Research on PCI DSS Compliance Detection Mechanisms for Payment Card Business Systems in Virtualized Environments
【Author】 Zhou Yu;
【Supervisor】 Wu Chengrong;
【Author information】 Fudan University, Computer Application Technology, 2013, Master's degree
【Abstract】 In recent years, virtualization technology has developed rapidly thanks to its advantages in improving resource utilization and reducing costs, and it has also driven the rapid growth of cloud computing. More and more enterprises and organizations are building their information systems on virtualized platforms or migrating existing traditional information systems to them. These include some financial institutions, which have begun building payment card business systems in virtualized environments. While virtualization brings convenience, it also introduces new security risks. PCI DSS is a security standard developed by the Payment Card Industry Security Standards Council to protect cardholder data; how to make a payment card business system in a virtualized environment satisfy the PCI DSS requirements, and prove the system's compliance through an appropriate detection mechanism, has become an urgent problem, since otherwise the cost-saving and efficiency advantages of virtualization lose their meaning. By interpreting the detailed security requirements of PCI DSS and referring to the PCI virtualization guidelines, this thesis analyzes the impact of virtualization technology on each PCI DSS requirement; introduces the security measures some organizations currently adopt to achieve PCI DSS compliance in virtualized environments; and studies related technologies that can be used for compliance detection. On this basis, for several specific PCI DSS requirement clauses, two automated detection mechanisms are designed to determine whether the payment card business system currently satisfies those clauses. They reduce the manual work in the PCI DSS compliance detection process and improve the efficiency and accuracy of detection; at the same time, they raise alerts on non-compliant behavior that violates the clauses, strengthening the security of the system and better protecting cardholder data.
【Abstract】 In recent years, virtualization technology and cloud computing are developing rapidly due to the advantages in improving resource utilization and reducing costs. More and more organizations start to construct their information systems on a virtualized platform, or migrate the original information systems to a virtualized platform. Especially, some financial institutions build the payment card systems in a virtualized environment. On the other hand, virtualization also brings some new security risks. As a security standard designed to protect cardholder data by the Payment Card Industry Security Standards Council, PCI DSS is influenced seriously by virtualization. So how to meet the requirements of the PCI DSS and prove compliance through appropriate detection mechanisms needs to be solved. Otherwise, the cost savings and efficiencies promised by virtualized infrastructure may be erased by increased security risk and the huge efforts that must be put toward achieving and proving compliance. In this paper, I read the security requirements of PCI DSS and refer to the PCI DSS virtualization guidelines. Then I analyze the effects on PCI DSS because of the utilization of virtualization technology in payment card systems and introduce some security measures proposed in order to meet PCI DSS compliance in a virtualized environment. I also do some research on related technologies that can be used for compliance testing. Based on these works, I design two automated detection means to prove whether the system currently meets the specific items of the PCI DSS. It reduces the manual testing work and improves the efficiency and accuracy of compliance detection. At the same time, it helps the organizations to find out the non-compliant operations in time, enhances the security of the system and protects the cardholder data much better.