Data Access Issues for Virtual Networks Handling PCI Information

Any business that deals heavily in data such as credit card account numbers may need to have its physical and virtual networks assessed for compliance with the Payment Card Industry Data Security Standard. This standard, currently known as DSS 2.0, presents special challenges when it comes to virtual environments.

DSS 2.0 Requirement 7

This requirement instructs enterprises to grant access to payment card data only to those individuals whose workflow tasks require them to have such access. This is known as Role-Based Access Control (RBAC) and is intended to lower the chance of an unauthorized disclosure of payment card information.

Requirement 7, however, goes beyond the mere allocation of access privileges.  The computing system must also be able to document all access.  This can mean something different for physical and virtual systems since the two are not equivalent in every respect.  VMs often exist in a ‘world of their own’ when it comes to access controls and require different solutions than do physical machines.  Merely transferring the familiar Windows terms of users, groups, and permissions is not a sufficient control approach for virtual machines.

The software engineers who design virtualization suites such as VMware vCenter are well aware of this issue; these programs operate with their own set of access controls to meet RBAC needs and provide audit trails that can help management demonstrate that a default-deny policy is in place as required by DSS regulations.

Compliance with DSS 2.0 is a serious issue that enterprises often choose to address by engaging specialized IT services on a project basis.

