Friday, January 21, 2011
Companies increasingly striving for PCI compliance
For years, the PCI Data Security Standards have loomed over retail stores, banks, financial institutions and any business that performs monetary transactions. The standards set forth regulatory compliance rules that must be followed to ensure safe transmission, processing and storage of payment-card data.
Recently, Cisco Systems completed a survey that found businesses are increasingly appreciating the advantages of striving for PCI compliance, and are investing heavily to upgrade their data centers to prepare for audits.
Overall, the survey found 85 percent of respondents are confident their current networking and data center establishments would be capable of passing a PCI audit if it took place immediately. Furthermore, 70 percent said they are more secure now than they would be if the PCI DSS did not exist. To achieve PCI compliance, the survey found 60 percent of respondents spent between $100,000 and $1 million in the past five years.
The retail and financial services industries are most confident in their PCI readiness, the survey found, as 92 percent of respondents from both industries said they would pass a PCI DSS audit. Conversely, government-related organizations struggled, with 17 percent of respondents saying they would fail an audit. Some of this confidence may stem from the report's conclusion that retail and finance respondents felt the most prepared for the newly active PCI DSS 2.0.
Overall, 57 percent of IT decision-makers surveyed said they are confident in their virtual server systems being up to par with PCI standards. Furthermore, 70 percent of financial organizations said their virtual servers are ready for a PCI audit. However, 36 percent of respondents did say that improvements to firewalls, IPS systems and other security applications are necessary to adapt to the growing trend toward virtualization.
The new PCI DSS 2.0 debuted last fall and became active with the start of 2011. Its primary revisions address the increasing use of virtualization technology in data centers that hold payment-card information, something earlier versions of the standard did not cover, which left it unclear whether a data center in PCI scope could virtualize at all.
Essentially, the new standard says virtualization is acceptable, but only under specific conditions. Each virtual machine must be clearly separated from, and distinct from, the other VMs on the same physical server. Furthermore, the image that serves as the base of the virtual machine must be strictly compliant with all PCI DSS requirements.