The Payment Card Industry (PCI) Council has set up a task force to examine cloud computing services to figure out what unique exposure credit card data faces if businesses store card information with a cloud provider.
The council, which has issued the data security standards that businesses processing credit card transactions must follow in order to be PCI compliant, is looking more closely at cloud computing because its members are using the technology more.
“As a result, the Council is evaluating various options to address more formally, with our participating organisations, how cloud computing applies to the current requirements of the PCI Data Security Standard and where we take the DSS in the future,” the council says in an e-mail reply to questions about its plans.
The PCI council has ongoing revision cycles of its standard in order to keep personally identifiable data as private as possible and minimise the number of data breaches.
The council is also taking a closer look at virtualisation as a possible threat vector that should be separately addressed by the standard, although the council says the current standard might cover it.
“Cloud computing and virtualisation are important issues to our members. We are seeing a rise in the use of virtual servers in the marketplace and by our participating organisations,” the council said.
“The council tries to maintain a technology-neutral approach and address specifically the risk associated with the cardholder data environment. We are currently evaluating whether the current requirements of version 1.2 of the PCI Data Security Standard mitigate emerging threats and vulnerabilities related to virtual components. The council hopes to provide clarity on the topic later this year.”