I've made no secret of my displeasure with the PCI Security Standards Council's lack of initiative when it comes to addressing the challenges and issues associated with virtualization and PCI compliance*.
My last post on the topic brought to light an even more extreme example of the evolution of virtualization's mainstream adoption and focused on the implications that cloud computing brings to bear when addressing the PCI DSS.
I was disheartened to find that, upon inquiring as to the status of the formation of and participation in a virtualization-specific special interest group (SIG), the SSC's email response to me was as follows:
Thank you for contacting the PCI Security Standards Council. At this
time, there is currently no Virtualization SIG. The current SIGs are
Pre-Authorization and Wireless.
Please let us know if you are interested in either of those groups.
The PCI Security Standards Council
From: Christofer Hoff [mailto:firstname.lastname@example.org]
Sent: Wednesday, October 29, 2008 12:58 PM
To: PCI Participation
Subject: Participation in the PCI DSS Virtualization SIG?
How does one get involved in the PCI DSS Virtualization SIG?
The follow-on email to that said there were no firm plans to form a virtualization SIG. <SIGh>
So assuming that was the carrot approach, I'm happy to see that VMware has taken the route that only money, influence and business necessity can bring: the virtualization vendor 'stick.' To wit (and a head-nod to David Marshall):
As a participating organization, VMware will now have access to the latest payment card security standards from the council, be able to provide feedback on the standards and become part of a growing community that now includes more than 500 organizations. In an era of increasingly sophisticated attacks on systems, adhering to the PCI DSS represents a significant aspect of an entity’s protection against data criminals. By joining as a participating organization, VMware is adding its voice to the process.
“The PCI Security Standards Council is committed to helping everyone involved in the payment chain protect consumer payment data,” said Bob Russo, general manager of the PCI Security Standards Council. “By participating in the standards setting process, VMware demonstrates it is playing an active part in this important end goal.”
Let's see if this leads to the formation of a virtualization SIG or at least a timetable for when the DSS will be updated with virtualization-specific guidelines. I'd like to see other virtualization vendors also become participating organizations in the PCI SSC.
* Here are a couple of my other posts on PCI compliance and virtualization:
- All Your Virtualized PCI Compliance Are Belong To Us
- Risky Business -- The Next Audit Cycle: Bellweather Test for Critical Production Virtualized Infrastructure