How Compliance to PCI Can Be Achieved in Google Apps

Topics covered

  • What is PCI compliance?
  • Critical requirements of PCI compliance
  • Problems that companies experience in PCI compliance
  • Introduction to Google Apps
  • Requirements that organizations fail to meet and how Google Apps can help

What is PCI compliance?

The PCI Data Security Standard (PCI DSS) was created by the PCI Data Security Council, an organization established by the major credit card companies (VISA, Mastercard, American Express, Discover, and JCB) in 2006 but which operates independently of these companies. PCI DSS provides the baseline technical and operational requirements which are designed to protect cardholder data. PCI DSS applies to all entities involved in payment card processing—including merchants, processors, acquirers, issuers, and service providers, as well as all other entities that store, process or transmit cardholder data (CHD) and/or sensitive authentication data (SAD).

Depending upon the volume of transactions processed by organizations, either they are required to:

  • Undergo evaluation by a QSA (Qualified Security Assessor) – a person meeting the educational requirements for information security defined by the PCI Data Security Council – who generates a Report on Compliance (ROC) for these organizations and
  • They are required to validate their compliance by completing a SAQ.

In addition to the above requirements, all entities involved in payment card processing are required to have external network security scans performed quarterly by a certified third-party vendor.

Critical Requirements of PCI

As currently configured, the PCI DSS includes six so-called “control objectives”, which are implemented through one, two, or three specific requirements that meet those objectives. In all, there are twelve specific requirements. In various versions of the PCI DSS, each of the twelve requirements has been further specifically defined by the creation of discrete sub requirements, which have varied somewhat from version to version of the PCI DSS; the six control objectives and twelve main requirements have remained the same since the creation of the PCI DSS in 2006. The latest version of the standard is PCI DSS V3.0, which became effective from January 01, 2014.

Challenges Faced by Organizations in Achieving PCI Compliance

All organizations processing credit card information have a difficult and critically important obligation to maintain the security of that information. The risk of data loss and credit card fraud are great and widely publicized. Large credit card data leaks have occurred at major retailers and other companies, including Target, Sony, Home Depot, Staples, KMart, Adobe, Neiman-Marcus, Michael’s, P.F. Chang’s,  and LivingSocial, to name a few. An especially large data breach involving some  130 million occurred at Heartland Payment Systems in 2009.

For each case of credit card fraud, costs are high and IT departments spend numerous extra hours repairing each incident. Reputation is damaged and can result in dwindling consumer trust and lower profit margins.

Negative publicity that accompanies any breach in security can be very damaging to an entity’s image and share value. If you operate a business in California, you are required to disclose any security breach publicly under state regulation CA SB 1386. Being forced to report publicly that credit card numbers have been stolen is one sure way to lose customers and shareholders.

Another reason for ensuring compliance with the PCI Standard is to avoid fines and additional regulatory scrutiny. Failure to comply with the PCI Data Security Standard can result in huge fines by credit card companies and the US Government can levy additional fines. Visa, for example, levies fine up to $500,000 per incident if the organization is found non compliant to a PCI standard at the time of an incident.

Even worse, once an entity has failed a PCI audit, it is given an elevated risk status and becomes subject to more extensive PCI audits. The ultimate penalty can be a suspension of status and the loss of the ability to accept and process credit cards.

The specific challenge for PCI compliance is complex because there are so many different requirements that must be followed. Setting up an effective PCI compliance system within a company can be costly and require a lot of expertise and planning.

Introduction to Google Apps

Google Apps is a suite of cloud computing tools designed for both business and personal needs, providing capabilities for productivity, document creation and management, collaboration, communication, and social interaction. Google Apps includes the web applications Gmail, Google Drive, Google Docs, Google Calendar, and Google Hangouts. Google Apps for Business provides a secure alternative for document management that has been well proven, allowing businesses to conduct most computer-based work and transactions using Google Apps cloud services.

Approximately 60% of Fortune 500 companies now use Google Apps, and Google Apps has been adopted widely by companies that handle sensitive information, including credit card information, as well as health and legal documentation.

Three Requirements that Organizations Fail to Meet and How Google Apps Can Help Meet Them

There are many important ways in which organizations must comply with PCI DSS standards but where they all too often come up short. For most companies, Google Apps can provide a way to meet these requirements more efficiently and reliably. Here is a list of three important requirements for PCI DSS security that companies are sometimes failing to meet and the ways in which Google Apps can help to meet them.

