Privacy & Information Security Law Blog

On June 14, 2011, the PCI Security Standards Council’s Virtualization Special Interest Group published its “Information Supplement: PCI DSS Virtualization Guidelines”(the “Guidelines”) to Version 2.0 of the PCI Data Security Standard (“PCI DSS”).  The Guidelines provide context for the application of the PCI DSS to cloud and other virtual environments, and offer at least three critical reminders:

• the PCI DSS applies to cloud environments without exception; 
• critical analysis of the application of the PCI DSS to rapidly evolving cloud offerings is essential to compliance; and
• cloud providers must be prepared to document and contract for necessary controls.

Although the application of the PCI DSS to cloud and other virtual environments is not controversial, the Guidelines make clear that unquestioning reliance on a vendor’s assertion that it is PCI compliant may be inadequate and risky.  Of course, failure to comply with the PCI DSS not only increases the risks to sensitive customer payment card data, but may also jeopardize a merchant’s ability to process credit card transactions.

The Guidelines include high-level vocabulary and technical advice, cataloging common components of virtualized environments and identifying those that are likely to be “in scope” for purposes of the PCI DSS.  The Guidelines also identify key risks unique to virtual and cloud environments.  For example, the consolidation of resources inherent in all virtual environments increases the damage that may be caused by a single point of failure, such as a misconfigured hypervisor in a public cloud which exposes the virtual environments of multiple customers.

The Guidelines include a number of recommendations and suggested best practices, most of which focus on the critical need to understand the precise technical operation of each virtual environment and its treatment of cardholder data as essential first steps in assessing PCI DSS compliance.  Importantly for cloud offerings, the Guidelines emphasize the need to ensure that the service offering enforces administrative, process and technical segmentation to isolate each customer’s environment from those of other entities.  The Council recommends that this isolation encompass, at a minimum, all PCI DSS controls, including segmented authentication, network and access controls, encryption and logging.

The Guidelines would hold cloud providers to a high standard, putting them on notice that the limited access allowed customers to the shared infrastructure of the cloud and the inherent risks of that sharing require implementation of “...[m]ore stringent preventive, detective, and corrective controls...to offset the additional risk that a public cloud, or similar environment, could introduce…”  Notably, the document concludes by indicating that “...these challenges may make it impossible for some cloud-based services to operate in a PCI DSS compliant manner.”  As a result, the Guidelines put the burden of proving compliance squarely on the cloud provider and require “rigorous evidence of adequate controls.”  In particular, the Guidelines state that “...[t]he cloud provider should be prepared to provide their hosted customers with evidence that clearly indicates what was included in the scope of their PCI DSS assessment as well as what was not in scope; details of controls that were not covered and are therefore the customer’s responsibility to cover in their own PCI DSS assessment; details of which PCI DSS requirements were reviewed and considered to be “in place” and “not in place”; and confirmation of when the assessment was conducted.”  These recommendations are important for contract drafting purposes, but the Guidelines also will be helpful to those seeking to assure compliance with Nevada’s recently amended law on the security of personal information, which requires that merchants doing business in Nevada and accepting payment cards must comply “...with the current version of the Payment Card Industry (PCI) Data Security Standard, as adopted by the PCI Security Standards Council.”

To facilitate compliance, the Guidelines include an appendix summarizing the 12 PCI DSS requirements, and providing a detailed list of virtualization considerations for each.