Cloud // Platform as a Service
News
6/14/2011
01:26 PM

PCI Updates Rules for Customer Data In Cloud

Industry council warns companies that handle cardholder data in virtualized environments, including cloud: Don't skimp on security requirements.

Memo to organizations that store cardholder data in virtualized environments, including the cloud: Don't skimp on security.

That's the main message contained in new guidance, released Tuesday by the Payment Card Industry (PCI) council, for organizations that handle cardholder data and thus must comply with the council's data security standard, PCI DSS.

"You're not relieved of any of the PCI DSS requirements here. If you've got to do them in the real world, you've got to do them in a virtualized world too," said Bob Russo, general manager of the PCI Security Standards Council, by telephone.

Already, PCI DSS version 2.0, which went into effect in January 2011, had specified that cardholder data stored in virtualized environments was covered by the standard. (Businesses still on PCI 1.2 must comply with the new version by the end of the year.) But when it came to investigating virtualization and its PCI implications in greater depth, "we were able to work within the existing compliance framework," said Kurt Roemer, chief security officer of Citrix, in a telephone interview.

Accordingly, "this is supplemental guidance, these are not new requirements within the standard," said Russo. That means PCI-compliant organizations storing cardholder data in virtualized environments won't have to start from scratch.

The PCI council's security caution over virtualization is justified, because virtualized environments are susceptible to types of attacks not seen in any other environment. Furthermore, many businesses embrace virtualization to cut costs, but skimp on securing the environment.

"Security tends to be an afterthought in any environment, not just virtualized environments, and our job is to help people understand this," said Russo. "We're always telling people this is about security, and not compliance. If you're secure, compliance comes along as a byproduct."

The new "PCI DSS Virtualization Guidelines" document specifies four principles. First, PCI DSS security requirements apply to cardholder data even when it is stored in virtualized environments. Second, organizations have to audit the risks--which may be unique--associated with using virtualized environments. Third, the council wants to see detailed knowledge of each relevant virtualized environment, "including all interactions with payment transaction processes and payment card data." Finally, the guidance warns that "there is no one-size-fits-all method or solution to configure virtualized environments to meet PCI DSS requirements" and says that specific controls and procedures will necessarily vary by environment.

To help organizations get a handle on PCI and virtualization, the new guidelines also detail techniques for assessing risk in virtualized environments, and specify which aspects of virtualized environments are--or aren't--within the scope of PCI compliance, and thus liable to be assessed during an audit by qualified security assessors (QSAs). "This is a document not only for the QSAs, but also for merchants and people wanting to use virtualized environments. So it better prepares them for what they're going to be asked by QSAs," said Russo.

Don't look for guidance on specific types of technology, but rather core virtualization security challenges. "If you look at the standard, we try to be as technology-agnostic as possible, and as we address virtualization going forward, we recognize that numerous areas will evolve--storage, virtual networking, cloud computing--but the requirements to manage the technology will probably not change, rather the risks will evolve, and we'll address those," said Troy Leach, the council's chief standards architect, in a telephone interview.

The new guidance applies to storing PCI data in the cloud too. "What we did was adopt the NIST definition of cloud computing, and we abstracted that down to three types of computing as a service--software, platforms, and infrastructure," said Citrix's Roemer. In future PCI versions, "that's probably the one area of the document that would need to be updated more," he said, "but cloud computing is being used for PCI environments today; there are a lot of benefits in doing so."

The new guidance was produced in part by the PCI council's virtualization special interest group, which includes representatives from 33 different organizations--from Bank of America and Cisco to Southwest Airlines and Stanford University. Overall, it included "QSAs and auditors, merchants, and vendors, we had a broad brush of people across the PCI ecosystem," said Roemer, who leads the special interest group.
