Security in the cloud, especially relating to credit card transactions online, is one of the biggest concerns facing cloud computing in general and the future of virtualization software specifically.
Over the last several months, UK merchants have been slowly moving towards complying with the new standard guidelines encompassed by the PCI DSS, which aims to put the onus of responsibility on retailers rather than banks, as has historically been the case.
Fines in excess of $500,000 (or $100,000 per month) are being imposed on vendors in the United States who fail to comply with the standard, which calls for good, basic security audits under six categories including:
- Build and maintain a secure network
- Protect cardholder data
- Maintain a vulnerability management program
- Implement strong access control measures
- Regularly monitor and test networks
- Maintain an information security policy
Since September of last year, roughly 15% of those involved in online UK commerce have stepped up to the plate to comply with the regulatory requirements. There is still a long way to go!
If you run a website or are a merchant who accepts credit card payments online, you should visit this informative page put together by Visa, one of the five payment brands driving the formation of the standard.
Four different compliance levels exist, depending on the level of transaction activity on your site.
The PCI Security Standards Council, which is responsible for the standard, concedes that the standards can be confusing and challenging to implement, especially for smaller merchants who handle only a few thousand transactions each year.
Further, there is still some debate over how to enforce PCI compliance in the cloud, when examined through the lens of virtualization software such as VMware or Xen Servers.
For this reason, the Standards Council has put together a special interest group to define virtualization and provide guidance on how it applies to PCI DSS.
The SIG, as they call it, has worked to produce an information supplement to the second version of DSS, which is currently under review.
The supplement will include a white paper on common PCI use cases for virtualization and a mapping tool that details guidance on recommended, required and auditable controls.
“If you put payment data into the cloud – you are opening up that entire cloud to the scope of a PCI QSA assessment,” said Bob Russo, general manager of the PCI Security Standards Council.
He points out that not all data is meant for the cloud and that, where necessary, it should be confined to the most heavily protected segment of your network.
It is recommended that companies use a hosting provider who can scale their environment dynamically based upon preconfigured PCI-compliant system images.
If your organization or company is involved in the payment processing industry in any way you may wish to influence the future direction of the council by becoming a PCI SSC Participating organization. The fee for joining the Council is $3,000 for an annual membership.
If your organization does not have a firewall at present, or is unaware of the exact requirements of the PCI DSS standard, Virtual Internet offers a security audit to ensure your servers and firewalls are patched and up to date.