VMware Takes Virtualization Discussions into Realm of PCI Compliance

VMware has joined the PCI Security Standards Council in a bid to get language dealing specifically with virtualization added to the Payment Card Industry Data Security Standard. The lack of guidance on the issue has been a challenge for retailers as adoption of virtual environments has grown, according to VMware.

The honeymoon may soon be over for any retailers that have not extended their attention to the Payment Card Industry Data Security Standard to cover their virtual environments.

VMware announced today it has joined the PCI Security Standards Council in a bid to have specifics related to virtualization included in the Payment Card Industry Data Security Standard (PCI DSS), as well as to spread awareness of how the technology can help enhance security and compliance.

It's no secret that virtualization is spreading among businesses. Despite its growth, however, there is still nothing in the PCI standard that specifically mentions virtual hosts and networks. On its own, VMware has sought to bridge that gap by disseminating information through its VMware Compliance Center via whitepapers and podcasts.

The lack of guidance in the regulation itself has led to confusion among merchants, explained Shekar Ayyar, vice president of infrastructure alliances at VMware.

"When it comes to compliance-related domains, PCI being one of them, it is still somewhat of a...gray area where there's not a whole lot of understanding of what that is, whether it's from the standards council standpoint or whether it is from the auditor's standpoint," he said. "What we are looking to do is really...articulate more clearly what first of all virtualization as an architecture and an infrastructure can enable and how compliance auditors as well as rule-makers need to be thinking about that."

He added that technologies VMware is working on, such as the VMsafe API, can have a sharp influence on compliance and enforcement.

"So that's kind of the driving force behind doing this...their version 1.2 of the [regulation] for example still doesn't really talk about virtualization, so the hope is that through closer engagement and by working with them as part of the council we will be able to bring more awareness to that as we go forward," Ayyar said.

As a member of the council, VMware will have access to the latest payment card security standards from the council and be able to provide feedback.

"The PCI Security Standards Council is committed to helping everyone involved in the payment chain protect consumer payment data," said Bob Russo, general manager of the PCI Security Standards Council, in a statement. "By participating in the standards setting process, VMware demonstrates it is playing an active part in this important end goal."