The real problem is in defining what is "in-scope" and "out-of-scope", and avoiding "mixed-mode". This document (https://www.pcisecuritystandards.org/documents/Virtualization_InfoSupp_v2.pdf) provides a pretty good read of the suggested rules of the road for virtualization, but I'm not aware of a similar doc covering cloud. Things like network topologies can mess stuff up quite quickly, and it's probably best to involve the customer's PCI QSA in the design. A couple of months back I was asked to comment on a pure XenServer environment for mixed-mode operations, and the customer-accepted solution required both VLANs and OVS policy definition to secure cardholder data and meet the QSA goals. Read that as "it's quite complicated and prone to opinions rather than hard standards".
-tim

On Thu, Apr 24, 2014 at 8:34 AM, Sebastien Goasguen <[email protected]> wrote:

> On Apr 22, 2014, at 5:52 AM, Uwe Kastens <[email protected]> wrote:
>
> > Hi there,
> >
> > That would be interesting for me as well
> >
> > Kind Regards
> >
> > Uwe
> >
> > 2014-04-21 19:31 GMT+02:00 Upendra Moturi <[email protected]>:
> >
> >> Hello Team,
> >>
> >> Has anyone worked on making CloudStack PCI compliant?
> >> Can you please point me to some documentation.
> >>
>
> Haven't worked on it and over my head, but that's a big question. I
> actually asked a friend on twitter :)
> The answer was interesting: "CloudStack can facilitate PCI compliance but
> not *be* PCI compliant"
>
> -sebastien
