By: James D. Brown, CTO at StillSecure

As you may have heard, the PCI Security Standards Council recently released its PCI DSS Cloud Computing Guidelines Information Supplement. The supplement is intended to serve as a guide for businesses looking to choose solutions and third-party cloud providers that will help them secure their customer payment data and support PCI DSS compliance.

The supplement provides a roadmap for how cloud environments interact with PCI DSS, and it outlines very clearly who is responsible for securing payment card data in those environments.

Most importantly, this guide makes it clear that it is no longer just about physical security; in a virtualized environment there are additional attack vectors that can be exploited via the hypervisor. Controlling the hypervisor is comparable to having physical access to a machine in a physical environment. Hypervisors enable introspection, the ability to look into running cloud instances, which means they provide a means of monitoring activity unbeknownst to the instance and to any malware that may be running on it. A hypervisor also provides access to multiple virtual machines from a single login, whereas a physical host console provides access to only a single machine. That ability to reach many systems at once must be protected to prevent unauthorized access to cardholder data environments.

It is also key to make sure that devices are segmented in a shared environment. Memory and storage that are shared between tenants must be isolated so that each environment is kept completely separate from the others. This guide formally states the need for isolation in the cloud, and that merchants, vendors and auditors should pay particular attention to it in order to keep cardholder data secure.

Because your data may physically reside anywhere in the world, cloud service providers will have to be clearer about where data is stored, especially when it crosses international borders. This has a serious impact on the ownership of the data and on the ability to move it.

This may lead you to ask: who takes the blame if you process credit card payments with a vendor and the information is hacked? The guide clearly spells out that it is the merchant's responsibility to verify that a provider is secure and compliant. This means that a merchant needs to pay an auditor to verify the cloud provider's level of compliance. To me as a merchant, the difference between using a PCI compliant vendor and doing it on your own is this security audit. While the overall responsibility always rests with the merchant in the end, it is much easier to navigate the auditing process with a PCI compliant vendor.

Overall, these new requirements are a step in the right direction toward regulating the industry and, despite the risks, will help to drive cloud adoption faster.