What can retailers, merchants and others who handle credit card data expect from the PCI SSC when they release PCI DSS 2.0 next month?
There are a great many criticisms levelled at the current PCI DSS, such as the fact that it is out of date as soon as it is published and in other areas lacks clarity in terms of what is required.
Many people are hoping that the updates will remove perceived subjective interpretations in the current system.
There are 3 major areas that cause particularly emotive reactions:
Currently, section 2.2.1 of PCI DSS states that there can only be one function per server. If the council means physical servers, this would amount to banning virtualization. However, it could also mean virtual servers; in that case merchants could run several functions on one physical server, provided each function has its own dedicated virtual server. The PCI SSC has yet to officially explain what is allowed, and how that all fits together.
How, then, is this haziness in the standard resolved today when retailers deploy virtualization? Those that do must assert to their Qualified Security Assessor (QSA) that each virtual machine is, in fact, a dedicated server. Unfortunately, the outcome then boils down to how their individual QSA interprets the standard.
Generally, the PCI DSS scope is defined as any system that stores or processes unencrypted credit card data. Yet even where a business separates all systems that store or process credit card data, it may still use a shared Active Directory, or perhaps a shared administrative LAN, to manage other areas of its infrastructure as well as the systems dedicated to payments.
There’s nothing to say that the Active Directory or administrative LANs are in scope, but there’s nothing to say that they aren’t, either – it’s a grey area that comes up again and again.
At this time, with reference to the use of ‘cloud’ technologies and services, it is ultimately the merchant’s responsibility to have the right contracts in place and to confirm that their providers are operating in a compliant manner. As part of their due diligence, merchants need to make sure they are dealing with someone reputable. The council will continue to rely on section 12.8, which governs the use of third-party providers and states that the merchant must ensure the provider is compliant with PCI DSS.
With the release of PCI DSS 2.0 next month, it is likely that there will be greater clarity and prescription in the areas of virtualization and scope. However, few expect any further detail on the use of cloud services within merchants’ infrastructures. That said, there are a number of QSAs who feel the new standard may contain enough detail to allow them to assess the suitability of a cloud infrastructure.