When The Carrot Doesn’t Work, Try a Stick: VMware Joins PCI SSC…
I've made no secret of my displeasure with the PCI Security Standards Council's lack of initiative when it comes to addressing the challenges and issues associated with virtualization and PCI compliance*.
My last post on the topic brought to light an even more extreme example of the evolution of virtualization's mainstream adoption and focused on the implications that cloud computing brings to bear when addressing the PCI DSS.
I was disheartened to find that, upon inquiring as to the status of the formation of and participation in a virtualization-specific special interest group (SIG), the SSC's email response to me was as follows:
Thank you for contacting the PCI Security Standards Council. At this
time, there is currently no Virtualization SIG. The current SIGs are
Pre-Authorization and Wireless.
Please let us know if you are interested in either of those groups.
Regards,
The PCI Security Standards Council
-----Original Message-----
From: Christofer Hoff [mailto:choff@packetfilter.com]
Sent: Wednesday, October 29, 2008 12:58 PM
To: PCI Participation
Subject: Participation in the PCI DSS Virtualization SIG?
How does one get involved in the PCI DSS Virtualization SIG?
Thanks,
Christofer Hoff
The follow-on email to that said there were no firm plans to form a virtualization SIG. <SIGh>
So assuming that was the carrot approach, I'm happy to see that VMware has taken the route that only money, influence and business necessity can bring: the virtualization vendor 'stick.' To wit (and a head-nod to David Marshall):
VMware, the global leader in virtualization solutions from the desktop to the datacenter, announced today that it is joining the PCI Security Standards Council. As a participating organization, VMware will work with the council to evolve the PCI Data Security Standard (DSS) and other payment card data protection standards. This will help those VMware customers in the retail industry who are required to meet these standards to remain compliant while leveraging VMware virtualization. VMware has also launched the VMware Compliance Center Web site, an initiative to help educate merchants and auditors about how to achieve, maintain and demonstrate compliance in virtual environments to meet a number of industry standards, including the PCI DSS.
As a participating organization, VMware will now have access to the latest payment card security standards from the council, be able to provide feedback on the standards and become part of a growing community that now includes more than 500 organizations. In an era of increasingly sophisticated attacks on systems, adhering to the PCI DSS represents a significant aspect of an entity's protection against data criminals. By joining as a participating organization, VMware is adding its voice to the process.
"The PCI Security Standards Council is committed to helping everyone involved in the payment chain protect consumer payment data," said Bob Russo, general manager of the PCI Security Standards Council. "By participating in the standards setting process, VMware demonstrates it is playing an active part in this important end goal."
Let's see if this leads to the formation of a virtualization SIG or at least a timetable for when the DSS will be updated with virtualization-specific guidelines. I'd like to see other virtualization vendors also become participating organizations in the PCI SSC.
/Hoff
* Here are a couple of my other posts on PCI compliance and virtualization:
- All Your Virtualized PCI Compliance Are Belong To Us
- Risky Business — The Next Audit Cycle: Bellweather Test for Critical Production Virtualized Infrastructure
Hey Chris,
I'll be interested to see what their announcement leads to. Ironically I just wrote another PCI rant a few days before they made the announcement. http://servervirtualization.blogs.techtarget.com/…
Eric