The Payment Card Industry (PCI) Security Standards Council has released virtualisation guidelines for its Data Security Standard (DSS) to help enterprises in the payment chain secure cardholder data in cloud computing environments.
The 39-page document updated the PCI DSS into the era of cloud computing, a demand strongly urged after the last update in August failed to address hot button items like tokenisation, chip-and PIN and end-to-end encryption.
It was built from council Special Interest Groups (SIGs) that clarified the use of virtualisation technology.
Led by virtualisation SIG chair Kurt Roemer, chief security strategist at Citrix Systems, and more than 30 participating organisations along with the PCI Council, the supplement aims to assist merchants, service providers, processors and vendors to understand how PCI DSS applies to virtual environments including:
"It is important to recognise that while the use of virtualisation technology certainly offers many benefits to organisations, the complexity of virtual configurations can lead to accidental misconfiguration or entirely new vulnerabilities that the system's designers never anticipated," PCI Security Standards Council general manager Bob Russo said.
"This resource helps merchants in better understanding some of these risks and how to minimise them when considering the use of virtualisation in payment card environments."
The information supplement provides PCI DSS scoping guidance, Russo added, for each "virtual system component" including hypervisors, virtual machines, virtual desktops and certain challenges presented by cloud computing, and offers best practices that merchants and assessors should adopt to help secure their payment card data in virtual environments.
After critical comments after the last PCI DSS update in August, Gartner analyst Avivah Litan said the guidelines seemed sound and mature and offered specific recommendations.
"This is good," she said. "Virtualisation was an area that was undefined, and this document does a good job of mapping virtualisation to the PCI environment."
She did warn, however, that enforcement of the standards may prove to be a challenge. "There is a lot of conflict of interest. Security assessors are also selling remediation services. If they start using this for their financial gain, we're in trouble." That hasn't happened yet, she added.
Following the public release of the "PCI DSS Virtualisation Guidelines," Russo will explain the findings in a webinar on Thursday, June 30 at 11:00 am EST.
This presentation will include a review of the Council's approach to evaluating technologies in payments, an overview of Virtualisation SIG objectives, and a look at the key findings from the guidelines.
This article originally appeared at scmagazineus.com
Copyright © SC Magazine, US edition
Processing registration... Please wait.
This process can take up to a minute to complete.
A confirmation email has been sent to your email address - SUPPLIED GOES EMAIL HERE. Please click on the link in the email to verify your email address. You need to verify your email before you can start posting.
If you do not receive your confirmation email within the next few minutes, it may be because the email has been captured by a junk mail filter. Please ensure you add the domain @itnews.com.au to your white-listed senders.