
PCI Council Weighing Virtual and Cloud Recommendations

Ipswitch Blog | March 22 2010 | Security

As a participating organization in the PCI Security Standards Council, Ipswitch File Transfer has the opportunity to review documents and recommendations before they become public.  That is the case with the "Securing Virtual Payment Systems" document currently under review.

While I cannot provide specific details or quotes from the document at this time, it is common knowledge (after being stated at the 2008 PCI Community Meeting) that the PCI Council has been trying to get its arms around the proliferation of virtual machines and cloud resources in PCI deployments for some time.

The direction the council seems headed in is to treat not only virtual machines ("guests") but also the hypervisor software that manages all virtual machines as IN SCOPE during PCI audits. If this comes to pass, it may have the following effects on the credit card processing industry (including many Ipswitch File Transfer customers).

  • Users of Virtualization technology (including EMC VMware and Microsoft Hyper-V) may be encouraged to either segregate their PCI systems from non-PCI systems onto different physical VM platforms or bear an increased control and documentation burden on "mixed" PCI and non-PCI virtualized environments.
  • Users of Virtualization technology will need to control and document their hypervisors as tightly as they control and document their operating systems.

As an accredited security auditor, I wholeheartedly agree with treating hypervisors as in scope and encourage the PCI Council to make this the final recommendation this year.

However, in terms of the direction the PCI Council seems to be taking in the cloud space, I worry that cloud providers will not be provided the same latitude that existing third-party hosting providers are currently afforded in the later sections of PCI DSS 1.2.

While I cannot cite specific passages here, I believe that limiting the definition of a "private cloud" to equipment that must be entirely owned and controlled by an organization will unfairly exclude third-party cloud providers that would otherwise be able to demonstrate segregated processing.

But all in all, this document is an important step forward into evolving deployments for the PCI Council and I encourage all involved to complete the work to make it official.

Topics: Security
