May 20, 2009, 11:45 AM — Cloud security is enough of a potential problem that it’s being investigated by the group that sets standards for protecting credit card data.
The Payment Card Industry (PCI) Council has set up a task force to examine cloud computing services and figure out what unique exposure credit card data faces if stores, restaurants, hotels and the like hand their card information over to a provider.
The council, which has issued the data security standards that businesses processing credit card transactions must follow in order to be PCI compliant, is looking more closely at cloud computing because its members are using the technology more. “As a result, the Council is evaluating various options to address more formally, with our participating organizations, how cloud computing applies to the current requirements of the PCI Data Security Standard and where we take the DSS in the future,” the council says in an e-mail reply to questions about its plans.
The PCI council revises its standard in ongoing cycles in order to keep personally identifiable data as private as possible and minimize the number of data breaches. The council is also taking a closer look at virtualization as a possible threat vector that should be separately addressed by the standard, although the council says the current standard might cover it.
“Cloud computing and virtualization are important issues to our members. We are seeing a rise in the use of virtual servers in the marketplace and by our participating organizations,” the council says in a written statement.
“The council tries to maintain a technology-neutral approach and address specifically the risk associated with the cardholder data environment. We are currently evaluating whether the current requirements of version 1.2 of the PCI Data Security Standard mitigate emerging threats and vulnerabilities related to virtual components. The council hopes to provide clarity on the topic later this year.”