baforestal
Contributor

Payment Card Industry (PCI) server virtualization

Good Day,

Has anyone used VMware to host PCI servers/applications and actually passed the Report On Compliance?

Thanks,

Bruce

0 Kudos
3 Replies
McKeay
Contributor

Bruce,

You might try asking the same question to the PCI Standards mailing list. It's a Yahoo group and is very low traffic, but I know there are a number of auditors on the list who might be able to answer your question.

I had asked a similar question some time ago of Michael Dahn of the PCI Compliance Demystified site (http://pcianswers.com/) and I think he said there were no problems with virtualization, but it has to go through the same sort of scrutiny any system does. I don't know if he'd actually audited any systems based on VMware, though.

Martin McKeay

Product Evangelist, Cobia

http://cobia.stillsecure.com/mckeay

0 Kudos
snikt228
Contributor

We've had a PCI audit done in Jan 06. We didn't pass the audit, but it wasn't related to VMware; they didn't bring up any issues related to that.

We're having another audit done in late August as well.

0 Kudos
esiebert7625
Immortal

We're fully PCI compliant and just passed an audit using the new tougher specification that went into effect this year. Our VMware environment seemed to make no difference; PCI has no specific items for virtualized servers. If you treat your VMs as you would physical servers, the same security rules apply. We've also passed several SOX audits.

You might give this a read.

Surviving Regulatory Compliance in the Virtual Infrastructure - http://download3.vmware.com/vmworld/2006/adc9521.pdf

0 Kudos