When faced with bringing virtualization into their Payment Card Industry (PCI) systems, many companies have learned they need help to ensure that they remain PCI-compliant once virtualization is part of the mix. Catbird Networks has stepped into the breach with its PCI Solution Guide, an addendum to a similar guide from VMware.
"This is the first time that there's been auditor-approved, actionable guidance for what you need to do to remain compliant," says Tamar Newberger, VP of Catbird, a virtualization security management vendor. "This is a very hot issue. People needed direction on how to implement a PCI-compliant, virtualized data center. With this you will pass your PCI compliance audit."
As virtualization spread, companies subject to PCI compliance found that virtualizing in-scope systems was possible, but that new procedures would be needed to maintain compliance.
"This has been a major [problem] for people who wanted to use virtualization or a private cloud for PCI," in terms of putting it all together and meeting the requirements, Newberger explains. "When you're virtualizing, you have mixed workloads, maybe with some trusted data and some non-trusted data at the same time. You don't have individual data silos anymore." Instead, workloads share the same hosts, which complicates the segmentation on which PCI scoping depends.
"That makes things more complicated for a PCI auditor, but it's completely doable if you know how to do it," says Newberger. "That's where this guide can help."
The line-by-line guide, which has been validated by a PCI Qualified Security Assessor (QSA), has been in the works for more than six months.
"Customers are becoming ready to virtualize sensitive systems, such as PCI payment processing," Parag Patel, VP of Global Strategic Alliances at VMware, said in a statement. "VMware is committed to helping regulated organizations move to a private cloud model by providing in-depth and validated guidance to the compliance community. Partners such as Catbird are important for this effort, integrating additional controls for segmentation, auditing, and automated evidence of control, in order to offer a complete solution to customers who are subject to PCI compliance."