Cloud, virtualization servers pose challenges for PCI compliance

Troy Leach, technical director for the Payment Card Industry Security Standards Council, recognizes a gap in the standard when it comes to addressing the security of payment card data in cloud computing and virtualized environments. In an interview Monday with SearchSecurity.com at the 2009 RSA Conference, Leach said he hopes a newly formed special interest group and an emerging technologies study will recommend ways the standard can address securing payment data in the cloud. The council needs a better understanding of the rules and responsibilities within a virtualized server and whether or not virtual segmentation in a network is appropriate segmentation, Leach said. In addition, the PCI SSC announced an expansion of its PIN Entry Device (PED) Security Requirements to address unattended payment terminals and hardware security modules. Those devices will now undergo thorough security testing, Leach said.

The PCI SSC has a special interest group (SIG) around virtualization security. What will its ultimate goal be, and what are some of the issues the group will be looking at?
Just to take one step back, we have a wireless special interest group that has submitted a new wireless implementation guide. It's a phenomenal document and I can't wait to put this in the marketplace. It provides a guide for any merchant that either has wireless in their environment and is making changes, or is implementing wireless. It's a robust guide, and we hope to see the same from the virtualization SIG.

I would assume the [virtualization group] will be tackling issues such as the chain of custody and the rules and responsibilities within a virtualized server. They'll probably discuss cloud computing. They'll probably discuss virtual local area networks (VLANs) and whether or not virtual segmentation in a network is appropriate segmentation. It's similar to another SIG we launched last month on scoping. So there may be some overlap when it comes to virtualization.

Is the SIG on scoping related to just virtualization issues or all network segmentation issues?
It's going to include all scoping issues. This is going to be determined by the merchants and participating organizations and how they want to cover the topic. They have a very broad interest in different aspects of segmentation and reducing a PCI assessment.

If someone walks up to you and says they're doing cloud computing, is there anything in the standards as they are right now that you can point them to for guidance?
It's a tough question. We have an emerging technologies request for proposal (RFP) that will explore some of these issues, and we're going to see how virtualization applies. We try to stay technology agnostic, but we recognize that there are times when you have to call out certain types.

We do have certain requirements that are a challenge. I think the one that most folks look to is 'one primary function per server' and whether or not virtualization creates enough separation within those operating systems to have that one function per server. That's a challenge for a lot of organizations. We're seeing some new work with hypervisors being able to hop from one operating system to another and whether or not antivirus at that level is appropriate. There are a lot of challenges with that technology, and we're hoping to have a position paper presented to us from the emerging technologies RFP by the end of the summer.


What are some of the challenges around network segmentation?
I think the first challenge many merchants face when they are segmenting is that they don't know where their cardholder data is. The discovery phase of finding cardholder information, especially if you're new to that type of discovery, can be quite a challenge. As a former chief technology officer, I can say that sometimes I didn't know if a marketing team somehow collected information or a business group collected information unbeknownst to system administrators and database administrators. We're getting there. Many organizations are now very cognizant of security and that it needs to be an ongoing practice, not just a once-a-year validation.

The PIN Entry Device (PED) Security Program is expanding to include UPTs and HSMs. What are these two new standards?
The PED standard is now plural, and we have multiple standards for those devices that actually record PIN transactions. The part of the program related to unattended payment terminals (UPT) focuses on additional security requirements for those types of devices, like fuel pumps and movie ticket kiosks. These are transactions that are done without a cashier, and we recognize that there are additional physical and logical security controls that need to be in place for those types of devices.

In addition, the hardware security module (HSM) is within the device itself. It manages how that PIN is being handled by the device. For example, it encrypts the PIN from the point that it is taken from the device onto the processor and onto the acquiring bank.

If I'm a merchant and I already have some of these devices installed, what happens to these devices?
These requirements are going to be similar to the PED requirements, in that it will be the responsibility of the manufacturer of those devices to go through and become validated against these requirements. Many of these manufacturers are very aware of these standards. They've helped to vet the requirements themselves. So we anticipate that many of these manufacturers will have the products go through the process with the laboratories real soon.
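Leach's point that segmentation starts with discovery, because merchants often don't know where cardholder data is, is the kind of thing a practitioner usually checks with a scanner rather than a questionnaire. The script below is an added example written for this page, not code from the PCI SSC or from SearchSecurity: it scans text (log files, exports, dumps) for candidate primary account numbers, discards candidates that fail the Luhn check, keeps only those with a recognizable issuer prefix, and reports them masked to the first six and last four digits. The issuer prefix ranges are an illustrative subset, not an authoritative IIN table, and the sample lines are constructed for the demo.

```python
import re
from collections import namedtuple

# Candidate PAN: 13 to 19 digits, optionally separated by single spaces or
# dashes, not embedded in a longer run of digits (so a 20-digit session id
# is not chopped into a "card number").
CANDIDATE_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

Hit = namedtuple("Hit", "line issuer masked")


def luhn_ok(digits):
    """Luhn mod-10 check over a string of ASCII digits."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def issuer_of(pan):
    """Illustrative issuer prefix/length rules (assumed subset, not a full IIN table)."""
    two, four = int(pan[:2]), int(pan[:4])
    if pan.startswith("4") and len(pan) in (13, 16, 19):
        return "visa"
    if (51 <= two <= 55 or 2221 <= four <= 2720) and len(pan) == 16:
        return "mastercard"
    if two in (34, 37) and len(pan) == 15:
        return "amex"
    if (pan.startswith("6011") or two == 65) and len(pan) == 16:
        return "discover"
    return None


def mask(pan):
    """Keep first six and last four digits; never write the full PAN to a report."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def find_pans(text):
    """Return a list of Hit(line, issuer, masked) for every validated PAN in text."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for m in CANDIDATE_RE.finditer(line):
            pan = re.sub(r"[ -]", "", m.group())
            if not luhn_ok(pan):
                continue                   # order ids, timestamps, random digit runs
            issuer = issuer_of(pan)
            if issuer is None:
                continue                   # Luhn-valid but no known issuer prefix
            hits.append(Hit(lineno, issuer, mask(pan)))
    return hits


# Constructed sample: one clean line, a marketing export, a legacy database
# dump, a callback log with a phone number, and a long session id.
SAMPLE = """\
2009-04-20 10:01:02 web01 order_id=1234567890123456 status=ok
2009-04-20 10:01:05 web01 marketing_export name=A.Smith card=4111 1111 1111 1111
2009-04-20 10:02:11 db01 legacy_dump pan=378282246310005 exp=0311
2009-04-20 10:03:40 app02 callback phone=555-123-4567 ref=5555-5555-5555-4444
2009-04-20 10:04:00 app02 session id=98765432109876543210
"""

if __name__ == "__main__":
    for h in find_pans(SAMPLE):
        print(f"line {h.line}: {h.issuer} {h.masked}")
```

Run against the constructed sample, the scanner reports the Visa number in the marketing export, the Amex number in the legacy dump and the Mastercard reference in the callback log, and stays quiet on the order id (fails Luhn), the phone number (too short) and the 20-digit session id (too long). In practice you would point it at file shares, database exports and log directories the asset inventory says contain no cardholder data, because those are exactly the places Leach describes business groups collecting it unbeknownst to the administrators.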
