Retail Technology
The resource is designed to help organisations implement PCI DSS requirements in virtualised environments, and includes specific recommendations on cloud computing.

 

The Payment Card Industry Security Standards Council (PCI SSC) has announced the findings of the Council’s Virtualisation Special Interest Group.

 

The open industry standards body, which manages the PCI Data Security Standard (PCI DSS), the PIN Transaction Security (PTS) requirements and the Payment Application Data Security Standard (PA-DSS), has published the PCI DSS Virtualisation Guidelines Information Supplement. It gives those in the payment chain guidance on using virtualisation technology in cardholder data environments in accordance with PCI DSS.

 

The Council’s Special Interest Groups (SIGs) are designed to clarify elements of PCI DSS that stakeholders seeking to secure cardholder data may find challenging or open to interpretation. Virtualisation technology has been a chief area of interest both for organisations considering deploying it in their cardholder data environments and for assessors who evaluate virtualised environments as part of a PCI DSS assessment. While it provides many benefits, the Council said, virtualisation also introduces new and unique risks that must be considered carefully before deployment.

 

Collaborative industry efforts

 

The product of months of collaborative effort led by Virtualisation SIG chair and Citrix Systems chief security strategist Kurt Roemer, together with more than 30 Participating Organisations working with the PCI Council, the information supplement is designed to help merchants, service providers, processors and vendors understand how PCI DSS applies to virtual environments. It includes:

 

  • Explanation of the classes of virtualisation often seen in payment environments including virtualised operating systems, hardware/platforms and networks;
  • Definition of the system components that constitute these types of virtual systems and high-level PCI DSS scoping guidance for each;
  • Practical methods and concepts for deployment of virtualisation in payment card environments;
  • Suggested controls and best practices for meeting PCI DSS requirements in virtual environments;
  • Specific recommendations for mixed-mode and cloud computing environments;
  • Guidance for understanding and assessing risk in virtual environments.

 

The supplement also includes an appendix that provides examples of virtualisation implications for specific PCI DSS requirements and suggested best practices for addressing them.

 

“This information supplement provides a more detailed view into the definitions and boundaries where PCI intersects with virtualization,” said SIG chair Kurt Roemer. “Now merchants can identify the range of questions to ask their providers and then determine the risk mitigation options available.”

 

No one solution fits all

 

The SIG’s findings highlight that there is no single method for securing virtualised systems. Virtual technologies have many applications and uses, and the security controls appropriate for one implementation may not be suitable for another. Using this resource, organisations can better understand and evaluate their own environments, identify the specific risks that virtualisation brings to the security of their cardholder data environment, and plan deployments accordingly.

 

“Virtualisation and cloud computing in relation to PCI have been topics of great interest among our stakeholders,” said Bob Russo, PCI Security Standards Council general manager. “I want to recognise the Virtualisation SIG and the tremendous amount of effort and collaboration that went into creating this guidance. It points to the critical importance of participation from the PCI community in helping us provide resources that help meet our stakeholders’ expectations of securing cardholder data.”

 

The Council will host a webinar, open to Participating Organisations and the public, highlighting the key findings of the information supplement and how stakeholders can best use the resource within their organisations.

 

Registration is open for two sessions: Tuesday, 28 June and Thursday, 30 June.