PCI Council Weighing Virtual and Cloud Recommendations


As a participating organization in the PCI Security Standards Council, Ipswitch File Transfer has the opportunity to review documents and recommendations before they become public. That is the case with the “Securing Virtual Payment Systems” document currently under review.

While I cannot provide specific details or quotes from the document at this time, it is common knowledge (it was stated publicly at the 2008 PCI Community Meeting) that the PCI Council has been trying to get its arms around the proliferation of virtual machines and cloud resources in PCI deployments for some time.

The direction the council seems to be headed is to treat not only the virtual machines (“guests”) but also the hypervisor software that manages those virtual machines as IN SCOPE during PCI audits. If this comes to pass, it may have the following effects on the credit card processing industry (including many Ipswitch File Transfer customers).

  • Users of virtualization technology (including EMC VMware and Microsoft Hyper-V) may be encouraged either to segregate their PCI systems from non-PCI systems onto different physical virtualization hosts, or to bear an increased control and documentation burden for “mixed” environments where PCI and non-PCI guests share a hypervisor.
  • Users of virtualization technology will need to control and document their hypervisors (patching, administrative access, configuration baselines and logging) as tightly as they control and document the operating systems running inside the guests.

As an accredited security auditor, I wholeheartedly agree with treating hypervisors as in scope, and I encourage the PCI Council to make this the final recommendation this year.

However, in terms of the direction the PCI Council seems to be taking in the cloud space, I worry that cloud providers will not be given the same latitude that existing third-party hosting providers are currently afforded in the later sections of PCI DSS 1.2.

While I cannot cite specific passages here, I believe that limiting the definition of a “private cloud” to equipment that must be entirely owned and controlled by the organization itself will unfairly exclude third-party cloud providers that could otherwise demonstrate segregated processing for a customer’s cardholder data.

All in all, this document is an important step forward in addressing evolving deployments for the PCI Council, and I encourage everyone involved to complete the work and make it official.
