Earlier this month, the PCI Security Standards Council (SSC) added guidelines around PCI DSS for regulatory compliance for virtualized environments that also applied to data stored in the cloud. The move represented a significant shift that addressed growing security concerns created by burgeoning IT trends, experts say.

“Over the last couple of years, we’ve seen a huge adoption of virtualization inside the enterprise, and more recently, a surge of interest in the public cloud,” said Chad Loder, vice president of security solutions for Rapid7. “This is causing many questions for PCI assessors about how the PCI standards should be interpreted in these environments. However, the basic principles of PCI are still the same, regardless of where your systems are located.”

The updated PCI DSS, known as PCI DSS 2.0, addresses virtualization by mentioning that virtual machines (VMs) can compliantly handle credit card data -- as long as each VM is used for a single purpose and keeps the data separate from the rest of the IT infrastructure.

Above all, PCI 2.0 stipulates that if virtualization technologies are used in a cardholder data environment, all PCI DSS mandates are applicable to those virtualization technologies.

The supplemented PCI also acknowledges that virtualization technology introduces new risks that must be taken into consideration and assessed when moving cardholder data to virtual environments, and also states that because virtual technologies can vary greatly, organizations will be required to perform thorough data discovery to identify sensitive data used in payment card transaction processes.

In addition, the revised PCI maintains that there is no one-size-fits-all method or solution to apply the PCI guidelines to adhere to virtualized environment and that specific controls and polices will vary for each environment, depending on how virtualization is used and implemented.

While the new virtualization guidelines paint a clearer picture of compliance for relevent IT trends, security experts say that they also could potentially create more confusion stemming from an array of interpretations.

But some industry experts said the new virtualization guidelines will make PCI compliance easier for users migrating data to virtual or private cloud environments.

“The new guidelines solve -- as opposed to create -- challenges,” said PCI expert Anton Chuvakin. “Additional council guidance solves the challenges of implementing PCI DSS controls and also assessing and scoping PCI compliance in virtual, and to a small extent, cloud environments.”

One qualified security assessor (QSA) echoes that the the new guidelines clears up a lot of confusion for customers, who previously had to guess at what activities were within the scope of compliance in virtual and cloud environments.

“Up until this point, many QSAs were either relying on vendor-driven best practices or only reviewing virtual machine configuration or physical security associated with a cloud environment,” said Nick Puetz, director of PCI compliance for FishNet Security, a Kansas City, Mo.-based solution provider. “The new guidelines go a long way in helping establish what is in-scope and which high-level controls need to be in place.”

Virtualization Guidelines In PCI Opens Up Compliance Conversations Puetz said that one of the biggest challenges would be getting the word out to customers moving data to cloud or virtualized environments. As such, the new virtualization-specific additions in PCI could mean opportunities to open new conversations with virtualization and cloud customers about compliance.

“Many clients do not understand these guidelines, mostly because they are very new and clients have not had an opportunity to read and absorb the new content or talk to their QSA’s about the new content,” he said. “Having quarterly meetings with your QSA can go a long way in keeping lines of communication open so both sides stay up to date on any changes or new happenings.”

However, other experts maintain that the vaguely worded guidelines will almost certainly present new challenges for organizations as they apply their own interpretation to the rules.

For example, Loder pointed out that the new guidance affects not only a hypervisor but potentially all the other VMs running on that hypervisor when a VM is in scope for PCI.

“Depending on how this is interpreted, this could cause a significant expansion in the scope of the cardholder data environment in organizations,” Loder said.

Ruth Xovox, chief compliance officer for PCI QSA firm ExoIS, said that challenges regarding compliance in cloud and virtual environments will likely be compounded due to the fact that many organizations continuously fail to be PCI compliant in their physical environment.

“When you’re outsourcing, it’s difficult to know what being compliant means,” Xovox said. “If you’re not compliant in your own environment, the risk increases. Typically people are not doing a lot of things they should, leaving data unencrypted, not reviewing logs, etc. (Cloud environments) become more tricky because you have less control.”

If anything, experts say, the virtualization addendum to PCI simply emphasizes that users are still required to adhere to all the same principles of the data security standard, regardless of whether their data is stored on physical, virtual or cloud environments.

During a June 10 “PCI In The Cloud” panel in San Jose, Calif., sponsored by Rapid7 and ExoIS, Eduardo Perez, head of global payment system risk for Visa, advised users to eliminate or avoid storing cardholder data wherever possible, unless there’s a viable business need to do so.

“Do you need that cardholder data?” Perez said. “The takeaway is that if you can’t eliminate it, then truncate it.”

Experts also underscore that users going to either the public or private cloud should take steps to ensure their provider is PCI compliant, and be proactive about understanding how the provider conducts risk prioritization.

