Data Access Issues for Virtual Networks Handling PCI Information
Any business that deals heavily in data such as credit card account numbers may need to have its physical and virtual networks assessed for compliance with the Payment Card Industry Data Security Standard. This standard, currently known as DSS 2.0, presents special challenges when it comes to virtual environments.
DSS 2.0 Requirement 7
This requirement instructs enterprises to grant access to payment card data only to those individuals whose workflow tasks require them to have such access. This is known as Role-Based Access Control (RBAC) and is intended to lower the chance of an unauthorized disclosure of payment card information.
The software engineers who design virtualization suites such as VMware vCenter are well aware of this issue; these programs operate with their own set of access controls to meet RBAC needs and provide audit trails that can help management demonstrate that a default-deny policy is in place as required by DSS regulations.
Compliance with DSS 2.0 is a serious issue that enterprises often choose to address by engaging specialized IT services on a project basis.