Anyone who has ever been through the process of gaining PCI compliance for an eCommerce site can certainly understand the challenges and vagaries of successfully navigating the compliance process. Those who haven’t been through this, well, let me just say that the process is complex, subject to individual interpretation of PCI requirements and always takes longer to complete than estimated.

The process was much simpler when technology infrastructure was in-house, or at least in a dedicated cage in a third-party facility, and companies had complete control over what was running on exactly what servers and how those servers were connected to the outside world. In order to be competitive, companies began to switch to virtual machine based architectures which allowed a tremendous amount of flexibility but had the unfortunate side-effect of making PCI compliance even more difficult to attain, especially when it comes to knowing exactly where card holder data is stored.

In the current PCI spec (v1.2), there are certain challenges around using VMs but these are largely minimized if the VM infrastructure is completely owned and managed by the party seeking compliance. In today’s world of on-demand computing, particularly for eCommerce sites that have short-duration traffic peaks, using cloud services such as Amazon EC2 is an efficient and cost-effective solution. Moving an application that processes card-holder data from a privately managed environment to a third-party cloud is fraught with PCI issues.

There may be some good news on the way from the PCI Security Standards Council as they are working on version 2.0 of the specification. Early documents indicate that discussions are taking place about how best to accommodate virtualization in environments containing sensitive customer data. In particular, there are two key changes being proposed to the specification that related directly to the use of VMs:

  • Expanded definition of system components to include virtual components
  • Updated requirement to clarify intent of “one primary function per server” and use of virtualization

The new PCI DSS standard becomes effective on January 1, 2011. There is sure to be a flurry of activity in the PCI space as companies go through the compliance process and re-align architectures to take better advantage of server virtualization.  Here’s hoping that the PCI folks have thought this out very well and that proper use of VMs can serve two purposes:  Continued security for card holders/issuers and more efficient eCommerce infrastructures for companies that serve dynamic markets.