The Payment Card Industry Security Standards Council (PCI SSC) issued a new guidance to help IT administrators deploy and manage cloud environments and virtual data centres while ensuring PCI Data Security Standard (DSS) compliance where necessary.
The PCI DSS Virtualisation Guidelines Information Supplement, released June 14, covers a number of virtualisation areas, including different types of virtualisation, specific notes on cloud computing and how to ensure “mixed” virtual environments are compliant, Bob Russo, the general manager of the PCI Council, told eWEEK.
The guidance does not contain new requirements or standards but is intended to be a primer on how to ensure virtual environments comply with the existing PCI DSS 2.0 standard.
Data stored in virtual environments are already covered by PCI DSS 2.0, which went into effect in January. PCI-compliant organisations do not have to start from scratch when looking at this guidance, Russo said. Merchants and vendors “asked for additional clarity”, and the guidance provides the explanation and details for the requirement in the context of virtualisation, Russo said.
The Virtualisation SIG looked at each requirement in PCI DSS and examined it within the context of the virtual environment. The guidance provides additional details around each requirement, Roemer said.
For example, a PCI DSS requirement specifies that administrators have to segment PCI workloads from other workloads. The guidance applied the requirement to the virtual environment to note that firewalls must segment virtual machines with different “trust zones” in a single environment, according to the document. This is especially important in a multi-tenant public cloud environment, Roemer said.
Virtual hosts are now subject to the requirement that administrators “limit access to system components and cardholder data to only those individuals whose job requires such access”, according to the guidance document, suggesting that organisations will need to implement access controls on the hypervisor, host and other components.
The PCI Council avoids endorsing any type of technology or technique in its guidance, leaving the actual implementation to the individual enterprise. Numerous areas will evolve, such as storage, virtual networking and cloud computing, but the requirements to manage the technology should not change, Troy Leach, PCI Council’s chief standards architect, told eWEEK. Future guidance and standards will address evolving risks, Leach said.
“There is no single method for securing virtualised environments,” Russo said.
The SIG originally started out looking at server virtualisation because that was what most members were focusing on as part of their virtualisation efforts, Roemer said. However, the group discovered there were other usages, such as for applications, desktops and storage servers.
At the same time, Cisco announced it will be releasing a Cisco PCI Solution for Retail Design and Implementation Guide at the end of the month to help enterprises and retail customers with an in-depth guide on how organisations can achieve PCI compliance. Lindsay Parker, global retail industry director at Cisco, told eWEEK that the document, an update to a previous guide, provides guidance for different types of “store footprints”, such as size of the retail organisation and the type of services provided.
The PCI implementation guide is “comparable to a cookbook, a how-to manual” on securing the organisation’s systems, including virtual and wireless infrastructure, Parker said. Unlike the guidance from the PCI Council, Cisco’s document is unabashedly promoting Cisco’s and its partners’ products, including HyTrust, RSA Security and EMC, according to Parker.
Many retail companies and enterprises tend to view PCI compliance as a “point in time exercise”, one that is done once the audit is completed, according to Parker.
At least four other industry sectors, including government, education, health care and financial services, are taking the retail guide and modifying with industry-specific information to create customised guides for those areas, Parker said.
Suspended prison sentence for Craig Wright for “flagrant breach” of court order, after his false…
Cash-strapped south American country agrees to sell or discontinue its national Bitcoin wallet after signing…
Google's change will allow advertisers to track customers' digital “fingerprints”, but UK data protection watchdog…
Welcome to Silicon In Focus Podcast: Tech in 2025! Join Steven Webb, UK Chief Technology…
European Commission publishes preliminary instructions to Apple on how to open up iOS to rivals,…
San Francisco jury finds Nima Momeni guilty of second-degree murder of Cash App founder Bob…