In an interview with Infosecurity, Bruton noted that PCI DSS version 2.0, issued last October, addresses virtualization and cloud security for the first time.
Bruton stressed that companies should take a look at a cloud provider’s PCI report on compliance to determine whether they are in fact compliant with PCI DSS standards.
“The report on compliance is important to have…[because] if you are not getting a PCI compliance report from your vendor, you’re not going to know which of the areas you can depend upon them for compliance, or which ones are being left on your shoulders”, he said.
Bruton said that many cloud vendors only address issues such as physical security and basic network security in their compliance report and “leave a large portion of control requirements on their customers to handle, which can be costly for the customers to implement.”
In addition, more and more companies are turning to PCI DSS to ensure that they meet information security requirements contained in laws such as the Health Insurance Portability and Accountability Act (HIPAA), which regulates health information privacy and security; the Graham-Leach-Bliley Act (GLBA), which includes financial privacy and security rules; and the Sarbanes-Oxley Act (SOX), which includes requirements for internal controls over corporate data.
“Most of the government regulatory security controls don’t have specific requirements of how to configure IT systems to be secure. Part of the reason for that is they don’t want to have to update the laws to keep up with technology”, Bruton explained.
Bruton said that PCI has been widely accepted as a solid security standard. "A lot of people are familiar with it. It is comprehensive in terms of the areas that it dictates security controls for. Our clients have had a lot of success communicating to their auditors and end users about applications that handle health care data referencing the PCI standard”, he related.
“While PCI DSS is a private standard developed by the card brands, it is ubiquitous in terms of people recognizing what it is. It is very comprehensive and a lot of people have been using it to communicate to their customers and end users that they have met a reasonable standard of security even if credit cards don’t apply”, Bruton concluded.