The Payment Card Industry (PCI) Security Standards Council has released virtualisation guidelines for its Data Security Standard (DSS) to help enterprises in the payment chain secure cardholder data in cloud computing environments.
The 39-page document updated the PCI DSS into the era of cloud computing, a demand strongly urged after the last update in August failed to address hot button items like tokenisation, chip-and PIN and end-to-end encryption.
It was built from council Special Interest Groups (SIGs) that clarified the use of virtualisation technology.
Led by virtualisation SIG chair Kurt Roemer, chief security strategist at Citrix Systems, and more than 30 participating organisations along with the PCI Council, the supplement aims to assist merchants, service providers, processors and vendors to understand how PCI DSS applies to virtual environments including:
- Evaluating the risks of a virtualised environment;
- Implementing additional physical access controls for host systems and securing access;
- Isolating the security processes that could put the card data at risk;
- Identifying which virtualised elements should be considered 'in scope' for the purposes of PCI compliance.
"It is important to recognise that while the use of virtualisation technology certainly offers many benefits to organisations, the complexity of virtual configurations can lead to accidental misconfiguration or entirely new vulnerabilities that the system's designers never anticipated," PCI Security Standards Council general manager Bob Russo said.
"This resource helps merchants in better understanding some of these risks and how to minimise them when considering the use of virtualisation in payment card environments."
The information supplement provides PCI DSS scoping guidance, Russo added, for each "virtual system component" including hypervisors, virtual machines, virtual desktops and certain challenges presented by cloud computing, and offers best practices that merchants and assessors should adopt to help secure their payment card data in virtual environments.
After critical comments after the last PCI DSS update in August, Gartner analyst Avivah Litan said the guidelines seemed sound and mature and offered specific recommendations.
"This is good," she said. "Virtualisation was an area that was undefined, and this document does a good job of mapping virtualisation to the PCI environment."
She did warn, however, that enforcement of the standards may prove to be a challenge. "There is a lot of conflict of interest. Security assessors are also selling remediation services. If they start using this for their financial gain, we're in trouble." That hasn't happened yet, she added.
Following the public release of the "PCI DSS Virtualisation Guidelines," Russo will explain the findings in a webinar on Thursday, June 30 at 11:00 am EST.
This presentation will include a review of the Council's approach to evaluating technologies in payments, an overview of Virtualisation SIG objectives, and a look at the key findings from the guidelines.