expiration date and everything like that Great.

Yeah. Thank you. I think that was Great to just level set before we get in the meat of this.

Thank you But yeah before we you know dive into to PCI and PCI at Cloudflare, I'd love to know a little bit more about you and Here at Cloudflare.

Actually, we we love to do fun facts with it all of our new hires And you know, you're you're not a new hire But I'd love to hear your fun fact and then a little bit of background on on you Sure, actually the fun fact leads nicely in with PCI compliance because it was related to my last role So I'll give my fun fact first before I get into my background To protect the anonymity of my previous clients I have been to over 200 unique locations of a certain fast-food restaurant, but have never ate at a single one of them So kind of a unique thing, but to dive more into my past role I went to college was in the business school at the University of Arizona bear down Wildcats if anyone's out there Where I studied MIS management information systems And I first got a job at a consulting firm out of school doing internal audit work with Sarbanes Oxley compliance Which is more financial regulation work But I was always IT focused and I knew since a long time that I wanted to get into security in some sort of capacity So after working in an internal audit group for a while I was eventually able to bridge into the security and privacy practice at my firm and there was a call and the need for PCI QSAs and here's another acronym QSA stands for qualified security assessor Which is the people that conduct your PCI audit.

So when that happened, I I had enough experience and was able to Become and be certified as a QSA and was actually writing the report on compliance and attestations on compliance for several organizations So I mostly focused on clients in Like food service and retail and banking really had a lot of different industry experience Nice, that's great.

Yeah, we're definitely here at Clubflair. We're very fortunate to have your QSA background.

It's been so helpful And kind of diving in into your background and the various other industries that you've been in, you know Translating that to you know, the tech scene and if you could kind of touch upon why is PCI compliance so important for companies?

It's like Clubflair Definitely.

So PCI compliance is really important for companies and of course also for consumers if you ever want to give you know Pay for something with a payment card like a credit card or debit card You want to make sure that your information is being securely stored and that people aren't just charging random things to your accounts So it's really important Especially and at Clubflair and a lot of other companies because it gives us an ability to establish trust with our customers That a certain part of their data is going to be stored and processed and transmitted securely and appropriately it's also really important for Clubflair because When you can give your payment card information to us if you have a paid plan through our Clubflair dash But we also offer products that can help you achieve your own PCI compliance So I won't dive into that too much yet But it's a really important thing for us to validate that you can trust our products and have a certain standard of security So as I kind of mentioned, you know There's two ways we look at it at Clubflair and there are many different types of ways you can be PCI certified depending on your role as a Payment processor or you have to supply actual the card reader machines Like in a you know food service area or the retail place But at Clubflair the two types that we focus on our merchant and service provider So merchant means kind of what you think it means it is meaning that we accept payment cards in a secure and appropriate way and Then service provider like I was saying is we offer products that can help you achieve your PCI Compliance so and that's really beneficial for you for our customers because it helps take some of the compliance burden off of you and also Helps your customers customers ensure that their payment card data is appropriately managed Yeah, that's great.

Yeah Going through the the service provider environment. It's been a really interesting and important on it to go through and that process has been really great Yeah, and since you've joined the the Cloudflare team We've been able to add some really awesome products into our service provider scope So I was hoping you could just talk about even you know, a few of those products that we offer that help our customers Maintain their PCI compliance.

Yeah, definitely. So I think just to even give a little bit of history with PCI at Cloudflare I think it was 2015 was the first year that Cloudflare became PCI certified and had a PCI certified product The first first product I'll talk about is the WAF, which is the one that has been certified the longest So it's your web application firewall I think the WAF is really helpful for a lot of our customers because it ties Directly to a PCI DSS requirement, which is six dot six So we can help our customers meet the WAF requirement in the DSS As long as you make sure that you're have the OWASP managed rule set enabled and that our customers also do some Tuning and use some of the Cloudflare specials or additional rules in the environment just to make sure that you're you know Protecting your web applications appropriately and of course all of this if your customer is spelled out in our responsibilities matrix Great.

Yeah.

Thank you. Yeah, so you touched a bit a bit upon The WAF which has been one of the one of the products we've had since our initial PCI certification Maybe if you don't mind walking us through Another product maybe and how our customers can use that product to become PCI compliant I'm curious specifically maybe about Cloudflare access if you could talk about how our customers can use that Yeah, definitely So this year that I came on we actually added several new products to our scope that included Cloudflare access Our content delivery network or CDN and then our time service, which are PCI compliant solutions.

