In June, the PCI Security Standards Council (PCI SSC) released a set of guidelines and recommendations on configuring virtualized environments to meet PCI requirements. The council acknowledges there is no one-size-fits-all hosting solution that lets every business meet the PCI requirements, but the guidance does address the new risks that virtualization technology can introduce.
According to Onestopclick.com’s article on PCI Compliance and the Public Cloud, some experts suggest using a separate secure server for payment transactions while running other business operations on a cloud platform. The PCI SSC, however, notes that some public clouds have characteristics that make it harder to define the scope of the assessment and the division of responsibilities, including the fact that the hosted entity may have limited knowledge of the other tenants sharing its environment and limited control over where cardholder data (CHD) is stored. In a private cloud, dedicated hardware gives the tenant more security and control because it knows which physical hosts its data lives on.
The PCI SSC makes clear that outsourcing to a PCI compliant cloud hosting provider does not transfer the merchant’s obligation: the provider is responsible for the controls it operates and for assessing its own environment, while the merchant remains responsible for everything that falls outside the provider’s scope. When evaluating a PCI compliant hosting provider and solution, merchants should therefore review which controls are in place to meet each requirement, what is included in the scope of the provider’s assessment and what is explicitly excluded, and which requirements remain the merchant’s own responsibility.
The PCI SSC also recommends that organizations conduct a risk assessment of the virtual environment as part of meeting the PCI standards, covering the following key elements:
- Define the Environment - Components, physical security and site details, traffic flows, the visibility of each component, and the virtual and physical hardware components involved.
- Identify Threats - For example, new types of malicious code or logical attacks that target virtual components such as the hypervisor, or unsecured communication channels between components that share the same hardware.
- Identify Vulnerabilities - The PCI SSC acknowledges that vulnerabilities can result from the complexity of virtualization layers, shared environments and lack of visibility, but it also points out that vulnerabilities are not limited to technical issues: poorly trained staff, errors in operational processes, and a lack of control monitoring can all create points of weakness.
- Evaluate and Address Risk - With the threats, vulnerabilities and environmental factors identified, the ultimate goal of the risk assessment is to determine whether any additional controls, beyond the existing PCI DSS requirements, are needed to protect CHD and avoid a compliance failure or breach.
For more on PCI compliance, see our prerecorded PCI compliance webinar series, which includes a PCI overview, a walkthrough of the detailed PCI requirements, and a session on PCI penetration testing and enhancing network and application security, led by PCI compliance expert Adam Goslin of High Bit Security.