PCI Compliance for Store Systems Made Easy
By Mark Weiner
Last month, the PCI Security Standards Council published its much-anticipated virtualization guidelines. This resource provides guidance for implementing PCI requirements in virtualized environments. While much of the media hype resides around the applicability of this guidance to trendy new technologies such as cloud computing, there is a hidden gem related to the use of virtualization to improve compliance in good, old-fashioned store systems.
PCI compliance for store systems is notoriously challenging. Traditional data security solutions for store environments typically required a "mini-data center" approach that involved multiple security devices and applications integrated in highly-customized configurations. These security devices are expensive to deploy and difficult to manage in a multi-site retail environment. Most stores do not maintain the skills to manage the operation of the devices and have little or no capability to provide effective ongoing operations required to meet audit requirements under the PCI standards.
For all of its security drawbacks, however, the retail environment often has two advantages in achieving PCI compliance:
1. Most store systems environments are virtually identical across retail chains, so investment to produce an integrated solution in one store can be leveraged across all of them with relative ease.
2. High-performance hardware is generally not required, given the low volume of transactions per store. With such low usage of hardware resources, the environment is ideally suited for virtualization.
By blessing virtualization as a class of technology that can be leveraged to allow a single physical hardware device to provide multiple payment and security functions, the PCI council has given retailers a valuable tool to reduce cost and create a wide variety of value-added applications to benefit their operations.
At their core, virtualization technologies allow less hardware to perform more tasks, which in turn introduces the long-absent concept of Return on Investment (ROI) into the PCI lexicon. Elements of ROI associated with virtualization include:
• Consolidation of PCI security controls onto a single piece of hardware.
• Introduction of entirely new virtualized applications to improve customer experience and increase sales.
• Lower costs for hardware, system integration and system maintenance.
Once an ROI is established, the ability to virtualize components of a PCI-compliance infrastructure means returns can be realized across vast numbers of stores. In short, virtualization allows retailers to have PCI with an ROI.
For example, virtualized security architectures currently incorporate an integrated suite of PCI environmental controls previously available only as individual products. When implemented across multiple remote stores, this has dramatically reduced the cost and complexity of PCI compliance. Ironically, many features of this solution such as ensuring consistency across stores and the integrity of data files are identical to the management requirements of customer-focused applications such as music, digital signage and payment switching. Consequently, these types of applications can be included at minimal incremental cost. An ultimate goal of virtualization in retail systems is the "store-in-a-box" concept, where entire store systems architectures are virtualized on a single physical hardware platform.
A slight disadvantage is the up-front time required to design and test a virtual configuration. However, for multi-site retailers this is not much of a disadvantage. Retailers are in the business of building distribution channels and systems that can scale efficiently across hundreds or thousands of locations. The initial investment of time can be amortized over the entire retail chain. Simply put, the more store systems that leverage virtualization, the better the economics become, which is what the retail technology industry is really all about in the first place.
We believe that retail CIOs should consider this newly available path to compliance when meeting the challenges of security and compliance across their enterprises.
Mark Weiner is managing partner of Reliant Security.