People have asked if Virtual Servers can be used in a PCI DSS compliant environment or if they violate requirement 2.2.1 which says, “Implement only one primary function per server”.  The answer is that virtual servers, virtual clusters, and even cloud computing are perfectly acceptable within the confines of PCI DSS compliance as long as they are properly configured.  The operative question when discussing the use of any technology within a PCI DSS compliant environment is always “Yes, but is it properly configured to prevent abuse?”

Hoff and Siebert both posted this question here and here.  People may think that <insert latest technology here> will somehow prevent a company from being PCI DSS compliant, when in reality the compliance program is built around protecting cardholder data.  That technology you want to implement is probably fine as long as it doesn’t put cardholder data at risk.  But people focus in on that one requirement and then everything falls apart.

PCI DSS Requirement 2.2.1 is like the ‘force’ in Star Wars - it can be used for good or for evil.  Unfortunately, it is the single most abused requirement in the standard.  Some people, using it for evil, go as far as to say that DNS and WINS cannot reside on the same server.  This requirement is meant for situations when companies try to pile every service imaginable onto one computer, causing a situation that actually puts cardholder data at risk.  For example, if a retail store manager uses the back office PC that aggregates their credit card transactions as their personal workstation for browsing the Internet.  This is a unsafe practice and violates several PCI DSS requirements.

Virtualization is an emerging technology that enables companies to securely leverage one physical server to run multiple virtual systems.  This is beneficial in areas with limited physical space.  If a company can run four virtual systems and only use the physical space of one server they can reduce the cost of housing and maintaining excessive hardware.

Additionally, virtualization provides a number of administrative benefits such as centralized data storage and security, centralized configuration and patch management, and a number of other processes.  Companies can benefit from using virtualized systems but they must also consider how these systems segment access from one to the next.

Just as with PCI DSS Requirement 2.4 (shared hosting environment) and the question of what defines “adequate segmentation” one must examine the security systems that separate one virtual system from another.  Any form of segmentation, virtualization, or shared hosting environment is acceptable under PCI DSS as long as it prevents one set of systems or people from negatively impacting the security of other systems or people.  The delineation point for what defines “adequate” virtualization is any system that can properly prevent one virtual system from negatively impacting the security of cardholder data on another virtual system.  It is the responsibility of the implementor to verify that such controls are in place.

Virtualization will continue to grow in popularity and, properly configured, can be used to adhere to PCI DSS compliance.  The technology itself is not often the culprit of non-compliance, instead it is how the technology is implemented or installed that can cause both security and regulatory compliance mishaps.

Popularity: 28% [?]

If you didn’t receive a copy of The Aegis newsletter for May then you may not be subscribed.  Topics discussed were:

• The Growth of Mobile Payments
• Virtual Servers and PCI DSS Compliance
• Visa’s new OpRegs
• QSA Fact and Fiction
• Industry Events and Happenings

Popularity: 22% [?]

Today the 500th member joined the PCI Forum where people from across the industry and around the globe meet to discuss issues related to PCI compliance.

The lucky 500th person was a merchant who we added to the Merchant Only area.  This is a private forum only accessible by vetted merchants.  While most merchants choose to post their questions in the public area, there are some who want more discretion.

As always, we have our email address and phone number listed on this website.  I don’t know many other places where you can call an industry expert and talk to a live person.  I personally field calls from merchants, service providers, and security people - some calling as far away as France and Hong Kong!

Popularity: 30% [?]

I hear through the grapevine that Baysec is this Wednesday evening at 19:00 at the usual spot, Pete’s Tavern.  Why don’t we have it at Zeitgeist, where it used to be held?  I love that place.

(Martin, I know you gave up on me for missing last time, but Jennifer reminded me so I’m going to crash the event.)

Popularity: 19% [?]

I’ve posted before but I want to remind everyone on the Security Bloggers Network (via FeedBurner) that there is a Facebook Security Bloggers group!

Also, for those interested, there is a PCI DSS Facebook group as well.

Ok, ok, there’s also an InfraGard Facebook group. And with that I’ll stop.

Popularity: 19% [?]

Apologies to all our readers in Europe and Asia.  We had some downtime due to a bad NFS file handler on the web server.  This is pretty rare and was fixed after a few hours.  The website is back up and running.  Otherwise I would have had information to you sooner about the newly released SAQ.

Popularity: 19% [?]

Today the 400th member joined the Aegenis PCI Discussion Forum.  This is quickly becoming the #1 online forum for quality PCI discussions and information.  Every day there are hundreds of hits from action members and between 5-15 active threads.

We have posted “hot” threads to the blog before, but just remember that what you see here is just a fraction of the collaborative conversation and  information exchange that goes on in the Forum.

Popularity: 16% [?]

Today I checked the blog stats page and it seems we just broke the 100,000 views mark.  This is the number of people who love this since since we moved from the Wordpress.com site.  Readership is growing in both the blog and the forum.

I’m happy to extend a great thanks to all the people who have helped post answers to the blog/forum.  These people and their answers are what help people with their compliance efforts.

Popularity: 15% [?]

If you did not read it, check out the December Aegis newsletter. You can also get this via email here.

Topics included:

• Addition of regulatory compliance forum - so far there has been discussions on Minnesota Plastic Card Security Act, FACTA, and others.
• Vendor Wishlist for 2008
• Payment Application Data Security Standard (PABP) deadlines
• List of upcoming industry events

January’s issue included:

• New regulatory laws for 2008
• Framing the compliance conversation
• Vulnerability scanning as a brick in the framework
• Addition of Shelley Johnson (bio) joined Aegenis as VP of Training and Instructional Design
• List of upcoming industry events

Popularity: 14% [?]

We have updated the forum software, which we do regularly, to prevent attacks and be good security people like we should. We do this periodically with no visible difference, but like to think it’s a nice reminder of PCI DSS requirement 6.1.

Here are a list of the forums top-post conversations:

• Hashing vs Encryption
• CVV2 and voice recordings
• Application layer firewall with other conversations here and here

There is lots of clarification on issues that I have not seen anywhere else.  In fact, this forum is quickly becoming the largest and de facto place place to discuss the payment card industry.  I remember vividly at the PCI SSC Community Meeting in Toronto when participants kept referencing it.

Popularity: 21% [?]