Building on its reputation as one of the first firms to promote and provide data security in the cloud, Catbird Networks Inc. has published a Payment Card Industry Data Security Standard compliance guide for organizations moving to virtualization of payment processing.
The Catbird PCI Solution Guide, co-published with cloud software provider VMware Inc., is an auditor-reviewed reference to help organizations interpret updated PCI DSS requirements as they relate to cloud-based systems, says Tamar Newberger, vice president of marketing at Scotts Valley, Calif.-based Catbird.
“When processors started virtualizing data to big data centers, they realized that current PCI guidelines were a little fuzzy about being compliant when you made that conversion,” Newberger says.
Virtualization technology enables smaller companies to convert data systems to a private cloud, or off-site server, and several larger companies to place data on the same public cloud, Newberger says.
When PCI-certified qualified security assessors began informing long-compliant companies they were no longer compliant after converting to a cloud-based system, the industry called for more guidance from the council and, in turn, from vendors such as Catbird. Thus, PCI established new guidelines earlier this year—in addition to recent requirements for mobile data security—and Catbird last week released what amounts to a step-by-step supporting document.
“It’s an important guide for a QSA because it addresses a complicated new area of PCI compliance,” Newberger says.
Retailers want to learn more as well because they increasingly want the payment data off their systems and in a secure storage setting, she adds.
“The IT security teams of payments processors will be combing through these documents as well,” Newberger says of the 120-page guide.
Security became more complicated after the definition of cloud advanced from safe storage on an off-site server to vendors providing numerous services through the cloud, such as software-as-a-service, Newberger says. “All aspects of those services and the data have to be PCI compliant,” she adds.
Payments systems in the cloud and mobile payments have created most of the industry buzz in the past year, though that buzz has not translated to a significant movement by businesses to convert systems to a cloud, says Julie Conroy McNelley, senior analyst and fraud expert with Boston-based Aite Group.
“It’s usually the vendors talking about cloud and mobile, but the banks, for example, have been much slower to adopt, preferring instead to proceed at their own comfort level,” McNelley says. “They tend to take a measured wait-and-see approach because there is a lot of reputational risk involved.”
Still, it helps the industry when companies such as Catbird provide compliance road maps, McNelley says.
“Taking payment card data away from merchant point-of-sale terminals and systems and bringing it to the cloud environment is a great use of the cloud,” she adds.
Catbird says its vSecurity product is an example of software that addresses many PCI requirement areas for virtual machines, network attributes and the “switch fabric,” or getting data moved over to a virtual infrastructure.
Newberger says Catbird and VMware wanted to create a manual for security professionals and auditors “to make sure you are doing it right” with regard to all aspects of cloud conversion, from the firewalls to network access.
VMware views the guide as an “objection handler” to help organizations comply if PCI or the card networks object to the lack of security in certain facets of a system, Newberger says.
The guide “eliminates ambiguity” and serves as a document to help businesses “stay one foot ahead of the hackers,” she adds.