PCI DSS cloudy, virtually secure

Powered by SC Magazine
 

The PCI DSS Virtualisation Guidelines have been released to bring payment card security guidance into the age of cloud computing.

The Payment Card Industry (PCI) Security Standards Council has released virtualisation guidelines for its Data Security Standard (DSS) to help enterprises in the payment chain secure cardholder data in cloud computing environments.

The 39-page information supplement brings the PCI DSS into the era of cloud computing, a demand voiced strongly after the last update in August failed to address hot-button items such as tokenisation, chip-and-PIN and end-to-end encryption.

It was developed by one of the council's Special Interest Groups (SIGs), formed to clarify the use of virtualisation technology in payment environments.

Produced by the virtualisation SIG, chaired by Kurt Roemer, chief security strategist at Citrix Systems, with more than 30 participating organisations and the PCI Council, the supplement aims to help merchants, service providers, processors and vendors understand how PCI DSS applies to virtual environments, including:

  • Evaluating the risks of a virtualised environment;
  • Implementing additional physical access controls for host systems and securing access;
  • Isolating security processes that could put cardholder data at risk;
  • Identifying which virtualised elements should be considered 'in scope' for PCI DSS compliance.

"It is important to recognise that while the use of virtualisation technology certainly offers many benefits to organisations, the complexity of virtual configurations can lead to accidental misconfiguration or entirely new vulnerabilities that the system's designers never anticipated," PCI Security Standards Council general manager Bob Russo said.

"This resource helps merchants in better understanding some of these risks and how to minimise them when considering the use of virtualisation in payment card environments."

The information supplement provides PCI DSS scoping guidance, Russo added, for each "virtual system component" including hypervisors, virtual machines, virtual desktops and certain challenges presented by cloud computing, and offers best practices that merchants and assessors should adopt to help secure their payment card data in virtual environments.

Gartner analyst Avivah Litan, who had criticised the last PCI DSS update in August, said the new guidelines seemed sound and mature and offered specific recommendations.

"This is good," she said. "Virtualisation was an area that was undefined, and this document does a good job of mapping virtualisation to the PCI environment."

She did warn, however, that enforcement of the standards may prove to be a challenge. "There is a lot of conflict of interest. Security assessors are also selling remediation services. If they start using this for their financial gain, we're in trouble." That hasn't happened yet, she added.

Following the public release of the "PCI DSS Virtualisation Guidelines," Russo will explain the findings in a webinar on Thursday, June 30 at 11:00 am EST.

This presentation will include a review of the Council's approach to evaluating technologies in payments, an overview of Virtualisation SIG objectives, and a look at the key findings from the guidelines.

This article originally appeared at scmagazineus.com

Copyright © SC Magazine, US edition
