The PCI SSC has a special interest group (SIG) around virtualization security. What will its ultimate goal be, and what are some of the issues the group will be looking at?
Just to take one step back, we have a wireless special interest group that has submitted a new wireless implementation guide. It's a phenomenal document and I can't wait to put this in the marketplace. It provides a guide for any merchant that either has wireless in their environment and is making changes, or is implementing wireless. It's a robust guide, and we hope to see the same from the virtualization SIG.
I would assume the [virtualization group] will be tackling issues such as the chain of custody and the rules and responsibilities within a virtualized server. They'll probably discuss cloud computing. They'll probably discuss virtual local area networks (VLANs) and whether or not virtual segmentation in a network is appropriate segmentation. It's similar to another SIG we launched last month on scoping. So there may be some overlap when it comes to virtualization. Is the SIG on scoping related to just virtualization issues or all network segmentation issues?
It's going to include all scoping issues. This is going to be determined by the merchants and participating organizations and how they want to cover the topic. They have a very broad interest in different aspects of segmentation and reducing a PCI assessment.
If someone walks up to you and says they're doing cloud computing, is there anything in the standards as they are right now that you can point them to for guidance?
It's a tough question. We have an emerging technologies request for proposal (RFP) that will explore some of these issues, and we're going to see how virtualization applies. We try to stay technology agnostic, but we recognize that there are times when you have to call out certain types.
We do have certain requirements that are a challenge. I think the one that most folks look to is 'one primary function per server' and whether or not virtualization creates enough separation within those operating systems to have that one function per server. That's a challenge for a lot of organizations. We're seeing some new work with hypervisors being able to hop from one operating system to another and whether or not antivirus at that level is appropriate. There are a lot of challenges with that technology, and we're hoping to have a position paper presented to us from the emerging technologies RFP by the end of the summer.
What are some of the challenges around network segmentation?
I think the first challenge many merchants face when they are segmenting is that they don't know where their cardholder data is. The discovery phase of finding cardholder information, especially if you're new to that type of discovery, can be quite a challenge. As a former chief technology officer, I can say that sometimes I didn't know if a marketing team somehow collected information or a business group collected information unbeknownst to system administrators and database administrators. We're getting there. Many organizations are now very cognizant of security and that it needs to be an ongoing practice, not just a once a year validation. The PIN Entry Device (PED) Security Program is expanding to include UPTs and HSMs. What are these two new standards?
The PED standard is now plural, and we have multiple standards for those devices that actually record PIN transactions. The part of the program related to unattended payment terminals (UPT) focuses on additional security requirements for those types of devices, like fuel pumps and movie ticket kiosks. These are transactions that are done without a cashier, and we recognize that there are additional physical and logical security controls that need to be in place for those types of devices.
In addition, the hardware security module (HSM) is within the device itself. It manages how that PIN is being handled by the device. For example, it encrypts the PIN from the point that it is taken from the device onto the processor and onto the acquiring bank. If I'm a merchant and I already have some of these devices installed, what happens to these devices?
These requirements are going to be similar to the PED requirements, in that it will be the responsibility of the manufacturer of those devices to go through and become validated against these requirements. Many of these manufacturers are very aware of these standards. They've helped to vet the requirements themselves. So we anticipate that many of these manufacturers will have the products go through the process with the laboratories real soon.