PCI DSS in the cloud, coming soon?
During the ramp-up to PCI DSS version 2.0 (the most recent release of the Payment Card Industry Data Security Standard) there were several well-known big issues, such as end-to-end encryption, on which people wanted guidance. Virtualization was at the top of that list.
While PCI DSS 2.0 has cleared up some cloud issues, a lot is left to be determined, and many expect the PCI Security Standards Council to issue watershed guidance on virtualization and cloud in 2011.
Still, the most recent standard, issued last month, clarified that servers used for a single purpose can be virtualized, "provided there is adequate segmentation to prevent PCI data from intermingling with other enterprise data."
The bottom line is that processing credit card transactions in a PCI DSS-compliant way on cloud infrastructure is legitimate. But is it practical? In many cases, the answer is not yet.
One expert tells SearchSecurity.com that getting PCI compliant on public clouds "is technically possible but difficult in practice." Large merchants may have the resources to do this. But smaller companies may be challenged to write the custom code and build the specific solutions that make it possible.
So the best bet for many companies right now may be to wait until cloud providers, public and hybrid, come up to speed on the compliance aspects. One group has taken a stab at a reasonable architecture for how this might work. PCI DSS cloud compliance, then, is only just becoming a reality, which puts mass adoption sometime in the future.
Related Articles:
Growing pains for the PCI-DSS
Will critics be satisfied with PCI-DSS 2.0?
Cloud security issues linger, but usage still soars
Tokens and encryption to save PCI-DSS?