“Most clients are only as aware as the cloud company is,” Puetz said. “If a cloud company advertises their services as being compliant or secure, most clients are going to take their word for it, rather than investigating this claim independently. The best advice I can give to clients is ‘trust, but verify’ the claims of any cloud service provider.”

What is PCI DSS?

The Payment Card Industry Security Standards Council (PCI SSC) was launched on September 7, 2006, to manage the ongoing evolution of the Payment Card Industry (PCI) security standards with a focus on improving payment account security throughout the transaction process.

The major credit card companies (VISA, MasterCard, Discover, and American Express) came together and published a uniform set of data security standards that serve those who work with payment cards. This includes: merchants of all sizes, financial institutions, point-of-sale vendors, and hardware and software developers who create and operate the global infrastructure for processing payments.

Payment Card Processing and Security Policy – Establishes a campus wide requirement for campus merchants to meet and maintain compliance requirements established in the PCI DSS.

Payment Card Privacy Statement – Explains UAB’s intent to securely maintain the privacy of all payment card customers.

PCI Entity Account Request Form – The Office of the CFO is the UAB focal point for handling the PCI Entity approval and registration process. In order to be granted payment card processing authorization, UAB PCI Entities must complete the approval and registration process with the Office of the CFO, which includes requesting and completing a PCI Entity Payment Card Account Request Form. A valid business reason is required for approval to move forward in the process.

In order to complete the payment card account request and be issued a merchant account ID, Entities must complete the following steps:

1. Obtain approval signatures on the request form by the Department Head and the Dean or Associate Vice President.
2. Obtain approval from the Office of the CFO.
3. PCI Entity to complete SAQ (Self-Assessment Questionnaire), Business Process and other required PCI documentation.
4. PCI Entity Account Request Form

For questions relating to how to complete the requirements outlined above, refer to The PCI Entity Handbook or call (205) 934-5121.

Overview

All Northwestern University departments that accept credit/debit card payments are considered merchant locations and must process those payments in a secure manner.  It is the responsibility of each merchant location to maintain compliance with the NU Merchant Card Processing Policy and the Payment Card Industry Data Security Standard (PCI DSS) established by the Payment Card Industry Security Standards Council (PCI SSC).

Treasury Operations is a central e-commerce administrator and compliance resource for Northwestern University merchant locations.  All Northwestern University merchant locations must participate in Northwestern University’s PCI training program and compliance initiatives.  Failure to fully participate may result in the merchant account being revoked.

Northwestern’s PCI DSS Compliance Program addresses requirements of the PCI SSC, including:

1. Security Awareness Education (required PCI DSS Security Training and Attestation)
2. Third Party Service Provider (TPSP) engagement
3. System Vulnerability Scans
4. System Penetration Testing
5. Periodic Reviews and Audits
6. Annual PCI SAQ (Self-Assessment Questionnaire)

(1) PCI DSS Security Training and Attestation

Per PCI DSS requirement 12.6, Northwestern University requires all Northwestern merchant location personnel interacting with the Cardholder Data Environment (CDE) in any manner (from the initial entry to the final reconciliation) to complete an annual training and attestation.  This mandatory requirement includes student employees, contractors and volunteers.

Employees and those with myHR access should complete training in myHR: (PCI DSS: Payment Card Data Security).

Volunteers and those without myHR access should complete this training at: https://sites.northwestern.edu/pcidss/

• Individuals who have not completed training and attestation are not permitted to process Cardholder Data (CHD) on behalf of Northwestern University interests.  Merchant locations using untrained or unattested individuals to process CHD may have their merchant account revoked.

Merchant location personnel should also read and understand the Northwestern PCI DSS Compliance Policy.

Treasury Operations may require individual or group participation in additional PCI security awareness education training as needed.

(2) Third Party Service Provider (TPSP) engagement

NU Merchant locations or their representatives, including vendors and other TPSPs, may not enter into legally binding agreements with TPSPs processing or handling any type of CHD (Cardholder Data), or interacting in any other way with the CDE (Cardholder Data Environment) without proper NU vetting and approval first; including but not limited to Treasury Operations, NU IT Security and Compliance, NU Office of General Counsel and NU Purchasing.  All agreements with TPSPs must have specific PCI DSS and liability shift language included.

(3) System Vulnerability Scans

Merchants with non-P2PE, on-campus payment systems connected to the Internet are required to run vulnerability scans against their systems. Northwestern University’s contract with Trustwave includes external vulnerability scans that are scheduled on the TrustKeeper Portal; scan reports are posted on the TrustKeeper Portal as well. It is the responsibility of the Merchant to review the scans and address any vulnerabilities that have been identified. Failure to address identified vulnerabilities can result in the Merchant location, as well as the entire University, falling out of compliance. Merchants with PCI-validated P2PE payment systems are not required to run scans.

