PCI DSS Standards 2.0 Means Good News For Linux Xen VPS

Posted by abefroman on Sep 7, 2010 3:35 AM EDT
Secure Hosting Directory; By Terry N.


Just when you thought you had fully understood all the PCI compliance rules, the all-new PCI DSS 2.0 will be released at the end of this month, on 9/30. This is a major version change, going from 1.x to 2.x. Upon release, companies must ensure they are in compliance with the new rules. To allow time to comply, a number of the new or changed rules will say something like "must be implemented by 1/1/11".

Of the 12 new changes to the standards, the best part of the new PCI DSS rules is a change to rule 2.2.1, which specifically allows for virtualization, such as using a VPS running Linux with Xen. Instead of requiring just 1 function per server, the rules now specify that you can have multiple virtual servers on one physical server, each performing a separate function. Prior to this, the Payment Card Industry didn't specifically allow or disallow the use of a VPS. Its rule was open to interpretation, and your security team would need to make a judgement call on whether you would still be in compliance when using Xen or any other VPS. You will still need at least 2 physical servers, as your database server must be behind a hardware firewall, but you can have web on 1 VPS, email on another, DNS on a third, etc.

Some people argue that using a VPS is less secure, because you risk having the main server hacked, which in turn compromises all the VPSs running on it. However, SSH is probably the only port you would have open on the main server, and that should have an ACL denying all traffic except from one or a couple of IPs. It would be very rare for such a compromise to happen, and it seems the PCI DSS Council realized that too.
