
New PCI Compliance Guidelines Set New Standards For Cloud Security

As PCI Security Standards Council outlines specifics, cloud security providers and customers could see big changes

Jun 16, 2011 | 04:21 PM | 

By Robert Lemos, Contributing Writer

Companies unsure about the Payment Card Industry's requirement to secure data in the cloud don't need to wonder anymore.

On Tuesday, the PCI Security Standards Council clarified its guidance for storing and processing financial and transaction data in virtualized systems, a key component of almost all cloud architectures. In its "Information Supplement: PCI DSS Virtualization Guide," the group states that virtualization technology brings unique risks when used with cardholder data, and that data which goes into the cloud is still subject to the PCI Data Security Standard.

"I would say one of the biggest changes here is [that the new guidelines] make much more explicit what was speculated on before," says Richard Park, senior product manager at network security vendor Sourcefire. "Before, auditors were not really sure how PCI standards applied, but now there is much more clarity."

In the guidelines, the PCI Security Standards Council states that any virtual machine that handles, stores, or transmits cardholder data must be governed by the PCI DSS. In addition, the standards apply to the foundational software programs, known as hypervisors, that manage virtual instances. Companies should recognize that hypervisors create a new attack surface that must be minimized, the guidelines state. Other virtualized components are similarly covered by PCI DSS.

The new rules put a stake in the ground, asserting that PCI DSS applies to any virtualized environment that handles payment data. But they also concede that there is no way to cover all of the possible infrastructure combinations. Instead, cloud providers must provide documentation on their infrastructures and whether they comply with PCI DSS, says Gretchen Hellman, vice president of product management for enterprise encryption vendor Vormetric.

"In public clouds, from the provider side, what this means is that if they want to do business with PCI-covered entities and handle credit card numbers, they will have to have a lot of information prepared," says Hellman. "This new guidance does say that it is the cloud providers' responsibility to demonstrate how they are PCI-compliant, which requirements have been reviewed ... and by whom. And then it is up to the consumer or the business that is leveraging the cloud service to make sure that the other components of PCI are addressed."

The security responsibilities of cloud providers have become a point of confusion, both among the providers and among their customers. In a report recently released by the Ponemon Institute and funded by CA Technologies, more than two-thirds of cloud providers put the responsibility to secure data on the shoulders of the customer. Yet only one-third of customers believed it was their job to secure the data.

"There are definitely disconnects, and I would say that's because we are so early in the maturity of cloud security, in general," says Sourcefire's Park. "Only after we have seen more and more of these compromises will cloud security become more of a priority. I think we will see more and more cloud customers needing greater accountability over their cloud vendors."

The guidelines recognize that cloud environments are amorphous. Virtual servers can be created as needed and then destroyed, the guidelines note. In the past, PCI DSS required that each server be audited -- or some fraction of servers be sampled -- in order to achieve compliance. This is a more difficult task in the cloud, says Tom McAndrew, vice president of professional services for IT audit and compliance firm Coalfire Systems.

"The cloud environment is supposed to be elastic -- you can have five servers now and 10 servers three seconds later. That is not something that we have had historically," McAndrew says. "It used to be that we could walk into a data center and count the number of servers and say what is in scope. Now we can't do that."

The guidelines will become more important as retailers and other companies that allow credit card payments use cloud providers to remove the cardholder data from their own premises, experts say. Those cloud providers will become more of a target, which will mean that they have to take special measures to protect data, says Ruth Xovox, chief compliance officer for ExoIS, a PCI-compliant cloud provider.

"When you look at the majority of the big breaches, there have been really fundamental controls that were not in place," says Xovox. "It's always the same ones -- lack of management of your vendors, unencrypted wireless, this mis-scoping of systems that touch cardholder data -- the unknown unknowns, if you will."

The new guidelines will likely make it a priority for companies to either export cardholder data -- and the associated risk -- to the cloud, or better identify the risk in their own virtualized systems, Xovox says.
