Utilizing a Reference Architecture to help with PCI Compliance in the Cloud

Earlier this month, Oracle Cloud Infrastructure (OCI) published a Reference Architecture allowing merchants to use OCI resources to quickly build an environment that can help meet the intent and rigor of the Payment Card Industry Data Security Standard (PCI DSS). Merchants looking to get into the business of taking credit card transactions online often encounter additional challenges in architecting a secure and available framework that meets industry standards such as PCI DSS, so this Reference Architecture should help alleviate some of the confusion surrounding initial compliance while also demystifying some of the other, more confusing aspects of the standard. Having had the privilege of working with the team at OCI, Schellman reviewed the OCI Reference Architecture as an independent assessor; during that process, we found some key advantages, which are outlined below:

  • It introduces a platform topology using architectural and network diagrams so customers may have a baseline to build a compliant environment and add on to the existing infrastructure as needed.

  • It includes component overviews to help customers better understand how each different system and service can be used to create a compliant merchant environment.

  • It provides an infrastructure-as-code template to customers to facilitate an easy download and deployment of the Reference Architecture environment from GitHub.

  • It recommends best practices that enable customers to configure and more easily manage the environment while becoming PCI compliant, once the Reference Architecture is deployed within one of OCI’s PCI DSS validated regions.

  • It incorporates sample policies and standards that can be used as a baseline to modify and create the appropriate policies for any organization that uses the Reference Architecture.

Because the Reference Architecture is built using OCI’s PCI DSS validated services and is integrated with Stripe’s Payment API for processing credit card transactions, the environment is not designed to store cardholder data. This may significantly reduce the scope of a merchant’s cardholder data environment (CDE). Merchants within the e-commerce space, or those that take credit cards through other channels, may still be required to undergo their own PCI DSS validation; however, using this Reference Architecture should still allow OCI’s existing merchant customers to have an easier time setting up and securing the initial CDE.

About the Authors

Doug Kanney is a Principal at Schellman & Company based in Columbus, Ohio. Doug leads the HITRUST and HIPAA service lines and assists with methodology and service delivery across the SOC, PCI-DSS, and ISO service lines. Doug has more than 15 years of combined audit experience in public accounting. Doug has provided professional services for multiple Global 1000, Fortune 500, and regional companies during the course of his career.

Joe O'Donnell is a Manager with Schellman and is mainly dedicated to the PCI and PCI specialty service lines. Joe previously worked within the Enterprise Risk Management consulting practice. He has managed IT reviews in support of the financial audit and helped with various engagements including, but not limited to, SOC reports, penetration testing and vulnerability scanning, SOX, HIPAA, and bank audits. Before focusing his career on IT auditing services, Joe worked as an Enterprise Operations Computing Analyst, where he gained experience in IT systems analysis and data center operations.

About the Author

Schellman & Company

Schellman & Company, LLC (Schellman) is a leading provider of attestation and compliance services. We are the only company in the world that is a CPA firm, a globally licensed PCI Qualified Security Assessor, an ISO Certification Body, HITRUST CSF Assessor, a FedRAMP 3PAO, and most recently, an APEC Accountability Agent. Renowned for expertise tempered by practical experience, Schellman's professionals provide superior client service balanced by steadfast independence. Our approach builds successful, long-term relationships and allows our clients to achieve multiple compliance objectives through a single third-party assessor.
