Ipswitch Blog

PCI Council Weighing Virtual and Cloud Recommendations

| March 22, 2010 | Cloud Computing, Compliance, Secure File Transfer

As a participating organization in the PCI Security Standards Council, Ipswitch File Transfer has the opportunity to review documents and recommendations before they become public. That is the case with the “Securing Virtual Payment Systems” document currently under review.

While I cannot provide specific details or quotes from the document at this time, it is common knowledge (after being stated at the 2008 PCI Community Meeting) that the PCI Council has been trying to get its arms around the proliferation of virtual machines and cloud resources in PCI deployments for some time.

The direction the council seems headed in is to treat not only virtual machines (“guests”) but also the hypervisor software that manages all virtual machines as IN SCOPE during PCI audits. If this comes to pass, it may have the following effects on the credit card processing industry (including many Ipswitch File Transfer customers).

  • Users of virtualization technology (including EMC VMware and Microsoft Hyper-V) may be encouraged either to segregate their PCI systems from non-PCI systems onto different physical VM platforms, or to bear an increased control and documentation burden on “mixed” PCI and non-PCI virtualized environments.
  • Users of virtualization technology will need to control and document their hypervisors as tightly as they control and document their operating systems.

As an accredited security auditor, I wholeheartedly agree with treating hypervisors as in scope and encourage the PCI Council to make this the final recommendation this year.

However, in terms of the direction the PCI Council seems to be taking in the cloud space, I worry that cloud providers will not be provided the same latitude that existing third-party hosting providers are currently afforded in the later sections of PCI DSS 1.2.

While I cannot cite specific passages here, I believe that limiting the definition of a “private cloud” to equipment that must be entirely owned and controlled by an organization will unfairly exclude third-party cloud providers that would otherwise be able to demonstrate segregated processing.

But all in all, this document is an important step forward in addressing evolving deployments for the PCI Council, and I encourage all involved to complete the work to make it official.


This post was written by Ipswitch Blog
