
HUAWEI CLOUD Becomes the Only Cloud Service Brand in China with PCI-DSS Certification for All Platforms, Nodes, and Services

Mar 29, 2018

On March 22, HUAWEI CLOUD became the only cloud service brand in China to pass the Payment Card Industry Data Security Standard (PCI-DSS) certification for all platforms, nodes, and services. The certificate was awarded by the British Standards Institution (BSI), an international authoritative certification body, at the Huawei China Eco-Partner Conference 2018 in Qingdao. This certification demonstrates that the security of HUAWEI CLOUD is internationally acknowledged, and puts its security compliance among the top in the world. Representing Huawei and BSI at the award ceremony were Yang Song, General Manager of Huawei Cloud Security, and Quan Zhenjun, Strategic Cooperation Director of BSI Greater China.

 

Yang Song (right) and Quan Zhenjun (left) at the award ceremony

1. What is the PCI-DSS certification?

The PCI-DSS is the most stringent and authoritative financial data security standard in the world. It was formulated and implemented by the PCI Security Standards Council (PCI SSC), which was formed by major payment card companies such as Visa and MasterCard in 2004. The PCI-DSS aims to strictly control data transmission, processing, and storage to ensure the security of online transactions made using payment cards. Since its release, the standard has been widely supported and promoted by global card organizations and financial institutions, and has become a common requirement for merchants and service providers. Due to its strong operability, it has also become a general security standard for other industries beyond the financial industry.

After receiving an enterprise's application for PCI-DSS certification, the PCI SSC authorizes an independent review organization (such as the BSI) to conduct a comprehensive and thorough review of the enterprise. The review involves six areas of focus, 12 specifications, and nearly 300 review indicators. The six areas of focus are as follows:

- Building and maintaining a secure network
- Protecting cardholder data
- Maintaining a vulnerability management program
- Implementing strong access control measures
- Regularly monitoring and testing networks
- Maintaining an information security policy

The review process covers security management system review, internal and external network vulnerability scanning by a third-party Approved Scanning Vendor (ASV), security vulnerability fixing, and security management system implementation.

During the review of HUAWEI CLOUD, the many indicators taken into account covered all of HUAWEI CLOUD's physical equipment rooms, key system components of the cloud platform, personnel security training, and security development. At least one follow-up review is required every year.

2. What does passing the PCI-DSS certification mean for HUAWEI CLOUD?

(1) Passing this certification for all platforms, nodes, and services means that the security of the entire IT system of HUAWEI CLOUD has been verified, including its Beijing, Langfang, and Hong Kong nodes.

(2) As PCI-DSS was initially formulated to provide security standards for the financial industry, some vendors have only passed the certification for their dedicated financial clouds, not meeting the security requirements of users in other industries. However, the comprehensive certification of HUAWEI CLOUD means that users can enjoy financial-level security regardless of their industries.

(3) HUAWEI CLOUD passed the certification in a short period of time, which is evidence of the great importance HUAWEI CLOUD has always attached to developing industry-leading security.

Because the PCI-DSS standards are so strict and require such high security technology capabilities for cloud platforms, few enterprises can pass the certification. At present, HUAWEI CLOUD is the only cloud service brand in China that has passed the PCI-DSS certification for all platforms, nodes, and services.

"BSI is willing to leverage its professional advantages to help HUAWEI CLOUD grow and improve," said Quan Zhenjun.

3. What does the bigger picture of HUAWEI CLOUD's compliance certification look like?

Users and cloud service providers are paying more attention to compliance certification, because compliance certification is the basis for ensuring cloud platform security. The HUAWEI CLOUD platform has received the following security certifications:

- Basic certifications based on the general security standards of the industry: CSA STAR gold certification, ISO 27001 certification, and Classified Protection of Information Security
- Regional certifications: Trusted Cloud and IT-Grundschutz certifications obtained in Germany
- Enhanced certifications for specific industries/services: PCI-DSS certification, which meets the security requirements of industry customers and improves the security of financial and payment services; Trusted Cloud certification of the Ministry of Industry and Information Technology (MIIT) for improving service security

In addition, HUAWEI CLOUD has received BSIMM certification, ITSS service enhancement certification, an IDC/ISP license, and TUV Trusted Cloud certification, and has participated in an authoritative standard pilot (cloud service network security).

In addition to compliance certification, HUAWEI CLOUD has built a full-stack security system to provide users with visible and easy-to-use security services, such as database firewalls, database auditing, and data anonymization. HUAWEI CLOUD also provides the first key management service that enables users to control cloud keys in China. The anti-DDoS service can defend against 1 TB of traffic attacks in 3 seconds.

4. What commitments has Huawei made to ensure the security and neutrality of user data?

Huawei is the first cloud service provider in China to commit to not developing applications, not accessing users' public cloud data, and not making equity investments in partner services.

In combination with these commitments, HUAWEI CLOUD has built a full-stack protection matrix covering physical devices, networks, hosts, applications, and data to protect user security. For example, Huawei provides China's most comprehensive services for database security, such as its Database Security Service. Huawei is also the first cloud service provider in China to deliver cloud encryption keys for users through its Key Management Service. At present, these commitments have been well received by users, and other cloud service providers have followed Huawei's example.

"This PCI-DSS certification is only the beginning for HUAWEI CLOUD," said Yang Song. "We plan to continue exploring users' service requirements, learning best practices in the industry, and implementing security elements in the R&D process. Only in this way can we keep enriching our security and providing services that users can trust."