PCI Security Council Publishes Cloud and Virtualization Guidelines
Fast-rising interest in virtualization and cloud computing has been accompanied by concerns about potential data security risks from using these IT models. Seeking to address some of these concerns, the PCI Security Standards Council has released its Virtualization Guidelines Information Supplement for retailers, merchants and others in the payment chain, providing information on the use of virtualization technology in cardholder data environments in accordance with PCI DSS (Data Security Standards).
The guidelines document was produced by the Virtualization Special Interest Group chaired by Kurt Roemer, chief security strategist at Citrix Systems, and more than 30 participating organizations and it includes:
· Explanations of the classes of virtualization often seen in payment environments including virtualized operating systems, hardware/platforms and networks
· Definition of the system components constituting these types of virtual systems and high-level PCI DSS scoping guidance for each
· Practical methods and concepts for deployment of virtualization in payment card environments
· Suggested controls and best practices for meeting PCI DSS requirements in virtual environments
· Specific recommendations for mixed-mode and cloud computing environments
· Guidance for understanding and assessing risk in virtual environments
"This information supplement provides a more detailed view into the definitions and boundaries where PCI intersects with virtualization," said Roemer. "Now merchants can identify the range of questions to ask their providers and then determine the risk mitigation options available."
More information can be found at www.pcisecuritystandards.org
The guidelines document was produced by the Virtualization Special Interest Group chaired by Kurt Roemer, chief security strategist at Citrix Systems, and more than 30 participating organizations and it includes:
· Explanations of the classes of virtualization often seen in payment environments including virtualized operating systems, hardware/platforms and networks
· Definition of the system components constituting these types of virtual systems and high-level PCI DSS scoping guidance for each
· Practical methods and concepts for deployment of virtualization in payment card environments
· Suggested controls and best practices for meeting PCI DSS requirements in virtual environments
· Specific recommendations for mixed-mode and cloud computing environments
· Guidance for understanding and assessing risk in virtual environments
"This information supplement provides a more detailed view into the definitions and boundaries where PCI intersects with virtualization," said Roemer. "Now merchants can identify the range of questions to ask their providers and then determine the risk mitigation options available."
More information can be found at www.pcisecuritystandards.org