(4) System Penetration Testing

Northwestern University is now a PCI Level 3 Merchant based upon exact card processing metrics, and NU Merchants with non-P2PE, on-campus payment systems connected to the Internet are now required to have internally conducted penetration testing performed at least quarterly. Since this service is not currently a part of their Trustwave contract, arrangements need to be made by e-Commerce Operations and NU IT Security and Compliance, coordinated with Merchant onsite Administrators and IT staff. Failure to cooperate with this mandatory requirement may result in your Merchant account being revoked. Merchants with PCI-validated P2PE payment systems are not required to run penetration tests.

(5) Periodic Reviews and Audits

Treasury Operations and Northwestern’s PCI DSS partners or consultants may perform periodic reviews or audits of merchant location operations to ensure that merchants comply with PCI DSS and the University's risk is reduced.  Failure to cooperate with such activities may result in merchant account usage being revoked.

Merchant locations should also routinely review their procedures and equipment, including physically inspecting card processing equipment to ensure devices have not been substituted or tampered. This Merchant Location Device Inspection Checklist can be used for your inspections.

Please contact ccard@northwestern.edu with questions or to request assistance.

(6) Annual PCI SAQ (Self- Assessment Questionnaire)

All Northwestern University merchant locations are required to validate PCI-DSS compliance at least annually by completing the appropriate SAQ in a timely manner. A questionnaire must be completed for each Merchant account, and a new questionnaire must be filled out whenever any of the following have occurred:

• - payment processing system changes
• - a year has elapsed since your last SAQ
• - upon Treasury Operations request

The SAQ should be completed through the TrustKeeper Portal which is available in the CardConnect CardPointe gateway.

There are 8 types of SAQ. Treasury Operations or Arrow Payments can help determine which type is required for your merchant location environment:

Resources:

Editorial Note: They earn a commission from partner links on Forbes Advisor. Commissions do not affect their editors' opinions or evaluations.

Stand out in today's competitive job market.

Developed in collaboration with and led by industry professionals and subject matter experts, their rigorous training will equip you with the latest knowledge and best practices in your chosen field. Employers and industry leaders recognize the value of certified professionals, often offering increased career prospects and higher earning potential.

Editorial Note: They earn a commission from partner links on Forbes Advisor. Commissions do not affect their editors' opinions or evaluations.

As a licensed Professional Engineer, or PE, you can expect many more benefits when compared to other engineers; most employers offer higher salaries and greater opportunities for advancement to PE's. Only PE's can consult in private practice, and seal company documents to be sent to the government. PEs also have more credibility as expert witnesses in court than most engineers.

Steps in obtaining a PE license:

• Pass the Fundamentals of Engineering (FE) Exam.
• Graduate with a bachelor's degree from an ABET accredited engineering curriculum (all Engineering curricula at Michigan Tech except Robotics Engineering).
• Gain four years of engineering experience under the supervision of a registered professional engineer.
• Pass the Principles and Practice of Engineering (PE) Exam.

During your senior year you should take the Fundamentals of Engineering (FE) exam, which is required prior to sitting for the Professional Engineers (PE) Exam. Some requirements vary by state.

On top of increasing business expenses and shrinking lines of credit in a weak economy, many small businesses will face one additional pressure in 2009: looming compliance deadlines for Payment Card Industry Data Security Standard requirements.

For many SMBs, adhering to impending PCI DSS deadlines will require major changes to enhancing security infrastructure. That means spending more money on technologies and services such as security assessments, application firewalls, auditing and threat scanning.

Solution providers will need to find economic ways for budget-crunched small and midsize businesses to achieve compliance.

Comprised of 12 requirements, PCI DSS was implemented by credit card companies as a baseline security standard for any business -- ranging from enterprises to SMBs -- that accepts customer credit card data. Compliance deadlines for larger merchants have already passed, but now smaller merchants will get their turn. Credit card companies such as MasterCard and Visa have each set their own deadlines for small businesses to start meeting the various requirements of PCI DSS compliance throughout 2009, first for Tier 3 businesses -- merchants that process between 1 million and 6 million credit card transactions annually -- and then Tier 4 businesses, which include "all others."

Security VARs said that in general SMBs are more susceptible to becoming the victim of a security attack than their larger peers.

"The SMBs don't have a dedicated staff for security. They also don't have the budget to make the necessary protection needed," said Todd Leidner, vice president of operations for Intelek Technologies, based in Norman, Okla. "There are some that definitely know what's at stake. But then there are others who think that it's not going to happen to them, so why spend the money."

