Over half of the companies surveyed by Trend Micro in May 2011 reported having cloud computing services being developed, implemented, or already in production.  The survey also reports that security concerns continue to be a primary reason companies are holding back their adoption of cloud computing. 

The security concerns related to virtual environments are heightened for companies in the payment card industry.  Those companies face a difficult task of adapting the Payment Card Data Security Standard (PCI DSS) developed for logical environments to virtual environments, like cloud computing environments.  The PCI Security Standards Council released guidelines on June 14, 2011 to help merchants, processors, card issuers, and service providers bridge that gap.

The PCI DSS Virtualization Guidelines Information Supplement provides:

  • Explanation of the classes of virtualization often seen in payment environments including virtualized operating systems, hardware/platforms and networks
  • Definition of the system components that constitute these types of virtual systems and high-level PCI DSS scoping guidance for each
  • Practical methods and concepts for deployment of virtualization in payment card environments
  • Suggested controls and best practices for meeting PCI DSS requirements in virtual environments
  • Specific recommendations for mixed-mode and cloud computing environments
  • Guidance for understanding and assessing risk in virtual environments

The Appendix to the Supplement describes in detail how each of the 12 broad PCI DSS controls that are mandated for logical environments, need to be applied in a virtual setting.

For cloud computing, the Supplement identifies the extent to which enterprises are responsible for ensuring compliance and the extent to which cloud vendors are responding for ensuring the right controls are in place.  If companies choose to have their PCI workloads hosted on multi-tenant, public cloud infrastructures, those companies need to ensure that their cloud vendors have additional controls for protecting their data.  According to the Supplement, the challenges involved in protecting PCI data in a multi-tenant environment, “may make it impossible for some cloud-based services to operate in a PCI DSS compliant manner.” “Consequently, the burden for providing proof of PCI DSS compliance for a cloud-based service falls heavily on the cloud provider, and such proof should be accepted only based on rigorous evidence of adequate controls.”