Beginning in January 2012 the folks who manage the Payment Card Industry Data Security Standard (PCI DSS) are going to formally recognize the existence of virtual servers as a legitimate option for the processing of payment card data.
That’s not to say IT organizations have not been using virtual servers to process this data for some time now. But the language of the PCI DSS 2.0 specification that goes into effect next month makes it clear that virtual servers are allowed. Prior to that, a particularly persnickety auditor could have claimed anyone using a virtual server was outside the scope of the specification, which may have dissuaded some IT organizations from putting credit card data anywhere near virtual machine software.
Of course, while the perception is that virtual machines are more secure than a traditional physical server, the reality is that any type of shared infrastructure should raise some security concerns. There is a lot of nuance that goes into managing security in a virtual environment that most IT organizations don’t appreciate, especially when it comes to segmenting application workloads and deciding who should have access to exactly what. In fact, to help IT organizations sort that out, Trend Micro, HyTrust and a few of their vendor partners recently came up with a reference architecture for processing credit card data securely in a virtual server environment.
Once you get past virtualization, however, the next logical question should be whether it’s all right to process credit card data in the cloud. It turns out there is a lot of nuance on that point as well. For example, does the cloud service provider store all the data in its own data centers, or does it get outsourced somewhere else? More importantly, can the customer see the system logs to determine whether the cloud service is in compliance with the PCI DSS 2.0 specification at any given time? Not surprisingly to many IT organizations, the number of cloud service providers that provide visibility into their log management processes is not all that high, and almost none of them are the perceived leaders in the cloud computing field.
These days just about anything to do with PCI DSS compliance is painful, so finding somebody else to manage this process is by far the better part of valor for most IT organizations. The challenge, of course, is finding somebody who actually does it in a way that won’t get your organization in hot water for, first, not following the rules and, second, your failure to demand real visibility into their cloud.