So it's really important that That we communicate this because it was a big change in our scope for the time so to kind of highlight on access Accesses you may have seen if you follow the Cloudflare blog is really changing the game and your relationship with your corporate VPN a Lot of organizations in order to help reduce the scope of their environment and to help reduce the impact of their PCI compliance obligation is they'll add network segmentation and what Cloudflare access does it helps you provide means for another way to Segment your network using Cloudflare's global VPN to access internal resources to your org So something you might want to consider if you decide to use access as part of your cardholder data Environment is just make sure it's configured to timeout after 15 minutes of inactivity, which will help you meet requirement 8.1.8 Okay, great.

Thank you. Yeah, and sorry I I forgot about our time service, which is another awesome product that we brought into the PCI scope last year So if you don't mind touching upon our time service, it's a little bit of a unique product that we brought into scope So I'd love to you know get more insight into that product Yeah, definitely.

So our time service is pretty good. It's I mean, we're not pretty good It's really good.

And I think it's really interesting that that Cloudflare created their own it's a pretty unique offering and we typically don't think of a lot of Different kinds of time services out of outside of like large organizations like out of NIST You know Apple has their own Microsoft has their own but it was a cool initiative That's been pushed by our cryptographic research team here at Cloudflare So it was announced actually in 2019 that we have our own NTP service if you want to learn more about it You can go to time .Cloudflare.com and also you can set your servers if you want to use this service To reference time.Cloudflare.com but it's an NTP service the benefits of using our time service is because it relies on our CDN and global network to provide an advantage of latency and accuracy with with time Out of our 200 plus data centers around the world where we operate We use our Anycast routing to route the packets closest to the user That's actually accessing it and all of our servers are synchronized with a stratum one time provider So it just allows for a little bit more accurate type of service here I find it really really neat too because it is a free service So, you know anyone can go and use it now and it really helps tie back to requirements in The PCI requirement number 10.4 specifically in 10.4.3 You can use this to help support as a secondary time service or as your primary time service and it's important Not only for PCI to have accurate timing throughout your organizations But especially important for any of your logging functionality and ability to respond and do incident investigation Great.

Yeah, I'm very excited about that addition to our to our scope and then finally if There's anything maybe that you want to add about our CDN Which doesn't from my understanding doesn't meet a specific requirement for PCI But it is still something I think that's really helpful to highlight Yeah so the reason we decided to scope in our CDN this year is just because it's an important part kind of holds the glue together For how we deliver all of our products to our customers and how people interact with Cloudflare on a daily basis So it was scoped in has been fully PCI You know certified and all that and something else that I wanted to add in that's not necessarily a specific product But something as well that we offer within our dash that can help Organizations with their own PCI compliance is you have the ability to configure the levels of TLS used when interacting with Cloudflare At a minimum you can set it to you know 1.2 and above but we also even offer the configuration in your dash to accept TLS version 1.3 and That will help you meet PCI requirement 4.1 Awesome, thank you.

Yeah So I think It was great to highlight upon, you know, our products and then specifically what requirements that these products meet taking a step back I'd love to hear from your own words, you know more broadly What has the audit process for PCI looked like here and you know, if you can provide any perspective, that'd be great Definitely so just as anyone who's ever been through a PCI audit before may know it's just a lot It's usually a pretty big undertaking and a substantial Amount of time and resources that are dedicated to it every single year for any kind of organization And so when I first came on last year We were just kind of getting ready to start spinning up our PCI assessment and start working with our auditors and stakeholders To give you an idea here at Cloudflare It takes about three months to go from start to end For you know The initial interviews and getting it all started all the way through to receiving our final reports and updated reports for the new year So typically the process follows a standard audit procedure.

You'll interview some key business and security stakeholders They do that for usually a two to three weeks There may be some data center site visits included in there because we have data centers like all over the world Which is really cool.

I got to go I think I got to go to Canada last year and never been able to go there before and we had some other Other co-workers that did some in Europe.

So that was kind of fun In our walkthroughs and then additionally after our auditors collect documentation To help prove that we are doing what we say we're doing and that we're also doing what is required in the PCI DSS so It it's a kind of a laborious process, you know on us but even especially for the auditor to get the report completed So after they've gone through they validated all the evidence compared it with the interview notes and validated it all matches up to the DSS standards Then we'll receive our you know, ROC and AOC updated for the next year Awesome.

That's great. And something I just thought about Is our PCI scope and you know, we've talked a bit about the products in scope, but Maybe if you can, you know highlight the various different customers that are in scope for PCI Because we have different tiers.

