PCI DSS Compliance in the Cloud – A Primer on New Guidelines
CrossViewBlog
The PCI Security Standards Council’s Virtualization Special Interest Group recently published its “Information Supplement: PCI DSS Virtualization Guidelines” (the “Guidelines”) to Version 2.0 of the PCI Data Security Standard (“PCI DSS”). The Guidelines provide context for the application of the PCI DSS to cloud and other virtual environments, and offer at least three critical reminders:
Although the application of the PCI DSS to cloud and other virtual environments is not controversial, the Guidelines make clear that unquestioning reliance on a vendor’s assertion that it is PCI compliant may be inadequate and risky. Of course, failure to comply with the PCI DSS not only increases the risks to sensitive customer payment card data, but may also jeopardize a merchant’s ability to process credit card transactions.
Speaking the same language
The Guidelines include high-level vocabulary and technical advice, cataloging common components of virtualized environments and identifying those that are likely to be “in scope” for purposes of the PCI DSS. The Guidelines also identify key risks unique to virtual and cloud environments. For example, the consolidation of resources inherent in all virtual environments increases the damage that may be caused by a single point of failure, such as the