As the business and consumer worlds migrate their activities to the cloud, it’s logical that participants in the payment cards ecosystem are also part of that inexorable movement toward all things cloud. Relevant legal rules and industry best-practice standards are still catching up to this shift. In keeping with this, after ruminating on related considerations for some time, the PCI Security Standards Council last week issued a supplement to its PCI Data Security Standard focused on the peculiar risks associated with virtualized computing environments and resources, including cloud computing. Not surprisingly, the general rule of thumb is that if a security feature is required in a non-virtual computing environment, that feature is also required in the virtual environment. However, the PCI document, entitled Information Supplement: PCI DSS Virtualization Guidelines, recognizes that assessing and addressing the security risks posed by virtualization technologies presents more daunting challenges than is the case with non-virtual resources.
While there is good discussion within the Guidelines about many technologies, I found the cloud computing discussion most interesting. The Guidelines recognize that each cloud service needs to be evaluated for its specific security and processing attributes in relation to PCI DSS compliance. However, because of the generally comprehensive functions performed by many SaaS cloud providers as opposed to user organizations, the Guidelines make clear that greater PCI compliance burdens will likely be the responsibility of the cloud service provider and, as a result, the Guidelines outline a variety of matters for which a cloud services user should seek assurance from the provider.