"I don't even think [PCI compliance] is entering their radar now, or not yet," said Leidner. "They're more focused on trying to stay in business than be compliant."

While compliance can be expensive, non-compliance could be even more costly. Organizations that fail to adhere to PCI mandates face financial penalties of up to $500,000 if data is lost or stolen and risk losing credit card processing rights. Meanwhile, a Jan. 2009 study by the Ponemon Institute found that the annual cost of a data breach averages to $202 per record and an average cost of more than $6.6 million per breach, the most significant portion (60 percent) of those costs due to loss of business.

Experts said that these days, companies -- even small ones -- are increasingly vulnerable to sophisticated malware attacks that are designed to steal sensitive identifying and financial information. In early January, a malware attack on credit card processing company Heartland Payment Systems resulted in the possible compromise of more than 100 million customer accounts, in what appears to be one of the largest data breaches in history.

Industry observers say that the Heartland breach is the tip of the iceberg because threat risks increase as more companies conduct massive layoffs and outsource IT functions to third parties such as contractors and consultants.

"A bad economy can lead to an increase in this sort of activity," said Thom VanHorn, vice president of global marketing for database security vendor Application Security. "More people are getting laid off. You have more disgruntled employees. It doesn't take many of those [employees] to perpetrate a breach that can result in harvesting information."

With IT budgets being slashed, upgrading security infrastructure for PCI compliance will be a costly challenge for many SMBs just struggling to stay in businesses, experts say. As a result, SMBs with limited IT resources and staff might be even more susceptible to security threats, industry observers said.

"If [SMBs] are having a tough time, then survival becomes more important," said Deven Bhatt, board member of the PCI Security Alliance, an organization based in Fremont, Calif. that aims to help merchants and financial institutions achieve PCI compliance. "They may not have security departments and they may not have as much cash. They're not as much a target, but they can be easy to break into also."

Next: SMBs Look For Cost-Effective Security

One of the biggest hurdles for SMBs will be to find ways to fund costly -- but necessary -- security solutions. Mandatory PCI requirements such as application layer firewalls and two-factor authentication come with price tags that are out of reach for many small businesses, solution providers said.

"Application firewalls -- those are extremely expensive, especially for the small and medium businesses," said Allen Allison, vice president of managed services for managed security service provider NaviSite, based in Andover, Mass. "That's one of the things that's going to be a big fear."

As one answer to providing SMBs with both quality and cost-effective security, NaviSite offers several hosted offerings and professional services to help smaller customers to achieve PCI compliance objectives, Allison said.

Meanwhile, Allison said that as Tier 3 and Tier 4 PCI deadlines approach later this year, SMBs will increasingly invest in all-in-one security suites -- security products incorporating multiple functionality.

"In order to be PCI-certified, they have to have it all," said Allison. "In many cases you can put in place solutions that accomplish multiple things -- log aggregation and correlation, authentication requests -- those are the things that most people should focus on. The stone that could kill multiple birds."

Another challenge that SMBs face in achieving PCI compliance is the ability to determine exactly what their security infrastructure needs -- a problem due, in part, to the subjective nature of the requirements, industry observers said.

"There will be people who will implement it well and people who implement it to check it off," Application Security's VanHorn said. "They assume that compliance equals security. They look at the 12 requirements and figure once they did that, than they can kick back and have cocktails on the veranda because 'they're secure.'"

However, experts say that because PCI adherence is mandatory, "nice-to-have" IT purchases might go by the wayside to make room for essential PCI upgrades. For many SMBs, the first step in becoming PCI compliant is to complete a comprehensive assessment of their infrastructure, especially the pieces that house valuable data. Solution providers said SMBs will need to invest in assessments to determine where their sensitive data lives, and then prioritize the most important data in terms of risk and delete the unnecessary data that's eating bandwidth and compromising security. As a result, PCI will likely open up opportunities for the channel to embark on or expand numerous assessment and remediation services, which they can specifically tailor to their smaller customers.

"Find out where all the sensitive information is in your environment, then get rid of it. You reduce the risk so much," said PCI Security Alliance's Bhatt said. "If you don't store it, then you don't have to worry about it."

Also because PCI standards require all companies to scan for threats, solution providers will find additional opportunities in scanning services, as well as auditing and reporting services to prove PCI compliance.

"If you're a Level 1 [merchant], you have a structured IT department," said Cheryl Traverse, CEO of San Jose, Calif.-based Xceedium, a security vendor specializing in entitlement management security products. "The [Level] 2s and [Level] 3s really don't have this, they don't have the expertise to do this. They need to work with the reseller and manufacturer who have the expertise and can show them the way."