In recent years, the technology of virtualization and cloud computing has received rapid development, and many organizations and enterprises have begun to apply the virtualization technology to the construction of information system of their own. The Security Standard Committee of Payment Card Industry (PCI) points out in a new edition v2.0 of Data Security Standard (DSS) in 2010 that “a system assembly components for evaluating PCI DSS compliance comprises all the virtualized assemblies”, and the explicit wording of “virtualization” has also appeared under item 2.2.1. These updates have made it clear that the virtualization technology can be used in a Cardholder Data Environment (CDE). The virtualization board of the committee has also issued a PCI DSS virtualization guideline, which also provides basis for using virtualization technology in the construction of payment applications.
Payment applications provide the cardholder with various means of payment service. Since the transmission content of business data thereof relates to sensitive information such as bank card number and password of the user, etc., the security of payment applications becomes very important for users. In order to reduce the possibility of data leakage as much as possible, the entities such as merchants and bill-to party or the like which execute payment applications must execute a security auditing program of PCI so as to ensure compliance with demands of PCI DSS, i.e., executing compliance detection. According to relevant laws and regulations and industrial standards, the compliance detecting method in a new environment (especially a virtualized environment) is studied so as to help enterprises or entities in finding currently existing non-compliance state timely, thus ensuring the security of payment applications in a virtualized environment and better protecting data security of cardholder.
However, existing compliance detecting methods are mainly designed for conventional information system architectures, and a virtualization assembly is not considered in the system assembly; with the rapid development of virtualization technology, a plurality of virtual machines can be installed on the same one physical machine, which, at the same time of improving utilization of resources, also brings about a new security risk, thus having a corresponding influence on the compliance of PCI DSS. The isolation demand of PCI DSS mainly requires a configuration of firewall and router so as to restrict a connection between a non-trusted network and a system assembly of cardholder data environment. Due to the complexity of virtualized environment, a virtual network connection may exist between host computers or in the interior of host computer so that a communication between virtual machines in a cardholder data environment may not be conducted via the physical network at all; moreover, the boundary between a trust network and a non-trusted network may be varied dynamically. Therefore, the existing compliance detecting methods may be no longer appropriate to a virtualized environment.