PCI-Compliant Cloud Reference Architecture
Payment Card Industry (PCI) Data Security Standard (DSS) defines a set of requirements to protect payment cardholder data, and the environments in which cardholder data is stored, processed, or transmitted. These requirements apply to all “system components”, with a system component defined as any network component, server, or application that is included in or connected to the Cardholder Data Environment (CDE). The challenge with the Data Security Standard (DSS) is that technology is constantly evolving and security and audit capabilities are built in after the initial foundation has been established.
In particular virtualized and cloud environments have some unique challenges, which include adequate segmentation, storage of cardholder data, access control, logging and alerting across all management activities, and use of the base platform layer (i.e. the hypervisor). PCI DSS Version 1.2.1 (the current effective standard) does not provide specific guidance to address the risks directly associated with virtual machines and cloud computing. It only empowers the PCI Qualified Security Assessors (QSAs) and vendors to work collaboratively to create a compliance approach to specific emerging technologies.
DSS will evolve to address technology and threat innovations, but likely will continue to remain vendor agnostic. This document is provided to give merchants, service providers, and assessors a basic framework and a practical implementation for building a PCI-compliant cloud. This document will evolve as DSS is updated, Special Interest Group (SIG) papers are published, and the PCI Security Standards Council Technical Working Group formally provides guidance on virtualization and cloud technologies.
Continue reading to learn more about how you can have a PCI-Compliant cloud reference architecture.