The PCI Security Standards Council today released new guidance to help merchants understand and mitigate the security risks of virtual environments. While virtualization offers great benefits such as cost reduction and infrastructure efficiency, it also comes with new risks. As more businesses adopt virtualization, it is essential to ensure those systems and services comply with PCI DSS.
The PCI DSS Virtualization Guidelines Information Supplement focuses on the different classes of virtualization, how virtualization and cloud computing differ, and how virtual environments should be deployed to comply with PCI DSS.
The paper addresses four principles of using virtualization and meeting PCI standards:
- If virtualization technologies are used in a cardholder data environment, PCI DSS requirements must be applied
- Virtualization technologies introduce new risks that may not be relevant to other technologies
- Businesses must perform thorough due diligence to identify and document their virtualized implementations, including all interactions with payment transaction processes
- Depending upon how virtualization is used and implemented, specific controls and procedures will vary for each environment.
When it comes to securing data in a virtualized environment there isn’t a one-size-fits all solution. And there will be some virtualized or cloud environments that will not be suitable for PCI data. However, the report provides several guidelines to minimize risk. The 12-part DSS standard that requires the use of firewalls, encryption, prohibition of direct public access to the Internet, system hardening, deploying antivirus, and two-factor authentication for remote access, logging, and intrusion-prevention systems, must all be applied in virtual and cloud environments.
Experts claim that it is possible to implement PCI compliance in a virtual environment; however, professional guidance and technology partnerships are essential to minimizing risks. A technology partner can perform a PCI gap assessment that addresses specific requirements for application, network, physical and database compliance.
Ignoring PCI compliance is not an option. Businesses that do not comply with the PCI DSS mandate that businesses proactively protect customer credit card data risk facing penalties such as fines, increased transaction fees, or losing the right to access a payment card network’s resources. As a trusted IT partner, ACE IT Solutions helps businesses reduce compliance risk, lower vulnerability and streamline their security processes. As part of our methodology, we perform a customized PCI gap assessment to determine our client’s current compliance level and outline the specific steps required to achieve PCI compliance – including virtual and cloud environments.
For more information, visit the PCI Security Standards Council website.