One of the questions I have been hearing more and more from customers is whether a web site or web application can be PCI compliant if it is hosted in a virtual environment. Before you rush to answer yes or no, there are a few things you should consider:
1. Don’t assume that by virtual we mean VMware, Xen or KVM. There are plenty of service providers who offer virtual hosting on platforms (if that is the right word) based on cPanel and things like Virtuozzo. In some of these cases there is no hypervisor; the virtualization takes place at the OS level itself.
2. Most hosted sites or applications have little to no control over the physical configuration, and in fact don’t have much control over VM-wide configuration either.
3. The hosting or service provider almost always has root or similar access to the customer’s files and data.
All of the above notwithstanding, I have seen cases where virtualized environments are PCI compliant. Often this involves moving all credit card data and processing out of scope.
I am interested in your experience. How are you making your virtualized environment PCI compliant?