
PCI + Credit Card Gateway + Virtualization

Question asked by andrew on Dec 11, 2015
Latest reply on Mar 24, 2016 by andrew

Wondering if anyone out there has addressed PCI v3 with the Pharos Credit Card Gateway, particularly with servers in a clustered virtual environment (the hosts are clustered, not the guests).

Where I'm coming from:

We have implemented this, but are now being told that we are going to have to move the servers off of our VMWare cluster into a physical environment in order to be PCI v3 compliant. We are told this by our internal Information Privacy Security Office, and the PCI QSA they have hired agrees. The facts as we see them boil down to a disagreement over whether the Gateway constitutes a "redirect server". We argue it does not, as there is no "redirect" as defined by the IETF. It is pretty straightforward: a link, the same as any other link a person would click on the Internet. "They" argue it is a redirect, and therefore as of PCI v3 "within scope", and therefore subject to the same rigors as we would face if we actually stored payment card data.


What I want to find:
I am having a hard time believing everyone out there who has invested in a virtual environment has migrated back to physical in order to meet PCI v3 requirements, and would love to find someone who has fought that fight who could point me toward a strategy, especially one with documentable precedent. So far, the documents I have found issued by PCI to address virtualization date from 2011: https://www.pcisecuritystandards.org/documents/Virtualization_InfoSupp_v2.pdf Though I have only begun to review it, I assume its information is out of date at best, and misinterpreted by our IPSO and their thugs, er, Qualified Security Assessors. VMWare has worked very hard to ensure their product does not fall out of favor among vendors needing PCI compliance.

I am also having a hard time believing Pharos will continue to sell the Gateway if the Payment Card Industry really meant for this to be handled this way, and, again, would love to find a documentable refutation of the idea that they did. In addition to the cost of the Gateway, now I'm expected to re-invest in at least 2 physical servers (I have none in my environment), re-invest in a SQL-capable backup solution, and repurchase my operating systems; this is going to cost me somewhere in the neighborhood of $15,000 at a minimum. Plus the cost of the Gateway purchase (well, technically, we already bought that, but now it's going to be rendered useless).


I intend to try to hit up VMWare on this as well, but I am hoping for returns from the Pharos world, too.

Thank you for reading.
