Hi,
We're slowly moving through PCI compliance, and I've come across section 6.4.1.
The PCI Guidance documents guide for virtualisation states that "The implementation of a virtualised environment must meet the intent of all requirements, such that the virtualised systems can effectively be regarded as separate hardware..."
I thought we had pretty much done this, as our Test database server, seat server, credit card server etc. are all implemented as completely separate VMs. However, I recently read an article on TechTarget that gave me some worry.
This seems to indicate that I need a separate SAN to host my test environment or partition it off somehow. Has anyone else faced this problem who has virtualised their infrastructure, and has anyone had any advice from a QSA?
Thanks
Hi Simon,
The PCI Security Standards Council published a paper in June 2011 with much more detail regarding virtualization. What specifically constitutes compliance is probably going to vary from organization to organization; however, it may be helpful to read this: https://www.pcisecuritystandards.org/documents/Virtualization_InfoSupp_v2.pdf
Here is one quote that addresses SANs - this is on page 22:
Depending on the specific configuration and controls implemented, an entire SAN could potentially be in scope unless it is verified that all in-scope systems and data stores are isolated from all out-of-scope systems and data stores.
I don't know for certain, but I would assume what needs to be done is going to vary depending on the capabilities of the SAN itself and various interpretations of the PCI DSS standards.
Lastly, VMware has some useful links regarding PCI here: http://www.vmware.com/technical-resources/security/compliance/resources.html.
Thanks,
David
Hi David,
Thanks for the information, hopefully I will get a chance to review the information today and come up with a solution.