I think that would be really helpful Yeah, definitely So I think what what is probably the hardest of any PCI assessment in addition to even doing the physical audit work is the scoping Process because it can be really all-encompassing Depending on what touches your CDE and how it interacts with your environment So scoping just generally at Cloudflare is kind of a continuous ongoing process.

We are always evaluating what Different products should come into scope what different products are in scope how they can relate back to a use case for our customers to be included And we're always continuously evaluating Changes to our environment and how that may affect our PCI scope here.

But for the purposes of our customers It's important to note that we have our business and enterprise customers that are covered under our ROC and under our AOC And it also excludes our China network So everywhere else outside of China and then the top two tiers of our customers are what is included under our PCI scope Okay, great.

Yeah. Thank you. I think that's a great distinction for everyone Yeah, and then also just to highlight again to all the products that are that are covered under it right now So that includes our WAF Cloudflare access our CDN or content delivery network and our time service great Taking another step back, you know even beyond PCI I'd love to hear is there anything that you're excited about I guess specific to PCI and Cloudflare in the future Yeah, so this has been a really atypical environment that for me to work in something It's been really different than my past experiences that I've really enjoyed Cloudflare does not you I mean be used of course traditional products and all that but they're used in such a You know innovative and unique way I've been really exposed to a lot of cutting-edge Technologies that a lot of the regulatory bodies and standards don't typically account for so it's been really fun You run away for me to be creative and really figure out how we can implement and match our compliance objectives when you were using state-of -the-art technology So that's been really fun for me Something that I'm excited about is we ship new features and new products all the time.

There's always something new coming out So being able to work with some of our emerging technology teams Being able to understand what product features are up and coming is really helpful We just had it we do, you know quarterly big kickoffs that announce our goals for the quarter And I was scouring through a couple days ago you know when we had it trying to identify all the changes that are going to be happening this year and how We can add different functionality in our existing PCI products that will better serve our customers So I think that's been really really good and fun for me Yeah, that's awesome.

Yeah, it's great to see Yeah, how plugged in we can be with other teams and and being plugged in we can Identify, you know ways to better our audits whether it's PCI or or something else Yeah, and I think to it really interesting about our team structure, which may be different than some other organizations So, you know Our security compliance team is actually embedded within our security team which is different than some other organizations where your compliance function will be bubbled up under finance or under legal or any other Number of places and I think it's given us a really good Perspective to help monitor change and we have a really great collaborative spirit I think with the rest of the security teams So in addition to me making sure and keeping my eyes open for anything that's happening and changing in our environment We're also work really collaboratively Collaboratively with the rest of our security team.

Yeah, that's a great point Great so another PCI specific question that you know, I Would love to hear from you is in October of 2019 The PCI cannot counsel announced that they were going to be accepting comments on a on a new version of PCI DSS Mm-hmm.

Oh, I Believe we're on 3.2 right now. What are your expect expectations for moving towards PCI?

Version 4. What do you think will change in in the standard?

And what would you like to see change? Several questions, but yeah, I don't kind of several questions in there, but it's it's I mean, I think it's pretty exciting I remember when we went from PCI 3.2 to version 3.2 .1, which is the current version we're on now and just kind of the changes that happened new control wording for maybe existing controls to Just create more clarity and then of course new controls have added in entirely So version 4 I think is going to be kind of set a gold standard for how a lot of security Certifications and frameworks are going to be laid out what I'm most excited for and this is based off a blog post that the council Posted I think in late October of last year about what we can expect is that we're gonna be right now PCI is so specific with here is exactly what you need To do to meet each requirement which from an auditor perspective and from a lot of organizations perspective can be Helpful at times and really really frustrating other times Right now if you cannot meet a specific requirement you have to get sign off from your QSA That a compensating control is in place that help will help mitigate the same risk that the requirement is trying to meet so what the standard is going to be moving to allegedly is More from linking of control requirements to more of linking to security objectives So I think it's going to be Really beneficial for all kinds of environments, but for especially environments like Cloudflare Which is a little bit more atypical than other other, you know standard retail food service banking more more industry established environments are I think the change from from moving from more specific like control linkings to security objectives is going to put more of the responsibility on the organization and also on the QSA is to really make sure that they understand the risks posed to your environment as related to cardholder data and your CD and Also to make sure that they really understand exactly how the environments work.

