
Thursday May 28, 2026
PCI DSS and Serverless Architecture
In this episode of InfoSec Insider, Alastair Stewart and Tibor Laczko, both Senior Consultants and Qualified Security Assessors (QSAs) with URM, explore the use of serverless architecture and Payment Card Industry Data Security Standard (PCI DSS) compliance. Alastair and Tibor draw on nearly 30 years’ combined experience with the PCI DSS to discuss:
- What ‘serverless’ actually means in a PCI DSS context, and how this differs from how it is usually described by cloud providers
- What QSAs look for when deciding whether a serverless system falls within PCI DSS scope
- How the balance of responsibilities shifts when an organisation moves from traditional cloud services to serverless, and where this causes the most confusion during assessments
- The parts of a serverless setup that tend to bring cardholder data into scope unexpectedly, and how to ensure you understand the way information moves through your systems
- How to handle PCI DSS requirements for logging, monitoring and retaining evidence when the systems they rely on disappear almost instantly
- Maintaining compliant access control and change control in a serverless context
- How to check for weaknesses in serverless systems, and the risks tied to the external code and libraries that are often used inside serverless functions
- And more.
Ask Alastair and Tibor a question: https://www.urmconsulting.com/podcasts/pci-dss-and-severless-architecture
If you enjoyed this episode of InfoSec Insider, you can leave us a rating and review here: https://ratethispodcast.com/infosecinsider
You can find more episodes of InfoSec Insider here: https://urmconsulting.com/podcasts
Connect with us on LinkedIn
Brought to you by URM, the UK’s leading information and cyber security specialists.