When The Carrot Doesn't Work, Try a Stick: VMware Joins PCI SSC...

I've made no secret of my displeasure with the PCI Security Standards Council's lack of initiative when it comes to addressing the challenges and issues associated with virtualization and PCI compliance*. 

My last post on the topic  brought to light an even more extreme example of the evolution of virtualization's mainstream adoption and focused on the implications that cloud computing brings to bear when addressing the PCI DSS.

I was disheartened to find that upon inquiring as to status of the formation of and participation in a virtualization-specific special interest group (SIG,) the SSC's email response to me was as follows:

On Oct 29, 2008, at 1:24 PM, PCI Participation wrote:

Hello Christofer,

Thank you for contacting the PCI Security Standards Council. At this
time, there is currently no Virtualization SIG. The current SIGs are
Pre-Authorization and Wireless.

Please let us know if you are interested in either of those groups.

Regards,
The PCI Security Standards Council

-----Original Message-----
From: Christofer Hoff [mailto:choff@packetfilter.com]
Sent: Wednesday, October 29, 2008 12:58 PM
To: PCI Participation
Subject: Participation in the PCI DSS Virtualization SIG?

How does one get involved in the PCI DSS Virtualization SIG?

Thanks,

Christofer Hoff

The follow-on email to that said there were no firm plans to form a virtualization SIG. <SIGh>

So assuming that was the carrot approach, I'm happy to see that VMware has taken the route that only money, influence and business necessity can bring: the virtualization vendor 'stick.'  To wit (and a head-nod to David Marshall:)

VMware is Joining PCI Security Standards Council as Participating Organization

VMware, the global leader in virtualization solutions from the desktop to the datacenter, announced today that it is joining the PCI Security Standards Council. As a participating organization, VMware will work with the council to evolve the PCI Data Security Standard (DSS) and other payment card data protection standards. This will help those VMware customers in the retail industry who are required to meet these standards to remain compliant while leveraging VMware virtualization. VMware has also launched the VMware Compliance Center Web site, an initiative to help educate merchants and auditors about how to achieve, maintain and demonstrate compliance in virtual environments to meet a number of industry standards, including the PCI DSS.

As a participating organization, VMware will now have access to the latest payment card security standards from the council, be able to provide feedback on the standards and become part of a growing community that now includes more than 500 organizations. In an era of increasingly sophisticated attacks on systems, adhering to the PCI DSS represents a significant aspect of an entity’s protection against data criminals. By joining as a participating organization, VMware is adding its voice to the process.

“The PCI Security Standards Council is committed to helping everyone involved in the payment chain protect consumer payment data,” said Bob Russo, general manager of the PCI Security Standards Council. “By participating in the standards setting process, VMware demonstrates it is playing an active part in this important end goal.”

Let's see if this leads to the formation of a virtualization SIG or at least a timetable for when the DSS will be updated with virtualization-specific guidelines.   I'd like to see other virtualization vendors also become participating organizations in the PCI SSC.

/Hoff

* Here are a couple of my other posts on PCI compliance and virtualization:

• All Your Virtualized PCI Compliance Are Belong To Us
• Risky Business -- The Next Audit Cycle: Bellweather Test for Critical Production Virtualized Infrastructure