PCI DSS compliance validation of different levels of merchants in a multi-tenant private cloud

Payment Card Industry Data Security Standard (PCI DSS) compliance validation is an integral part of the security program used by the card brands to enhance payment security through assessment of compliance with the PCI DSS. At the same time, the introduction of virtualization technology as part of cardholder data environment (CDE) system components allows merchants to maximize their return on investment by deploying Virtual Machines (VMs) as part of their CDE, so that merchants of different levels (1-4) can now share the same private cloud for the deployment of their CDEs. This paper examines the assessment method applicable to the varying levels of merchants using a private cloud for compliance validation against PCI DSS. Using Visa card as a case study, we show that the use of a mix of Self-Assessment Questionnaire (SAQ) methods by level 2-4 merchants (i.e. small merchants) and Qualified Security Assessment (QSA) by level 1 merchants (i.e. large merchants) can introduce vulnerabilities that may affect the security of cardholder data stored in the private cloud. We explore the risk assessment process in the PCI SSC Virtualization Guidelines to describe the impact of the two different assessment methods being used by merchants sharing the same infrastructure.

