This is page 2 of:
PCI Council: Don’t Go Mixed-Mode In Virtualization
This being PCI, the guidelines then go on to explain what’s required if a merchant decides to try mixing in-scope and out-of-scope components on the same hardware anyway—drilling down to the controls required for out-of-band communication channels and virtual storage. But it’s clear, from the point of view of these recommendations, that’s the wrong way to go.
The guidelines take the same harder-than-usual line on cloud computing services. After laying out how hard it is to make sure an in-scope application in the cloud is secure, the guidelines said: “These challenges may make it impossible for some cloud-based services to operate in a PCI DSS compliant manner. Consequently, the burden for providing proof of PCI DSS compliance for a cloud-based service falls heavily on the cloud provider, and such proof should be accepted only based on rigorous evidence of adequate controls.”
How heavily? “The cloud provider should be prepared to provide their hosted customers with evidence that clearly indicates what was included in the scope of their PCI DSS assessment as well as what was not in scope; details of controls that were not covered and are therefore the customer’s responsibility to cover in their own PCI DSS assessment; details of which PCI DSS requirements were reviewed and considered to be ‘in place’ and ‘not in place’; and confirmation of when the assessment was conducted,” the clarification said.
Admittedly, it’s a little easier for PCI guidelines to avoid waffling when it comes to virtualization. This is largely a matter of reshuffling applications to consolidate existing hardware, and all the old PCI rules about securing and isolating in-scope systems are already in place. So are the lists of PCI-compliant applications.
That means the working group could focus just on the new layer of technology—technology that, in the case of virtualization, has been in use in many datacenters for years. That practical experience translates into PCI recommendations that, for once, are clean and clear. You can actually hand the guidelines to datacenter operations people and they’ll have a prayer of understanding them.
Enjoy those very specific (and very helpful) recommendations while you can. An upcoming major set of PCI guidelines for a hot new technology will be those for mobile payments—an area that involves new applications, technology that’s in the hands of users and almost impossible to control, and a widespread lack of consistent understanding of how to make it secure for payments.
When those recommendations arrive next year, you’ll need all the help you can get.
Cards issued by European banks when used online cross border don't usually support AVS checks. So, when a European card is used with a billing address that's in the US, an ecom merchant wouldn't necessarily know that the shipping zip code doesn't match the billing code.
-Marc
