By Brian Albright, Business Solutions magazine.
VARs can guide merchants through new PCI guidance for virtual environments, mobile solutions.
Earlier this year, new virtualization guidelines were issued for the Payment Card Industry (PCI) Data Security Standard (DSS) in response to the increased use of hosted or cloud-based payment and processing solutions. The guidelines clear up some industry confusion about the scope of compliance in virtual environments.
As part of the PCI DSS 2.0 update, the virtualization guidelines advise that any virtualization technologies used for cardholder data should comply with existing PCI DSS mandates. Virtual machines (VMs) can handle credit card data as long as each VM keeps that data separate from the rest of the IT infrastructure. However, virtual environments introduce new risks, particularly as many smaller retailers are not fully PCI-compliant when it comes to their internal systems.
Ongoing questions about how to successfully utilize compliant solutions in a virtual environment, as well as the need for further education of small and midsize merchants, mean that resellers will have plenty of opportunities to provide consulting services. "The current self-assessment audit process is far too complex for a merchant of this size," says Sean Kramer, president and CEO of Element Payment Services.
Most merchant security threats come from outside sources that are trying to obtain cardholder data. One reason that many companies have turned to hosted or cloud-based payment solutions is that they are trying to minimize these threats (and their compliance requirements) by taking cardholder data off their on-premises systems.
The current PCI guidance on virtualization is a best-practices guide for those using this technology in a cardholder data environment; it is not yet officially incorporated into the DSS. There are still many risks for both merchants and providers utilizing cloud solutions. Clients' needs vary, and resellers should be mindful of these differences when offering a shared, virtual environment to multiple clients.