A simple approach to PCI DSS compliance for Google Cloud Platform
Customers often ask us for guidance about how to build PCI DSS compliant environments on top of Google Cloud Platform. From our work in the field, we recently put together a handy-dandy tutorial to help them get started.
This is no small thing. Many businesses today have online storefronts, and the vast majority of those take credit cards. When you accept credit cards for your business, you have to make sure you do that securely —
to ensure customer trust and security, to get paid and to meet the necessary regulations, namely PCI DSS.
The PCI DSS, created by the PCI Security Standards Council, is an information security standard created by the major credit card companies; as such, any business that takes Visa, MasterCard, Discover, American Express or JCB is expected to be PCI DSS compliant, and can be fined or penalized if it is not.
Creating and managing a compliant PCI DSS environment can be a non-trivial task. Thankfully, if you’re on Cloud Platform, managed services such as Stackdriver Monitoring, Stackdriver Logging, and Google BigQuery can help. Our solution, for example, includes these basic components:
- A lightweight Google Compute Engine front-end application that accepts credit card information and sends it to an external payment processor. Importantly, that information is never recorded, it's only transmitted.
- An external payment processor that charges the credit card if it's accepted or rejects it if it’s not, and notifies your application of the result. Since this is just a notification to your application, no credit card data is transmitted or recorded from the payment processor.
- Stackdriver Logging, which logs the actions of every application and server via Squid Proxy which restricts the event traffic and sends them to Stackdriver Monitoring, which monitors the events
- BigQuery, which can be used to analyze the logs, run ad-hoc audit queries and create reports.