Enterprises get new guidance on PCI compliance in virtual environments
PCI Security Standard Council's document should benefit greatly, analysts say
Computerworld - Enterprises got some much needed clarification on the implementation of PCI requirements in virtualized environments on Tuesday.
The PCI Security Standards Council, the body that administers the Payment Card Industry Data Security Standard (PCI DSS),has released a comprehensive set of guidelines that companies can use to ensure that their virtual environments are compliant with PCI requirements.
The council's 39-page guidance document (PDF document) describes in detail how each of the 12 broad PCI security controls that are mandated for logical environments, need to be applied in a virtual setting. One section provides examples of how virtualization can impact each PCI requirement, and recommends best practices for addressing them.
"The guidelines really address all aspects and usage of virtualization," by organizations that are covered under PCI rules, said Kurt Romer, chief security strategist at Citrix Systems and chairman of the PCI special interest group that drafted the document.
"We put out the document to help people understand how they should be looking at [virtualization]," from the PCI standpoint, Romer said.
One important area that the document covers relates to the hypervisor technologies that are used in hardware virtualization. The guidance makes it clear that hypervisors fall under the scope of PCI requirements if any virtual component connected to the hypervisor it is covered under PCI, he said.
Similarly, the document also makes some important recommendations for mixed-mode environments in which companies might choose to run PCI workloads alongside non-PCI data on the same virtual machine. The document for instance, spells out how in-scope and out of scope workloads need to be segmented and the additional measures needed to achieve that in a virtual environment, Romer said.
The PCI council's latest guidance also makes important recommendations with regard to PCI compliance in cloud environments. It spells out the extent to which enterprises are responsible for ensuring compliance and the extent to which cloud vendors are responding for ensuring the right controls are in place.
The document notes that companies which choose to have their PCI workloads hosted on multi-tenant, public cloud infrastructures need to ensure that their cloud vendors have additional controls for protecting their data.
Those challenges involved in protecting PCI data in a multi-tenant environment, "may make it impossible for some cloud-based services to operate in a PCI DSS compliant manner," the document noted. "Consequently, the burden for providing proof of PCI DSS compliance for a cloud-based service falls heavily on the cloud provider, and such proof should be accepted only based on rigorous evidence of adequate controls."
- 15 Non-Certified IT Skills Growing in Demand
- How 19 Tech Titans Target Healthcare
- Twitter Suffering From Growing Pains (and Facebook Comparisons)
- Agile Comes to Data Integration
- Slideshow: 7 security mistakes people make with their mobile device
- iOS vs. Android: Which is more secure?
- 11 sure signs you've been hacked
- Mobile Policy Checklist Here's what to consider when putting together a mobile policy designed to support a highly productive workforce.
- Securing BYOD Mobile computing is becoming so ubiquitous that people no longer bat an eye seeing someone working two devices simultaneously. Individuals and organizations are...
- Gartner Report: A Guide to Gartner's Enterprise Mobile Security Self-Assessment Gartner introduces a model and a Toolkit intended to help mobility and security IT leaders assess their enterprise mobility programs from a security...
- Gartner Report: Containing Mobile Security Risks With the 80/20 Rule IT planners can deliver better mobile protection with higher user satisfaction by segmenting users into risk groups before committing to specific management or...
- Live Webcast On-demand webinar: "Mobility Mayhem: Balancing BYOD with Enterprise Security" Check out this on-demand webinar to hear Sophos senior security expert John Shier deep dive into how BYOD impacts your enterprise security strategy...
- Live Webcast Endpoint Backup & Restore: Protect Everyone, Everywhere Arek Sokol from the bleeding-edge IT team at Genentech/Roche explains how he leverages cross-platform enterprise endpoint backup in the public cloud as part...
- Streamline Software Asset Management, Compose a software Management Symphony Keeping track of your organization's software is easy with effective software management solutions from CDW. View the videos in our software solutions channel
- Druva inSync: Endpoint Data Protection & Governance CLICK HERE to watch this video about protecting corporate data on laptops and mobile devices, sponsored by Druva. All Security White Papers | Webcasts