PCI DSS standard has not cleared all of the confusion
The new Payment Card Industry Data Security Standard was written to clear up confusion that arose when data centers began turning their physical servers into virtual devices. The prior PCI DSS standard had not stated whether virtual servers were allowable under the data security protocol, and many companies were confused.
The PCI DSS 2.0 standard dictates that virtual servers are allowable under the security restrictions, but virtual machines on one device need to have a similar golden image and hypervisor to qualify as secure separate entities. Virtual machines also have to demonstrate significant separation from one another, ensuring data will not be passed between clients. This essentially means that credit card and other payment card industry information can be stored in virtual environments, but it still leaves a few questions regarding the reach and limitations of the virtualized server under PCI DSS 2.0, TechTarget reports.
Tim Connors, AT&T's director of cloud service, told the news source the new standard still leaves many grey areas up to the interpretation of auditors. For example, Connors wondered how data centers should deal with virtual machines linked to a server whose hypervisor has been designed to meet a different DSS security standard. He was also concerned with the standard's ability to address whether or not web, application and database servers need to be separated. Dealing with trunking network interfaces at the physical server level was also, according to Connors, a grey area in the PCI DSS 2.0 standard.
According to TechTarget, auditing policies prior to the new PCI DSS 2.0 standard varied widely. For all intents and purposes, the acceptance of virtualization depended almost entirely on getting a tech-savvy auditor who understood how virtualization works. Wes Baker, an infrastructure engineer for a retail company, told the news source audit processes would still vary based on the auditor, even though the new standard does allow some forms of virtualization.
"It all comes down to the interpretation of the person doing the auditing and what their knowledge is. It's extremely important to maintain documentation and diagrams of your physical infrastructure, logical virtual infrastructure, firewall configurations and firewall rules," Baker told TechTarget.
Roger Bearpark, head of IT for the London Borough of Hillingdon, told the news source that audit processes in the community's large data center have centered on educating auditors on what virtualization means, as most are still focused on the physical overlay and what they can tangibly see.
According to a recent report by LogRhythm and Redshift Research, the new PCI DSS 2.0 standard is expected to help companies achieve the security standards, despite some confusion about its limitations. The survey found most businesses in the UK had not adopted the previous PCI DSS standard because the regulations were unclear.