Thursday, November 21, 2024

PCI Council Issues Virtualization Guidelines, Still Crafting Mobile Rules

The PCI Security Standards Council on Tuesday released guidelines on how merchants, processors, card issuers, and tech companies should securely handle payment card data in light of the increasing “virtualization” of systems that transmit and process such data. Meanwhile, the Council is still grinding away on guidelines for mobile-payment security that it had hoped to have out by this month.

It takes many forms, but virtualization refers to the logical abstraction of computing resources from physical constraints, enabling multiple operating systems to run in parallel on one computer so that no individual operating system affects the others in any way, according to a backgrounder from UBM TechWeb’s Wall Street & Technology online publication. Virtualization can be applied to desktop computers, software, networks, and other systems, providing more efficient use of computing resources to save on both money and energy consumption.

“Virtualization really takes an entity and frees it from its physical boundaries and constraints,” says Kurt Roemer, chief security strategist at Citrix Systems Inc. and chairman of the PCI Council’s virtualization Special Interest Group (SIG). Fort Lauderdale, Fla.-based Citrix develops virtualization products for various computer environments.

In the payment card world, virtualization has especially taken hold in the past two to three years, says Julie Conroy McNelley, senior fraud and risk analyst at Boston-based Aite Group LLC. “There’s a wide variety of environments where card payments are going over nowadays,” she says. “A lot of organizations are looking to incorporate virtualization because it does provide cost efficiencies and other efficiencies.”

But just how virtualization and the Payment Card Industry data-security standard (PCI), the main data-protection rulebook by which merchant acquirers, processors, issuers and industry vendors must play, fit together isn’t quite clear. Version 2.0 of PCI, which the Council released last October, addresses virtualization a number of times, but does not go into great detail.

The new guidelines, officially called an information supplement, are an attempt to fill in those blanks, according to PCI Council general manager Bob Russo. “This supplement basically will tell you really everything you need to know before you deploy anything in a virtualized environment,” Russo tells Digital Transactions news. The Wakefield, Mass.-based Council administers and updates PCI and related standards for protecting card data.

While use of a virtual environment can actually increase the security of card data, it will not automatically mean the system is “out of scope,” or not subject to PCI, according to Russo. “All the same risks that exist in the physical world exist in the logical world,” says Troy Leach, PCI Council chief technology officer.

The virtualization guidelines were developed by the Council’s virtualization SIG, one of several such groups the organization oversees to address how PCI relates to major technological or operational issues. The 39-page supplement is not part of PCI version 2.0, but its precepts could find their way into PCI’s next update, according to Russo. More than 30 so-called participating organizations of vendors, merchants, processors, and others working with the PCI Council developed the guidelines. The guidelines do not endorse any particular technology or provider, Russo says.

Meanwhile, the Council needs more time to develop guidelines about how PCI relates to mobile payments. During the Electronic Transactions Association conference a month ago, Russo said he expected initial guidance to be issued within a couple of weeks. But now Russo says the first of what will be several parts of the full set of guidelines will be out “probably within a month or so,” with more out by the fourth quarter. At that time, the Council also expects to have guidelines out for so-called point-to-point data encryption.

The explosive growth of mobile payments caused the PCI Council late last year to assess the software applications facilitating such payments and to refuse to endorse new ones as meeting the Payment Application data-security standard (PA-DSS) until it could make a “comprehensive examination” of the security issues. It also delisted other applications that it had earlier deemed to meet the PA-DSS. The delay in issuing the guidelines arises from the complexity of mobile-payment security and the multiplicity of companies with a stake in the issue, according to Russo. “There’s never a shortage of input … both internal and external,” he says. “We need to get everybody’s side to this story.”
