By: Mark Gaydos
PCI compliance, virtualization and security can all work together just like a Dairy Queen Blizzard if a company takes the right steps. It’s smooth and tasty (for your business)! I was reading Chris Hoff’s and David Taylor’s respective posts on PCI and virtualization. Although I am in violent agreement with each of them that retail companies should not refrain from implementing virtualization because of PCI, I differ slightly on my reasoning why. And that reasoning is simply that the technology already exists for companies to have virtualization, security and compliance, whether it is PCI, SOX, FISMA, etc.
The idea that a company is waiting to implement virtualization based on what they see happening around the PCI policies is at best limiting and at worst debilitating. When should external policies drive the correct business decisions for a company? The business should find a way to incorporate policies while making the best decisions for the company today. One never knows what future policies will say, but one has got to compete today!
Not only does virtualization have significant operational and financial benefits for a company, but the technology already exists today to ensure virtualization is PCI compliant – as much as a technology can be compliant. Software vendors like Tripwire, who have the ability to help companies with their PCI compliance, can monitor not just the VM workloads but also the hypervisors. And once you have the ability to monitor the actual systems in use, you have the ability to report, which is much of the PCI battle.
The PCI virtualization security milkshake has already been made and is ready to drink. It’s just a question of whether companies get in before it melts.