By Sue Zloth
Merchants who have been awaiting guidelines on how to process payment card data in a virtual environment no longer need to wait. The Virtualization Special Interest Group (SIG) for the PCI Security Standards Council (SSC) has just released the documents.
So whether you are in a virtual or in a traditional environment, the guidance is now clear: You must still adhere to PCI DSS requirements and you can’t hold back on security efforts.
Bob Russo, general manager of the PCI SSC, told InformationWeek, “If you’ve got to do them in the real world, you’ve got to do them in a virtualized world too.”
In a cardholder data environment, if virtualized technologies are used, PCI DSS requirements will apply as they would with technologies used in a traditional environment. Additionally, merchants are urged to understand the new risks associated with virtualization and address them accordingly.
The guidance also points out that there isn’t a one-size-fits-all method for configuring virtualized environments to meet PCI DSS requirements. Procedures will vary for each environment, according to how virtualization is used and implemented.
But merchants won’t have to start from scratch if they already store cardholder data in a virtualized environment. The guidance is a supplement to the requirements that merchants have been following and there are no new requirements.
This guidance is part of an effort by the Council to offer guidance on new technologies such as encryption, tokenization and virtualization. Merchants awaiting guidance on tokenization should expect to see guidance before the summer is over.






