Today, with a nod to the millions of merchants worldwide that accept credit card payments, VMware Inc. announced that it has joined the Payment Card Industry Security Standards Council (PCI SSC) to build awareness of virtualization into forthcoming versions of the PCI standards.
With its entrance into PCI SSC, VMware hopes to address confusion about whether virtual environments comply with existing standards for data security. "Right now, from an audit perspective, there is confusion around if someone wants to use virtualization, if it can be used in a PCI-compliant environment," said Bill Hau, the vice president of Foundstone Professional Services, a division of security vendor McAfee.

Bringing PCI DSS into the virtual world
Founded by the major card brands, including American Express, Discover, JCB International, MasterCard and Visa, PCI SSC administers the PCI Data Security Standard (PCI DSS), a set of requirements that merchants and service providers handling cardholder data must follow to safeguard that data. As part of that group, VMware's plan "is to show how certain regulations might need to be adapted to take advantage of virtualization," said Shekar Ayyar, VMware vice president of infrastructure alliances.
More to the point, VMware partners said that they hoped VMware's presence in the credit card data standards group would help clarify a pressing question: Can virtualized environments be PCI compliant? According to Hau, "some security departments are saying no," which presents problems for companies handling sensitive data while also striving for the benefits of virtualization.

And in fact, some of the provisions in PCI DSS appear to be antithetical to virtualization. A central example is Requirement 2.2.1, which directs merchants to "implement only one primary function per server." In traditional, nonvirtualized environments, Requirement 2.2.1 is interpreted to mean running your Web server, application server, database server, etc., all on separate dedicated machines. But with virtualization, that interpretation breaks down, since the hypervisor gives multiple systems logical separation even as they share the same underlying hardware, Hau explained.

While many PCI auditors (known as qualified security assessors, or QSAs, in PCI-speak) will certify virtualized systems as compliant, not all do, said Dave Shackleford, a former QSA and the director of Configuresoft's Center for Policy and Compliance, the company's research and analysis arm. Right now, "it's left to the subjective guidance of an auditor as to whether they feel that the environment meets PCI compliance," Shackleford said. That lack of clarity "doesn't give you the full warm and fuzzies, that's for sure."

Among merchants, auditors and security vendors, the hope is that future versions of PCI DSS will be more explicit about how to properly secure virtualized systems. As it stands, PCI DSS is remarkably devoid of references to virtualization, said Eric Siebert, a senior systems administrator at restaurant chain Boston Market Corp. of Golden, Colo., even though the standard was just updated this October.
But with VMware's participation in the PCI group, Configuresoft's Shackleford said he thought the group would address virtualization over the next 12 months in the form of an addendum. "I don't think that they'll wait until 1.3," he said, noting that the gap between PCI DSS 1.1 and 1.2 was two years. "They're getting inundated by some of the biggest customers for guidance on this."