Sunday, Nov 09, 2008

PCI DSS 1.2 and the On-going Conversation about Virtualization

While cruising through the feed-reader, I came upon Eric Siebert's recent post regarding the release of the Payment Card Industry's Data Security Standard (PCI DSS), version 1.2. Eric notes that "... the specification dictates what must be done to secure a server that may store or process cardholder data, but if that server happened to be a virtual guest the host server would not be considered in the scope of the specification." He then wonders (out loud) what could be the cause for this lack of attention (see quote below).

This post reminded me of a conversation I had in August with Scott Loftesness of Glenbrook Partners, who arguably knows more about technology and the payment card industry than any five persons on the face of the planet.  He pointed me to this article as to why failure of PCI DSS 1.2 to address virtualization won't matter.  The author, David Taylor, is certainly no slacker.  He's the VP Data Security Strategies at Protegrity, as well as the founder of the PCI Knowledge Base, Research Director of the PCI Alliance, and a former E-Commerce & Security analyst with Gartner.  He takes a pragmatic approach, urging the reader to not wait for standards, and is pretty clear that he's a believer in the value of virtualization.  But there still seems to be some "buck passing."  He seems to be saying to the merchants who are subject to the PCI DSS standards:

  • You need to prove to an assessor that virtualization is secure enough to pass PCI audits.
  • You need to cost-justify the amount of money required to do so.
  • You need to push on your application software vendors to warrant the security and functionality of their products in virtualized environments ... something they, apparently, are often unwilling to do.

To the first point, it seems to me that best practices, standards and compliance tools or other means by which assessors can address the issue with uniformity are necessary.  There are a number of security specifications for virtual hosts (one of which Eric Siebert references in his post), which, if adopted, would be a reasonably objective basis for the standards and best practices.

With these standards in place, there seems little reason why the application vendors could not address the issues of security with respect to the use of virtualized infrastructure (the hosts and networks) as well as the virtualization of the applications themselves.

This same tale is going to be told multiple times. It's not just about PCI; it will also impact standards and regulations like Sarbanes-Oxley, as well as (here it comes) the standards for data security and processing security in SaaS and IaaS environments ... Yes, I mean "cloud computing." The PCI industry has a chance to do this right up front, without the buck passing. I think I'm with Eric on this one.

Update:

Seems that while I was heads-down with Replicate's product launch, I missed Christofer Hoff's post on PCI, virtualization and clouds. Once I get out from under, I'll get caught up and join the fray.

Just to be clear -- I agree with most of the points that David Taylor has made, but to follow along with his reference to the OSI standards vs. the TCP/IP development of standards ... what we're missing today is the moral equivalent of the TCP/IP definitions of best practice and standard. If the PCI DSS folks won't step up to it, let's figure out who will.

PCI Data Security Standard updated, but still does not address virtualization — Server Virtualization Blog

I am puzzled as to why they would continue to ignore virtualization. After all, isn’t just about every company virtualizing in some fashion these days? Are the people that write the specification parameters just ignorant of what virtualization is, and that it has a direct impact on their regulations? Or are they just trusting that we are all securing our virtual hosts properly and there is no need to address them? If that’s the case then they have misplaced a critical amount of trust as I am sure there are a great many virtual environments that are not properly secured. Likewise, ignoring virtualization completely greatly reduces the effectiveness of their efforts to secure environments that deal with cardholder data. It’s essentially fortifying everything within a castle, but leaving the front gate open.

StorefrontBacktalk - Why PCI 1.2 Ignoring Virtualization Won't Matter

... The issue is more than just PCI compliance. It's about reliability, performance and data integrity. The point is that deciding whether to deploy virtualized servers broadly throughout the enterprise should not hinge on PCI compliance. Once the larger application and management issues are addressed to the satisfaction of the head of IT infrastructure, and the controls documentation is put in place, then PCI compliance becomes a minor issue by comparison.
