PCI-Compliant Cloud Reference Architecture

The Payment Card Industry (PCI) Data Security Standard (DSS) defines a set of requirements to protect payment cardholder data and the environments in which cardholder data is stored, processed, or transmitted. These requirements apply to all "system components", where a system component is any network component, server, or application that is included in or connected to the Cardholder Data Environment (CDE). The challenge with the Data Security Standard (DSS) is that technology evolves constantly, while security and audit capabilities are often built in only after the initial foundation has been established.

Virtualized and cloud environments in particular present unique challenges, including adequate segmentation, storage of cardholder data, access control, logging and alerting across all management activities, and use of the base platform layer (i.e. the hypervisor). PCI DSS Version 1.2.1 (the current effective standard) does not provide specific guidance on the risks directly associated with virtual machines and cloud computing. Instead, it leaves PCI Qualified Security Assessors (QSAs) and vendors to work collaboratively on a compliance approach for specific emerging technologies.

The DSS will evolve to address technology and threat innovations, but it will likely remain vendor-agnostic. This document gives merchants, service providers, and assessors a basic framework and a practical implementation for building a PCI-compliant cloud. It will evolve as the DSS is updated, as Special Interest Group (SIG) papers are published, and as the PCI Security Standards Council Technical Working Group formally provides guidance on virtualization and cloud technologies.

Continue reading to learn more about how you can have a PCI-Compliant cloud reference architecture.

22 Mar 2011
19 Page(s)
White Paper