Monday, 28 May 2012

PCI Compliance in the Cloud Computing

The Payment Card Industry Data Security Standard (PCI DSS) is a set of requirements designed to ensure that ALL companies that process, store or transmit credit card information maintain a secure environment; in practice this covers essentially any merchant that has a Merchant ID. The Payment Card Industry Security Standards Council (PCI SSC) was launched on September 7, 2006 to manage the ongoing evolution of the Payment Card Industry (PCI) security standards, with a focus on improving payment account security throughout the transaction process. With the mission of protecting and securing credit card data, the PCI Security Standards Council has established specific compliance requirements for companies that process, transmit or store credit card information. Companies are classified as either merchants or service providers (service providers are entities that perform a function such as processing a credit card transaction or providing backup tape storage of credit card data).


The PCI Security Standards Council's recent guidance on PCI virtualization seems to have had limited effect, as many of the decisions and assumptions organizations had already made about virtualization proved to be wrong, requiring extra spending and effort to achieve compliance; the same is likely to happen with decisions made about cloud computing, which is why the cloud guidance helps to define the issues involved. While the guidance has made it clear that compliance in the cloud is feasible, the council has also made it clear that PCI in the cloud is no pushover from a technical standpoint. Getting to compliance in the cloud involves the active participation of both the organization itself and the cloud provider.
One of the issues in PCI compliance in the cloud is that it is a shared effort between customer and provider. According to the guidance, both the hosted entity and the provider must clearly define and document the responsibilities assigned to each party for maintaining PCI DSS requirements and any other controls that could impact the security of cardholder data. So, while it is the hosted organization that is subject to compliance, both the provider and the hosted organization need to take action. Hosted entities need to document their processes and controls and make sure all of the controls are thoroughly addressed, either by themselves or by the provider. Providers, on the other hand, may need to provide documentation (for example, an explanation of how they meet the controls), initiate auditing efforts to provide evidence of implementation, or modify their environment to make sure they meet the controls, because the PCI virtualization guidance categorically links the scope of the hypervisor and the guest images together, so whole environments have to change together.




1 comment:

  1. When you copy and paste, do not forget to at least change the font.
    Some research is done, but it is hard to read as there is no flow as a result of resources copied and pasted.