The Cloud and PCI

Version 2.0 of the PCI Data Security Standard addresses Cloud Computing, particularly virtualization, more effectively than previous versions. This is most important for IaaS implementations. There is also a PCI Special Interest Group that is generating best practices for Virtualization so that organizations will have an easier time adopting Cloud platforms.

While this group will not be making changes to the standard itself, they are creating clarification documents that describe how to properly protect and segment virtual machines so that they will adhere to the existing PCI standard. To download the standard and other related virtualization documentation, visit www.pcisecuritystandards.org.

It is important to note that several requirements in the PCI Data Security Standard apply directly to Cloud Computing solutions (exactly which requirements apply will vary based on the type of Cloud implementation). The following is a list of the requirements that are particularly relevant in a Cloud Computing environment:

1.1.2 Current network diagram with all connections to cardholder data, including any wireless networks – As certain parts of your processing are outsourced, it becomes more crucial to document the flow of cardholder data and verify the security associated with the third party Cloud solutions in place. Relying on a Service Level Agreement (SLA) is not sufficient for validation purposes.

2.2.1 Implement only one primary function per server to prevent functions that require different security levels from co-existing on the same server. (For example, web servers, database servers, and DNS should be implemented on separate servers.) Note: Where virtualization technologies are in use, implement only one primary function per virtual system component. – Using virtual technology means by definition that one physical server will be performing the function of multiple virtual servers.

In any event, the standard demands that each virtual server be treated as a separate entity when it comes to which services it performs. This is the same separation that is demanded in non-virtualized environments. The point of this requirement is to minimize the cross-contamination of malware and rogue software by keeping services separate (either virtually or physically).

2.4 Shared hosting providers must protect each entity's hosted environment and cardholder data. These providers must meet specific requirements – Most Cloud Computing implementations will have a shared hosting provider. That provider must go through its own security evaluation, and it must provide the results to its clients. The documentation for this requirement appears later in the list.


8.3 Incorporate two-factor authentication for remote access (network-level access originating from outside the network) to the network by employees, administrators, and third parties. (For example, remote authentication and dial-in service (RADIUS) with tokens; terminal access controller access control system (TACACS) with tokens; or other technologies that facilitate two-factor authentication.) Note: Two-factor authentication requires that two of the three authentication methods (see Req. 8.2 for descriptions of authentication methods) be used for authentication. Using one factor twice (for example, using two separate passwords) is not considered two-factor authentication. – Since many Cloud Computing implementations incorporate remote communication, validating user access becomes a critical component from a security standpoint.


8.5 (8.5.1-16) Ensure proper user identification and authentication management for non-consumer users and administrators on all system components – Since the Cloud is in most cases controlled by a third party, ensuring that the proper systems are in place can be a challenge. A collaborative effort must be made to ensure that the security is adequate, because the third party is responsible to the restaurant group, not the end user. No one can alleviate the restaurant's responsibility to the end user, so proper due diligence is required to validate the environment where cardholder data is transmitted or stored.

9.1-9.4 Use appropriate facility entry controls to limit and monitor physical access to systems in the cardholder data environment – Depending on what services are on the Cloud, it might be crucial to examine the physical protection of the systems as well. In Cloud Computing, the exact location of the data or exact path of the data may vary because of the nature of redundancy or server farms, so these particular requirements are more complicated than they might otherwise be. That does not eliminate the need for the examination. It only emphasizes why this set of requirements can be so challenging in the cloud.

12.8 (12.8.1-4) If cardholder data is shared with service providers, maintain and implement policies and procedures to manage service providers – Documenting how the service provider maintains the confidentiality of sensitive data and guarantees that confidentiality is crucial when dealing with Cloud Computing. Part of these requirements includes having a contract with every service provider such that they agree to maintain internal processes that are PCI compliant.

This list does not claim that other components of PCI are not critical in a Cloud environment. Quite the contrary: every merchant who processes credit cards must comply with every relevant component of the PCI Data Security Standard at all times. The purpose of this list is merely to point out that some of the requirements actually become more challenging with Cloud Computing, and they should be considered before implementing a solution.


Thanks to VendorSafe

About this Entry

This page contains a single entry by Staff published on December 21, 2010 4:06 PM.