What does PCI DSS Requirement 2.2.1 ("Implement only one primary function
per server (for example, web servers, database servers, and DNS should
be implemented on separate servers)") mean in virtualized environments?
Is it "one function per VM instance" or "one function per physical server"?
I've heard reports of QSAs interpreting it either way, which means that millions of dollars of IT investments might be at stake.
Here are some arguments that I've heard:
- "VM instance is NOT a server" - thus physical separation is required.
- "VM IS a different machine, might be a different OS, etc." - thus it IS sufficient separation.
- "VM is like a VLAN" - thus VM separation IS adequate separation. Then again: some say VLANs are not sufficient separation either.