PCI DSS 2.0 Compliant Clouds Reference Architecture Updated By Industry Leaders

HyTrust, Inc., the leader in access control and policy management for virtualization infrastructure, today announced the publication of a newly updated reference architecture for Payment Card Industry Data Security Standard (PCI DSS) 2.0 compliant clouds. The update is based upon new requirements that must be met by a January 1, 2012 deadline.

Following months of collaboration, industry leaders HyTrust, VMware, Savvis, Trend Micro, Cisco and Coalfire, all core members of the PCI DSS Virtualization Special Interest Group (vSIG), have published a white paper that outlines the new configuration guidelines and provides a comprehensive “best practices” reference architecture. Implemented and tested in a Savvis advanced-technology lab, the reference architecture is optimized to address the unique challenges of virtualization and cloud environments.

The report alleviates the burden of the impending PCI DSS 2.0 deadline on organizations facing these requirements—primarily financial services, retailers, payment processors and acquirers, which leverage virtualization technology for their cardholder data environments (CDE)—and enables them to move forward quickly with their compliance strategies.

“The need for greater security is clear,” said Eric Chiu, president and co-founder, HyTrust. “PCI DSS 2.0 allows ‘system components’ to be physical or virtual. That significant shift in posture enables more organizations to benefit from the use of virtualization. However, it simultaneously adds complexity and the need for an entirely new layer of security. Thus, the standard requires organizations to do even more to secure their environments and mitigate the risks.”

Kennet Westby, CEO of Coalfire, a leading Qualified Security Assessor (QSA) organization, said, “As the industry increases the adoption of virtualization, the next logical step is to move to a private cloud environment. With the deadline for PCI DSS 2.0 compliance rapidly approaching, organizations that have implemented virtual infrastructures in their cardholder data environments must prove they have adequate controls in place.”

Westby continued: “As we stated last year, PCI DSS represents a minimum baseline of security controls that are being adopted not only in payment environments, but also in other industry verticals such as healthcare, banking, local, state and Federal government. The update of this reference architecture addresses some of the common challenges organizations face, and how leading providers such as HyTrust, VMware, Savvis, Trend Micro and Cisco continue to develop solutions to tackle these challenges head-on.”

Chiu agreed, “HyTrust continues to experience strong demand, especially in the financial, retail and government sectors, simply because organizations want to leverage virtualization in parts of their infrastructure that are subject to compliance.” He continued, “We expect to see this trend sustained well after this January PCI DSS 2.0 deadline, as more and more organizations realize that PCI compliance and virtualization are compatible.”