So I think that's going to be a good Exercise and it's really going to require Organizations to get a lot closer with their QSAs as they go through And really make sure that they have a very clear understanding of how their environment is to be scoped So one of the questions you also mentioned into there is like, you know, what do I think will change?

What would I like to see change?

so One of the one of the things I think will change Of course are some of the objectives The PCI DSS has always been pretty agnostic towards the type of technologies that are included in there They don't really focus.

You know, this is how you need to do cloud technology specifically or how you need to do You know regular, you know server or virtualization Technology and how you need to make it comply with the standard so I think we'll see some more of that but what I'm hoping to see are more of the FAQs developed by the council and maybe even linkages to that within the DSS as we have different kinds of environments and different threats to cardholder data now, I also personally Would love to see a revamp of requirement 8 which focuses a lot on user access and authentication mechanisms something that has been a cloud for that we've discussed a lot in our security team is The password requirements and how you know, it's kind of more insecure to change your password more frequently and have You know, maybe shorter passwords with more complexity built in versus having longer passphrases So I'm hoping that that is a place that the new Version of the standard will go and I think it'll align really nicely with Cloudflare security posture Yeah, yeah, that's great There's a lot yeah a lot to your answer there and I think what I'm you know I'm what I've seen with PCI is it's a very prescriptive You know Standard and it's it's also what you're saying is it's hard to be prescriptive without taking it into account the industry that you're you know Working in or the environment Yeah.

Yeah, I think it'd be really great if the council would give some more guidance on some of the orchestration technologies that are being you know pretty popular related to containerization, so If you're a council if you're listening Maybe consider that Great.

Um, well, yeah, so thinking beyond PCI. I'd love to hear from you.

What are you? Excited about for your career at Cloudflare. Yeah, PCI related or not.

I'd love to know Yeah so I think even more generally speaking so you while a big responsibility of mine and definitely a Sole focus on mine for a good portion of the years at PCI I also work on you know, the security compliance team and we truly are a team We have privacy specialists and other folks that really focus on some of our other Certifications we have such as ISO and SOC 2 So I would like to I've been getting a lot more involved with those other Certifications as well, which just helps round out more of the compliance experience here as well As we're getting a lot more into regulatory requirements in other countries as we continue to grow and expand our service offerings Which is a side of compliance that I've never had the opportunity To be involved with and that is pretty exciting for us Additionally, there's all sorts of other security certifications that Cloudflare can qualify for and I think we have like a really solid governance risk and compliance team embedded within our security team and Has good leadership and a really clear vision to take us to be, you know, completely all -star compliance team in the space I'm really excited to see us continue to grow take on new certifications and meet changing regulatory requirements Great.

Thank you Yeah, and then, you know just to kind of you know, wrap things up.

I Would like to acknowledge, you know, if there are any customers that are listening And they have more questions.

Could you just provide more insight on what's the most efficient way to contact us and You know customer get your PCI questions answered.

Great question So what I'd recommend if you ever want to have a question about our SOC 2 ISO or PCI or any sort of compliance question Please always reach out to your sales contact first That is like the quickest way to get in contact with our team and help get your questions answered So reach out to them We have a whole customer compliance team that helps respond to a lot of inquiries from new customers to existing customer account renewals that I think are Will definitely be able to help get your question answered there Awesome.

Thank you. Yeah, and you can always go to the club They're calm forward slash compliance as well to see the various different initiatives that we're already working on Yeah, definitely.

So I know we have a couple minutes here If there's any questions that anyone watching has for us, please just shoot them off I'd be happy to answer it but in the meantime We have a chance with Rebecca here who is my manager and who helps kind of run the whole show for security compliance at Cloudflare, would you mind just quickly touching on what are some of like the well actually first could you give your fun fact from?

Your orientation and then what are some of the challenges of managing security compliance at Cloudflare that you find rewarding?

Sure, yeah, I'll try to answer quickly. My fun fact is is quick and easy.

I was um, Valerina for 19 years and it was a I got a minor in it in college So not related to security, but it definitely is fun and helps round me out as an individual.

Sure And it's definitely every you know, all the compliance initiatives here at club.

There are a challenge But it's really rewarding to go through the process as a team and we get to work so cross-functionally with everyone here at club Claire And I think that's what makes it both challenging and rewarding and fun.

Awesome Hopefully that answers your question. No, it totally does.

Well, I think we're actually just about out of time I thank you for having me on this was really fun Or we thought it was a good conversation and hopefully we can do some more of these kind of discussion soon Yeah, thank you so much for answering all our questions