
Eric Siebert - More on PCI and Virtualization

Eric Siebert has responded to the announcement that VMware will now participate in the PCI council responsible for establishing the PCI-DSS standard. He identifies four improvements which, in his opinion, would bring the conversation about virtualization, and its use within the PCI community, to the level of viability needed to start addressing the more nuanced aspects. The four suggestions:

  1. Include virtual hosts in the scope of the PCI-DSS standard.
  2. Clarify the "one-primary-function-per-server" dictum in the standard.
  3. Expressly identify those security items and practices that are valid for BOTH virtual and physical hosts.
  4. Start the process of addressing virtual networks, independent of the virtualized host issues.

None of these, on their face, seem unreasonable to me. On the contrary, this seems to be a very thoughtful list, and without some of the drama that's accompanied the conversation. A good place to start. Vendors, PCI SSC and QSAs... please take note.

Adding virtualization to the PCI standard — Server Virtualization Blog

Earlier this month, I wrote about how the PCI standard was recently updated but still failed to take virtualization into account. Shortly after, VMware announced its participation in the PCI council to help address virtualization within the PCI data security standards. While this is certainly good news and will help tighten up the security standards around electronic credit card payments, the outcome of this announcement remains to be seen.  ...
