The PCI SSC has a special interest group (SIG) around virtualization security. What will its
ultimate goal be, and what are some of the issues the group will be looking at?
Just to take one step back, we have a wireless special interest group that has submitted a new
wireless implementation guide. It's a phenomenal document and I can't wait to put this in the
marketplace. It provides a guide for any merchant that either has wireless in their environment and
is making changes, or is implementing wireless. It's a robust guide, and we hope to see the same
from the virtualization SIG.
I would assume the [virtualization group] will be tackling issues such as the chain of custody
and the rules and responsibilities within a virtualized server. They'll probably discuss cloud
computing. They'll probably discuss virtual local area networks (VLANs) and whether or not
virtual segmentation in a network is appropriate segmentation. It's similar to another SIG we
launched last month on scoping.
So there may be some overlap when it comes to virtualization. Is the SIG on scoping related to
just virtualization issues or all network segmentation issues?
It's going to include all scoping issues. This is going to be determined by the merchants and
participating organizations and how they want to cover the topic. They have a very broad interest
in different aspects of segmentation and reducing a PCI assessment.
If someone walks up to you and says they're doing cloud
computing, is there anything in the standards as they are right now that you can point them to for
guidance?
It's a tough question. We have an emerging technologies request for proposal (RFP) that will
explore some of these issues, and we're going to see how virtualization applies. We try to stay
technology agnostic, but we recognize that there are times when you have to call out certain
types.
We do have certain requirements that are a challenge. I think the one that most folks look to is 'one primary function per server' and whether or not virtualization creates enough separation within those operating systems to have that one function per server. That's a challenge for a lot of organizations. We're seeing some new work with hypervisors being able to hop from one operating system to another and whether or not antivirus at that level is appropriate. There are a lot of challenges with that technology, and we're hoping to have a position paper presented to us from the emerging technologies RFP by the end of the summer.
What are some of the challenges around network
segmentation?
I think the first challenge many merchants face when they are segmenting is that they don't know
where their cardholder data is. The discovery phase of finding cardholder information, especially
if you're new to that type of discovery, can be quite a challenge. As a former chief technology
officer, I can say that sometimes I didn't know if a marketing team somehow collected information
or a business group collected information unbeknownst to system administrators and database
administrators. We're getting there. Many organizations are now very cognizant of security and that
it needs to be an ongoing practice, not just a once-a-year validation.
The PIN Entry Device (PED) Security Program is expanding to include UPTs and HSMs. What are these
two new standards?
The PED standard is now plural, and we have multiple standards for those devices that actually
record PIN transactions. The part of the program related to unattended payment terminals (UPT)
focuses on additional security requirements for those types of devices, like fuel pumps and movie
ticket kiosks. These are transactions that are done without a cashier, and we recognize that there
are additional physical and logical security controls that need to be in place for those types of
devices.
In addition, the hardware security module (HSM) is within the device itself. It manages how that
PIN is being handled by the device. For example, it encrypts the PIN from the point that it is
taken from the device onto the processor and onto the acquiring bank.
If I'm a merchant and I already have some of these devices installed, what happens to these
devices?
These requirements are going to be similar to the PED requirements, in that it will be the
responsibility of the manufacturer of those devices to go through and become validated against
these requirements. Many of these manufacturers are very aware of these standards. They've helped
to vet the requirements themselves. So we anticipate that many of these manufacturers will have the
products go through the process with the laboratories real soon.