#1: Protect Cardholder Data

Two Google Apps that could be used to transmit or store PCI DSS data are Google mail and Google Drive. Sensitive data can be stored on Google Drive or even transmitted through Google Mail. Protecting cardholder data involves both protecting any data that may be stored and ensuring that only data that must be transmitted is transmitted and that it is always encrypted.

Storage. Cardholder data that may be received by an organization in Google Apps could in theory be stored and managed in a couple different ways. Information that is copied into Google Drive will remain indefinitely, until it is manually deleted by the user or an admin. To comply with rules that limit the retention of PCI DSS data, their retention should be carefully managed.

Organizations should have clear policies regarding the storage and retention of various elements of cardholder data. While charting a policy is the foundational stone for establishing compliance, organizations should monitor the compliance to the storage and retention policies. Often organizations lose sight of the points through which cardholder data is stored. Google Apps and its various third party apps may be of tremendous help to organizations in achieving the goal of “Store – what you need .. Retain – till you need”. These apps can locate traces of cardholder data anywhere in the Google Drive.

Transmission. Protection of data in transit is one of the most important aspects of protecting cardholder data. Organizations can enable SSL (Secure Sockets Layer) protocol in Google Apps to secure communication over the Internet. If SSL connections are enabled, Google will force HTTPS (Hypertext Transfer Protocol Secure) when users access most services in Google Apps. The advantage of SSL is added security for your users. If your users access Google Apps on a non-secure Internet connection, such as a public wireless or a non-encrypted network, your users’ accounts may be more vulnerable to hijacking. A secure connection prevents hijacking by protecting the cookie session.

#2: Implement strong access control measures

Google Apps allows the admin to define access to specific Google Apps and files for specific users and organizational units.


Authentication is a mechanism by which a user is validated by the system. A user can be authenticated into the system using any of the following three methods:

  •  Something you know, such as a password or passphrase
  •  Something you have, such as a token device or smart card
  •  Something you are, such as a biometric.

Google apps allows organization to implement strong authentication controls there by restricting unauthorized users from gaining access to cardholder data. Google Apps allows organizations to implement a multifactor authentication mechanism. As a first step, users are required to login using their username and password. Google Apps allows organizations to force usage of strong passwords. As a second step, users can either use a code that will be sent to their phone via text, voice call, or Google mobile app or use a code from the security key plugged into the USB port of the computer.

Access Control

In general, PCI DSS compliance is best achieved by following a dual principle approach – using the principles of least privileges and need to know.

Need to know restriction can be implemented by providing access to any information not where all approvals are available but where a legitimate business need exists. Principle of least privilege can be implemented by restricting rights of every user to the lowest level that will enable them to perform their jobs.

Google Apps and other third party apps provides significant features to implement the principle of least privileges and restricting access on a need to know basis.

Additional standard procedures for protecting sensitive information should also be carried out, such as cutting off access to those no longer needing it (such as terminated employees), ensuring sufficiently complex passwords, and revisiting access privileges regularly.

#3: Track and monitor access to cardholder data

Along with establishing clear guidelines for access and ensuring that access is limited to those with demonstrated need, it is also important to track and monitor access to cardholder data.

Organizations should establish effective policies and procedures surrounding what gets monitored and who monitors it. Cardholder data is so sensitive that a real-time monitoring mechanism is essential to prevent data breaches, which are far more difficult and expensive to correct.

Google Apps and third party apps provide effective real-time monitoring solutions to track and monitor cardholder data. These can be used to perform scans of Google Apps information systems to check for cardholder information. Rules can be configured to provide real time protection against any unauthorized sharing of cardholder information. The capabilities of these apps in providing monitoring solutions can immensely support monitoring logs and enforce restrictions.

To aid effective tracking and monitoring, at a minimum, Organizations are required to log the following:

  • User identification
  • Type of event
  • Date and time
  • Success or failure indication
  • Origination of event
  • Identity or name of affected data, system component, or resource

The Admin Audit Console log, document history and sharing history in Google apps will provide good amount of logs, to allow company managers to monitor activity as a whole and double check that procedures mandated by the company are being properly executed.