Cloud, virtualization servers pose challenges for PCI compliance

By Robert Westervelt, News Editor
21 Apr 2009 | SearchSecurity.com


Troy Leach, technical director for the Payment Card Industry Security Standards Council, recognizes a gap in the standard when it comes to addressing the security of payment card data in cloud computing and virtualized environments. In an interview Monday with SearchSecurity.com at the 2009 RSA Conference, Leach said he hopes a newly formed special interest group and an emerging technologies study will recommend ways the standard can address securing payment data in the cloud. The council needs a better understanding of the rules and responsibilities within a virtualized server, and of whether virtual segmentation in a network is appropriate segmentation, Leach said. In addition, the PCI SSC announced an expansion of its PIN Entry Device (PED) Security Requirements to address unattended payment terminals and hardware security modules. Those devices will now undergo thorough security testing, Leach said.

The PCI SSC has a special interest group (SIG) around virtualization security. What will its ultimate goal be, and what are some of the issues the group will be looking at?
Troy Leach: Just to take one step back, we have a wireless special interest group that has submitted a new wireless implementation guide. It's a phenomenal document and I can't wait to put this in the marketplace. It provides a guide for any merchant that either has wireless in their environment and is making changes, or is implementing wireless. It's a robust guide, and we hope to see the same from the virtualization SIG.

I would assume the [virtualization group] will be tackling issues such as the chain of custody and the rules and responsibilities within a virtualized server. They'll probably discuss cloud computing. They'll probably discuss virtual local area networks (VLANs) and whether or not virtual segmentation in a network is appropriate segmentation. It's similar to another SIG we launched last month on scoping. So there may be some overlap when it comes to virtualization.

Is the SIG on scoping related to just virtualization issues or all network segmentation issues?
Leach: It's going to include all scoping issues. This is going to be determined by the merchants and participating organizations and how they want to cover the topic. They have a very broad interest in different aspects of segmentation and reducing a PCI assessment.

If someone walks up to you and says they're doing cloud computing, is there anything in the standards as they are right now that you can point them to for guidance?

Leach: It's a tough question. We have an emerging technologies request for proposal (RFP) that will explore some of these issues, and we're going to see how virtualization applies. We try to stay technology agnostic, but we recognize that there are times when you have to call out certain types.

We do have certain requirements that are a challenge. I think the one that most folks look to is 'one primary function per server' and whether or not virtualization creates enough separation within those operating systems to have that one function per server. That's a challenge for a lot of organizations. We're seeing some new work with hypervisors being able to hop from one operating system to another and whether or not antivirus at that level is appropriate. There are a lot of challenges with that technology, and we're hoping to have a position paper presented to us from the emerging technologies RFP by the end of the summer.

What are some of the challenges around network segmentation?

Leach: I think the first challenge many merchants face when they are segmenting is that they don't know where their cardholder data is. The discovery phase of finding cardholder information, especially if you're new to that type of discovery, can be quite a challenge. As a former chief technology officer, I can say that sometimes I didn't know if a marketing team somehow collected information or a business group collected information unbeknownst to system administrators and database administrators. We're getting there. Many organizations are now very cognizant of security and that it needs to be an ongoing practice, not just a once-a-year validation.
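The discovery step Leach describes is something a practitioner can automate before scoping a segmentation project. The following is an added example, not code from the original interview or from the PCI SSC: a small scanner that pulls candidate card numbers out of free text (logs, database dumps, file shares), keeps only those that pass the Luhn check and carry a known brand prefix, and masks them so the report itself does not become cardholder data. The log lines and all names are constructed for the example; the card numbers are the brands' published test PANs, not real accounts.

```python
"""Cardholder-data discovery: find likely PANs in logs, dumps or files.

Added example for the discovery step described above. Sample data is
constructed; the card numbers are published test PANs, not real accounts.
"""
import re
from typing import List, NamedTuple, Optional


class Hit(NamedTuple):
    line_no: int      # 1-based line in the scanned text
    brand: str        # "visa", "mastercard", "amex", "discover" or "unknown"
    masked: str       # first six + last four only, so the report is itself PCI-safe


# 13-19 digits, optionally separated by single spaces or hyphens, and not
# embedded in a longer digit run (keeps timestamps and long ids out).
CANDIDATE_RE = re.compile(r"(?<![0-9])(?:[0-9][ -]?){12,18}[0-9](?![0-9])")


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check used by all major card brands."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                      # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2   # 2d, with digit sum folded in
        total += d
    return total % 10 == 0


def brand_of(digits: str) -> Optional[str]:
    """Public IIN prefixes and lengths for the major brands; None if no match."""
    n = len(digits)
    two, four = int(digits[:2]), int(digits[:4])
    if digits[0] == "4" and n in (13, 16, 19):
        return "visa"
    if n == 16 and (51 <= two <= 55 or 2221 <= four <= 2720):
        return "mastercard"
    if n == 15 and two in (34, 37):
        return "amex"
    if n == 16 and (four == 6011 or two == 65):
        return "discover"
    return None


def mask_pan(digits: str) -> str:
    """Display masking as PCI DSS permits: at most first six and last four digits."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def find_pans(text: str, require_brand: bool = True) -> List[Hit]:
    """Return Luhn-valid PAN candidates, line by line, masked for reporting.

    require_brand=True also demands a known IIN prefix, which removes the
    Luhn-valid-by-chance false positives (about 1 in 10 random digit runs).
    """
    hits: List[Hit] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for m in CANDIDATE_RE.finditer(line):
            digits = re.sub(r"[ -]", "", m.group(0))
            if not luhn_ok(digits):
                continue
            brand = brand_of(digits)
            if brand is None and require_brand:
                continue
            hits.append(Hit(line_no, brand or "unknown", mask_pan(digits)))
    return hits


# Constructed sample log. Line 1 holds a 16-digit order id that fails Luhn;
# line 4 holds a phone number and a Luhn-valid run with no known brand prefix.
SAMPLE_LOG = """\
2009-04-21 10:02:13 order=1234567890123456 status=ok
2009-04-21 10:02:14 POST /checkout card=4111111111111111 exp=11/12
2009-04-21 10:02:15 form debug: cc='5555 5555 5555 4444' cvv=***
2009-04-21 10:02:16 phone=415-555-0100 ref=9999999999999995
2009-04-21 10:02:17 amex=378282246310005 disc=6011-1111-1111-1117
"""

if __name__ == "__main__":
    for hit in find_pans(SAMPLE_LOG):
        print(f"line {hit.line_no:>3}  {hit.brand:<10}  {hit.masked}")
```

Run against the sample it reports four hits (Visa on line 2, Mastercard on line 3, Amex and Discover on line 5) and drops both decoys on lines 1 and 4. The separator handling matters in practice: web form debug output and spreadsheet exports often carry PANs as four-digit groups, and a scanner that only looks for unbroken digit runs will miss exactly the copies that business groups collect without telling the database administrators. Setting require_brand=False widens the net at the cost of more manual review.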

The PIN Entry Device (PED) Security Program is expanding to include UPTs and HSMs. What are these two new standards?
Leach: The PED standard is now plural, and we have multiple standards for those devices that actually record PIN transactions. The part of the program related to unattended payment terminals (UPT) focuses on additional security requirements for those types of devices, like fuel pumps and movie ticket kiosks. These are transactions that are done without a cashier, and we recognize that there are additional physical and logical security controls that need to be in place for those types of devices.

In addition, the hardware security module (HSM) is within the device itself. It manages how that PIN is being handled by the device. For example, it encrypts the PIN from the point that it is taken from the device onto the processor and onto the acquiring bank.

If I'm a merchant and I already have some of these devices installed, what happens to these devices?
Leach: These requirements are going to be similar to the PED requirements, in that it will be the responsibility of the manufacturer of those devices to go through and become validated against these requirements. Many of these manufacturers are very aware of these standards. They've helped to vet the requirements themselves. So we anticipate that many of these manufacturers will have the products go through the process with the laboratories real soon.

