At the end of last month, the Payment Card Industry Data Security Standard was updated to version 2.0, confirming that payment card industry information can be stored in virtual environments. However, issues such as trunking network interfaces on a physical host and running multiple DSS-scoped systems on one server remain unclear, Tim Connors, AT&T's director of cloud service, told SearchServerVirtualization.com.
Using a hosted server environment is popular in the payment card industry, as companies store a considerable amount of customer data on servers. However, virtualization creates a complex environment in which multiple devices exist simultaneously on one physical server. The PCI DSS has tried to clarify whether a virtual server constitutes a separate machine, but the standard is still somewhat confusing.
At its core, the PCI DSS standard dictates that virtual servers on one physical machine can be considered separate devices if the hypervisor and golden image used to create the virtual environment are similar in design. The system, however, lacks clarity. Infrastructure engineer Wes Baker, who works for a retail organization, told SearchServerVirtualization.com that passing an audit to meet PCI DSS standards depends more on choosing a virtualization-savvy auditor than meeting specific requirements.
The essential problem with the PCI standard is that it only mentions virtualization and does not truly engage with the technology, SearchServerVirtualization.com reports. As virtualization continues to grow in hosted environments, the PCI DSS is not equipped to handle it. The current standard will not be mandatory until 2012, and it could be out of date by then.