Virtualization in Payments
Should you do it or not?
Virtualization is a decoupling of logical servers from physical hardware. It has many advantages, a few disadvantages, but how does the general case for or against virtualization stack up when focusing on the payments industry in particular?
At EFTlab, our focus is on centralized processing, or what happens inside the data centers of our customers. That’s the sort of environment we’ll take into consideration for our evaluation. Environments closer to the cardholder, or point of transaction, will have slightly different drivers. With that in mind, let’s look at some factors that come into play when considering virtualization, and see how they relate to the payments industry in particular:
| Factor | Applicability to Payments | Comments |
| Cost |  | Overall costs are always a factor, but given the relatively high cost of specialized software and other environmental costs, the cost of “off the shelf” hardware is not as high a concern. |
| Reliability |  | Payments must be 100% reliably tracked. Data loss is a huge concern, and must be protected against. |
| Performance | | Payments need to happen quickly, without giving cause for concern with response latency. |
| Availability | | Payments is an especially risk adverse sector, and even low levels of unavailability cause concern for customers. |
| Security | | Virtualization can cause some unwelcome attention with security audits, including PCI-DSS. It is not an insurmountable obstacle, but environments need to be well segregated, whether physical or virtual. |
| Growth | | The ability to scale for increased transaction volume is paramount for increased revenue. |
Do’s and Don’ts for utilizing virtualization in payments
- Do use multiple physical servers, to provide hardware redundancy. Clustering is a fundamental requirement for virtualization in a high availability environment.
- Don’t put multiple functions or tiers on one virtual server. Try to keep to one function for one server.
- Don’t mix systems within scope for PCI with systems not in scope for PCI, even if on different virtual servers.
- Do know what you’re doing, or outsource to someone who does.
Should you do it? Almost definitely, but you need to do it the right way. The virtualized environment has to be more reliable than a dedicated server deployment, and it can be if built correctly. The advantages far outweigh the disadvantages, it provides for an overall higher level of service, and it is reliable and available technology that should be seriously considered for mission critical deployments.
