Credit card payment processing methods and the infrastructure and systems that support these processes have evolved significantly over the years. It is not uncommon to have applications where the software stack runs on different compute platforms and is geographically dispersed. Organizations are also using third-party cloud services to deliver discrete activities in the shopping and payment process. As the scope of PCI broadens to include an increasing range of on-premise and third-party services, and a combination of old and legacy technologies, visibility and control become more critical.
Illumio partnered with Protiviti, one of the world’s leading Payment Card Industry Qualified Security Assessors (PCI QSA), to observe how Illumio ASP can help organizations meet their PCI DSS requirements. We provided Protiviti with a demo-test environment. Protiviti deployed several VENs (the Illumio agent) in the Protiviti-managed public cloud environment and paired them with the PCE in the Illumio environment so that they could test, review, and observe capabilities.
The outcome of this collaboration includes the white paper, "The Illumio Adaptive Security Platform – Supporting PCI DSS Requirements", which maps Illumio’s abilities to support, potentially meet, or be enabled as a compensating control for 8 of the 12 PCI DSS 3.2.1 requirements. The table below provides a summary and the paper offers a more detailed analysis of each control.
If you're a PCI customer, you and your QSAs should view the findings and considerations provided in this report as a starting point for evaluating how Illumio ASP can enable and support PCI DSS compliance in your own environment.