PCI Council releases vastly expanded cards-in-clouds guidance

First word on card security for containers, VDI, SDN and web apps


The Payment Card Industry Security Standards Council (PCI SSC) has issued a big update to its guidance on using payment cards with cloud computing services.

A lot has happened in the cloud since 2013, when the last version was published. That may explain why Wednesday’s version three hit 83 pages, 31 pages more than version two.

On The Register’s reading of the document, the big changes kick in around the new Section 6.5 on Vulnerability Management. This re-written section adds advice on testing web applications, internal networks and penetration testing.

Section 6.4 is new, too, and suggests “Customers should contractually require data breach notification from their Providers in clear and unambiguous language, taking into consideration the need to comply with local and global regulatory/breach laws, data privacy, security incident management and breach notification requirements.”

As you’d expect, new technologies like software-defined networking and the internet of things score a mention, along with guidance on how they impact PCI compliance.

Hypervisor introspection, the practice of peering into workloads to ensure they aren’t doing anything unexpected, has been given lengthy consideration because “… it can bypass role-based access controls and that it can be used without leaving a forensic audit trail within the VM itself.” Desktop virtualization, especially cloud-hosted desktops, has also required substantial new guidance.

There’s also a long list of things a container platform needs to do before it can be considered ready for duty handling payment card information in the cloud.

Another new and very modern recommendation concerns testing of automation to ensure that resources created in elastic cloud inherit the security controls required for PCI compliance.
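One way to turn that recommendation into a repeatable test is a policy-as-code check run against the inventory after an autoscaling event, failing any new resource that did not inherit the required controls. The following is an added example, not from the PCI SSC guidance or from this article; the inventory format, the control names and the baseline values are assumptions, and a real implementation would pull the inventory from the provider’s API or infrastructure-as-code state rather than from the constructed sample below.

```python
"""Policy-as-code check: do auto-provisioned cloud resources inherit the
security controls the PCI environment requires?

Added illustration, not from the PCI SSC guidance or The Register. The
inventory format, the control names and the baseline are assumptions."""

from dataclasses import dataclass

# Baseline every in-scope resource must carry (assumed control names).
REQUIRED_CONTROLS = {
    "encryption_at_rest": True,
    "audit_logging": True,
    "public_ingress": False,
    "baseline_image_approved": True,
}


@dataclass
class Finding:
    resource_id: str
    control: str
    expected: object
    actual: object


def evaluate_resource(resource: dict, baseline: dict = REQUIRED_CONTROLS) -> list[Finding]:
    """Compare one resource's controls against the baseline.

    A control that is absent counts as a failure: 'not set' is not 'compliant',
    which is exactly the gap automation tends to leave behind."""
    findings = []
    controls = resource.get("controls", {})
    for name, expected in baseline.items():
        actual = controls.get(name, "missing")
        if actual != expected:
            findings.append(Finding(resource["id"], name, expected, actual))
    return findings


def evaluate_inventory(inventory: list[dict], baseline: dict = REQUIRED_CONTROLS) -> dict[str, list[Finding]]:
    """Run the check over every resource tagged as in scope for the cardholder
    data environment; returns {resource_id: [findings]} for non-compliant ones."""
    report = {}
    for res in inventory:
        # Scope tag is an assumed convention; untagged or out-of-scope resources are skipped.
        if res.get("tags", {}).get("pci_scope") != "cde":
            continue
        findings = evaluate_resource(res, baseline)
        if findings:
            report[res["id"]] = findings
    return report


# Constructed sample inventory: three instances created by autoscaling.
SAMPLE_INVENTORY = [
    {"id": "i-0001", "tags": {"pci_scope": "cde", "origin": "asg-web"},
     "controls": {"encryption_at_rest": True, "audit_logging": True,
                  "public_ingress": False, "baseline_image_approved": True}},
    # Logging never got attached and an ingress rule is open: two findings.
    {"id": "i-0002", "tags": {"pci_scope": "cde", "origin": "asg-web"},
     "controls": {"encryption_at_rest": True, "public_ingress": True,
                  "baseline_image_approved": True}},
    # Out of scope for PCI: skipped by the scope filter.
    {"id": "i-0003", "tags": {"pci_scope": "none", "origin": "asg-batch"},
     "controls": {}},
]

if __name__ == "__main__":
    for rid, findings in evaluate_inventory(SAMPLE_INVENTORY).items():
        for f in findings:
            print(f"{rid}: {f.control} expected={f.expected!r} actual={f.actual!r}")
```

Wiring a check like this into the pipeline that provisions the resources (or scheduling it against the live inventory) gives a record of which resources were created compliant, which is the evidence an assessor will ask for.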

The new document contains hundreds of changes. Perhaps the best way to assess the main points is by considering the updates to the section on “PCI DSS Compliance Challenges.”

The new version adds a warning that “… it may be particularly challenging to validate PCI DSS compliance in a distributed, dynamic infrastructure such as a public or multi-tenant environment.” Both documents warn that it is hard to understand what infrastructure a cloud provides. The new one adds that it is therefore “difficult to identify which system components are in scope for a particular service or identify who is responsible for particular PCI DSS controls.”

Many changes concern scoping a cloud to ensure it is PCI compliant, and plenty of those concern the work of determining exactly which parts of a cloud are certified as PCI-compliant, who is responsible for their security, and how to make sure an incident doesn’t end in finger-pointing that is of no help to cardholders.

The new guidance document is here (PDF). Version two is here (PDF) if you fancy comparing the documents. ®
