June 20, 2013
PCI compliance standards updated to support customer security
The PCI Data Security Standard was recently updated with new regulations to support virtualization in data centers that store customer information.
According to Hemma Prafullchandra, chief technology officer of HyTrust, the new standards deal explicitly with issues of virtualization, clarifying confusion that existed in previous versions of the regulatory system, eWeek reports. Previous rules required organizations to use only one primary function per server. As a result, web servers, database servers and DNS systems had to each have their own system for credit card applications.
Prafullchandra said the system made it difficult to regulate security standards for customer data stored on virtualized servers. In such an environment, many data servers could not be virtualized to hold multiple systems because the regulations were unclear in such an environment.
The upgrade comes as data center virtualization becomes a standard practice. This meant that many organizations experienced difficulties when storing customer information on their servers.
With the new PCI DSS standard, virtualized servers can contain multiple systems and still have only one primary function on the device. However, this is only allowed if the golden image used to create each virtual server contains the primary function. Subsequently, a virtual web server and a virtual database server can run simultaneously on a physical machine. However, the same two devices can not be deployed simultaneously on one virtual device.
With the new standard clarified, companies can now move forward to virtualize their data centers and more efficiently store customer data. As businesses begin to move their storage systems onto the cloud, and subsequently into virtual servers, it is important that data centers are properly equipped to protect customer information. The lack of adequate regulations in the industry had been hampering growth, preventing businesses from updating their IT infrastructure.
According to the Register, the new standard is designed to make it easier for small businesses to adopt the industry's best practices. The system is designed to rely on a risk-based security system, and does not focus heavily on mandatory policies. Instead, the PCI DSS 2.0 standard gives companies best practice guidelines, providing a baseline for successful security protocols.
By creating a firm baseline, but not strictly demanding even higher standards of security, the PCI DSS 2.0 standard allows small businesses to choose a security solution they can manage and afford, while still remaining competitive with larger organizations.
