First word on how card security for containers, VDI, SDN and web apps
The Payment Card Industry Security Standards Council (PCI SSC) has issued a big update to its guidance on using payment cards with cloud computing services.
A lot has happened in the cloud since 2013, when the last version was published. Which may explain why Wednesday’s version three hit 83 pages, 31 pages more than version two.
On The Register’s reading of the document, the big changes kick in around the new Section 6.5 on Vulnerability Management. This re-written section adds advice on testing web applications, internal networks and penetration testing.
Section 6.4 is new, too, and suggests “Customers should contractually require data breach notification from their Providers in clear and unambiguous language, taking into consideration the need to comply with local and global regulatory/breach laws, data privacy, security incident management and breach notification requirements.”
As you’d expect, new technologies like software-defined networking and the internet of things score a mention, along with guidance on how they impact PCI compliance.
Hypervisor introspection, the practice of peering into workloads to ensure they aren’t doing anything unexpected, has been given a long consideration because “… it can bypass role-based access controls and that it can be used without leaving a forensic audit trail within the VM itself.” Desktop virtualization, especially cloud-hosted desktops, has also required substantial new guidance.
There’s also a long list of things a container platform needs to do before it can be considered ready for duty handling payment card information in the cloud.
Another new and very modern recommendation concerns testing of automation to ensure that resources created in elastic cloud inherit the security controls required for PCI compliance.
The new document contains hundreds of changes. Perhaps the best way to assess the main points is by considering the updates to the section on “PCI DSS Compliance Challenges.”
The new version adds a warning that “… it may be particularly challenging to validate PCI DSS compliance in a distributed, dynamic infrastructure such as a public or multi-tenant environment.” Both documents warn that it is hard to understand what infrastructure a cloud provides. The new one adds that it is therefore “difficult to identify which system components are in scope for a particular service or identify who is responsible for particular PCI DSS controls.”
Many changes concern scoping a cloud to ensure it is PCI compliant, and plenty of those concern work to determine exactly what parts of a cloud are certified as PCI-compliant, who has responsibility for their security, and how to make sure that an incident doesn’t end up with lots of finger-pointing that can’t help card-holders.