06-15-11 | Blog Post
A new set of guidelines and recommendations have been released by the Payment Card Industry Security Standards Council (PCI SSC) regarding PCI compliance within a virtual data hosting environment, including cloud computing. While the latest version of the PCI standard was updated in October 2010, the guidelines refer mainly to physical hosting environments.
The council emphasizes that there is no one-size-fits-all method or solution to configure virtualized environments to meet PCI DSS requirements, and that different configurations must be customized depending on environment, use and implementation.
The guidelines also detail possible risks for hosting within a virtual environment, including the increased complexity of virtualized systems and networks. Other risks include possible immaturity of monitoring solutions and information leakage between virtual network segments and components, thus increasing the need to host with an experienced PCI compliant hosting provider that is able to assess and eliminate all potential risks.
The PCI SSC outlines virtualization considerations for each of the already-standardized 12 PCI DSS requirements. For example, the first requirement refers to installing and maintaining a firewall configuration to protect cardholder data. Virtualization considerations include examining multiple virtual layers, including virtual firewalls and routers potentially embedded within a hypervisor, as well as possible virtual network connections existing within a host, between hosts, and so on.
The new guidelines also address PCI compliance and types of cloud computing that are rising in popularity and quickly evolving, including public, private and hybrid cloud computing. The council warns that public cloud environments are designed to be public-facing, to allow access into the environment from anywhere on the Internet, as a potential reason for inherent risk. However, this is unlike private cloud hosting which consists only of system components that are trusted and controlled by the organization, and not shared with any other customer.
The latest PCI DSS Virtualization Guidelines can be downloaded from the PCI Security Standards Council’s website.