As Companies Approach the January 1, 2012 PCI DSS 2.0 Compliance Deadline, a New Information Supplement Provides Guidance on the Scoping, Controls Necessary and Testing Procedures for Virtual Environments.
This post was also written by Chris Cwalina, Dan Herbst and Amy Mushahwar.
On Tuesday, June 14, the PCI Security Standards Council, the body that administers the Payment Card Industry Data Security Standard (PCI DSS), released a comprehensive set of guidelines for PCI compliance in virtualized cardholder data environments. The Council’s 39-page guidance document (available at https://www.pcisecuritystandards.org/security_standards/documents.php) describes in detail how each of the 12 PCI DSS requirements applies when the cardholder data environment is virtualized. The document, which was over two years in the making, provides clearer guidance on how organizations can deploy virtualized environments in a secure fashion.
As background, before virtualization, the standard computing model was one physical computer running one operating system, together with that computer’s applications and resources. Virtualization technologies let IT teams combine or divide computing resources: many computing systems can be unified into one operating environment, or one physical server can be partitioned into several virtual machines. Virtualization underpins applications across a wide range of areas, such as virtual test environments, server consolidation, support for multiple operating systems, system migration and cloud computing. Given the variety of virtualization flavors and applications, the Council recognized in its guidance that there is “no one-size-fits-all method or solution to configure virtualized environments[.]”