Virtualization, Cloud Computing and the PCI DSS

How do virtualization and cloud usage affect compliance with PCI? QSAs Ben Rothke and David Mundhenk provide practical advice.

1 2 3 Page 3
Page 3 of 3
  1. Entities that are required to be PCI compliant for the most part understand the benefits of cloud computing, but often don't consider the risks of cloud-based services. Therefore, step one is to perform a risk assessment. As per PCI, this is required—PCI requirement 12.1.2.
  2. As part of the cloud risk assessment, define acceptable use cases.
  3. Take a look at the entire cloud architecture and ensure that the design has adequate security built-in. There are many things to analyze, including the nature of the architecture in addition to trust boundaries, administrative controls and more.
  4. Cloud provider policy and procedures review—the cloud provider should be willing to share with you the policies and procedures they follow to secure your data. Make sure those policies and procedures align with your requirements.
  5. Detail any compensating controls before allowing PCI data to be shared.
  6. Establish a qualitative professional relationship with your cloud provider. Many of the larger cloud providers have excellent security resources (both documentation and staff members) available. Make sure you use them to their fullest.
  7. Fully understand how the cloud provider will secure your critical data and see their architecture for how they will execute on that.
  8. Ensure that the cloud provider has effective administrative access controls and a formalized set of detailed and comprehensive processes.
  9. Since administrative access is out of your control, you need strong contract language including SLAs and validation that the vendor is capable of applying all appropriate PCI controls.
  10. Negotiate the ability to have read-only access to system monitoring. While this is rarely done, it can make all the difference in cooperative ownership of security and uptime monitoring.
  11. Fully detail compliance status reporting provisions.
  12. Ensure that the cloud security provider is compliant with PCI requirement 9—Restrict physical access to cardholder data. The cloud provider should have undergone a physical security site review. They should share the report with you and should also agree to a physical security inspection of their data center. In the event they refuse to, look for another cloud provider. The bottom line is that at the heart of any cloud is a well secured and managed data center.
  13. Patch management—PCI requirement 6.1 requires that all system components and software have the latest vendor-supplied security patches installed. Your cloud provider should be more than happy to provide you with their processes around patch management. In the event they refuse to, look for another cloud provider.

Finally, if your cloud provider is outside of the United States or is U.S.-based but they "off-shores" their resources, you certainly want to make sure they understand what their obligations are regarding requirements in the U.S. In some countries, (e.g., China), data protection laws can be sparse and offer you little legal protection.

While the use of cloud computing may appear to ease economic and regulatory burden, it is imperative that organizations understand that storing data in the cloud does not in any way relieve them of their legal and regulatory obligations. The bottom line is that nearly everything can be outsourced, but an enterprise can never outsource liability.


As hot as cloud security and virtualization are, so are the challenges for making them PCI complaint. Nonetheless, cloud security and virtualization PCI DSS compliance is possible. But like every other aspect of information security, it requires attention to detail, strong requirements, formal processes and a documented architecture.

For those who follow the directive of this article, it is hoped that their use of cloud security and virtualization is easy, and PCI DSS compliant.

Ben Rothke CISSP, QSA ( is a Security Consultant with BT Professional Services and the author of Computer Security: 20 Things Every Employee Should Know (McGraw-Hill Professional Education) and a founding member of the Cloud Security Alliance.

David Mundhenk CISSP, PCI-DSS & PA-DSS QSA, QPASP ( is a Security Consultant with a major professional services firm.

Copyright © 2010 IDG Communications, Inc.

1 2 3 Page 3
Page 3 of 3
Get the best of CSO ... delivered. Sign up for our FREE email newsletters!