Are you sure? I think that you may be mistaken. The bar is just set higher in a "virtualized environment"...
"In a public cloud environment, additional controls must be implemented to compensate for the
inherent risks and lack of visibility into the public cloud architecture. A public cloud environment
could, for example, host hostile out-of-scope workloads on the same virtualization infrastructure
as a cardholder data environment. More stringent preventive, detective, and corrective controls
are required to offset the additional risk that a public cloud, or similar environment, could
introduce to an entity’s CDE.
These challenges may make it impossible for some cloud-based services to operate in a PCI
DSS compliant manner. Consequently, the burden for providing proof of PCI DSS compliance for
a cloud-based service falls heavily on the cloud provider, and such proof should be accepted only
based on rigorous evidence of adequate controls."
Amazon getting a PCI compliance pass was a big deal. The last time I looked, you needed to be able to ensure secure access to the facility, enumerate who has physical access to the hardware and when, and things of that effect. And you need to be able prove all that in the event you're ever compromised.
> The last time I looked, you needed to be able to ensure secure access to the facility, enumerate who has physical access to the hardware and when, and things of that effect. And you need to be able prove all that in the event you're ever compromised.
None of that should be particularly difficult for a VPS provider as large as Linode.
"In a public cloud environment, additional controls must be implemented to compensate for the inherent risks and lack of visibility into the public cloud architecture. A public cloud environment could, for example, host hostile out-of-scope workloads on the same virtualization infrastructure as a cardholder data environment. More stringent preventive, detective, and corrective controls are required to offset the additional risk that a public cloud, or similar environment, could introduce to an entity’s CDE.
These challenges may make it impossible for some cloud-based services to operate in a PCI DSS compliant manner. Consequently, the burden for providing proof of PCI DSS compliance for a cloud-based service falls heavily on the cloud provider, and such proof should be accepted only based on rigorous evidence of adequate controls."
From: https://www.pcisecuritystandards.org/documents/Virtualizatio...
Amazon:
http://aws.amazon.com/security/