• Replies 4 replies
  • Subscribers 339 subscribers
  • Views 11 views
  • Users 0 members are here
Related

Virtualised Production / Test Environment and PCI Compliance

Simon Davidson
$organization

Hi,

Were slowly moving through PCI compliance, and I've come across section 6.4.1

  • Seperate development / test and production environments

The PCI Guidance documents guide for virtualisation states that "The implementation of a virtualised environment must meet the the intent of all requirements, such that the virtualised systems can effectively be regarded as seperate hardware..."

I thought we had pretty much done this, as our Test database server, seat server, credit card server etc are all implement as completely seperate VM's.  However I recently read an article on TechTarget that gave me some worry.

  •  Another potential problem is that you cannot share production environments with test and development environments. Virtualization makes it easy to have test and dev VMs running on the same hosts with the same storage devices as production VMs, but PCI DSS 2.0 does not allow that.

This seems to indicate that I need a seperate SAN to host my test environment or partition it off some how.  As anyone else faced this problem who has virtualised their infrastructure and has anyone had any advice from a QSA?

Thanks

Parents Reply Children
  • $organization in reply to MJ Bavaret

    I was hoping we could partition the storage array and host the test environment seperately.  But it also raises the question, do I have to implement a seperate VLAN to achieve the "adequate seperation" component.  And then you could take it a step further, do I need to host it on its own AD forest with its own Domain controller that has trust setup between the main forest.

    I'm hoping that example is taking it to the very extreme, and trying to find out what other people have implemented.....