Anitian Enterprise Security
888.ANITIAN
info@anitian.com

Article

The Quick Facts on PCI Compliance & Virtualization

By Andrew Plato, CISSP, CISM, QSA
President / Principal Consultant
Anitian Enterprise Security

In June of 2011, the PCI Security Standards Council published "Information Supplement: PCI DSS Virtualization Guidelines." This document (https://www.pcisecuritystandards.org/documents/Virtualization_InfoSupp_v2.pdf) is designed to help companies understand how PCI requirements apply to virtualized environments.

Many people are still digesting the formal guidelines, but this article offers a summary of the document's contents, and explores some of the important ramifications of PCI compliance in a virtualized environment. This article is not an introduction to virtualization -- it is expected that readers are already familiar with virtualization and its implementation.

Virtualized Environments - What is In Scope?

The simplest answer here is almost everything. If some of the hosts in a virtualized environment are in scope for PCI, then a great deal of the virtualized environment will be in scope as well.

The guidance specifically states that the entire "stack" of a virtual environment is in-scope. So, for a virtualized environment with 20 servers running on a cluster of VMware systems, if three instances are involved in PCI compliance (and therefore in scope), then the entire VM "stack" is in scope. That includes the hardware, the hypervisor, and any virtualized network. The other 17 servers could be removed from scope, but they must use a different network, with a firewall or similar control segregating it from the network that is in-scope. Other access controls in the hypervisor and management may be necessary as well.

These same principles also apply to virtualized storage, networking, and desktops. If any components running in a virtualized environment are in scope, then the entire stack -- from the hardware to the individual instance of the host or storage area -- is in scope.

The best advice is to reduce or otherwise limit the number of devices in-scope. This means having clear and definable access controls between in-scope and out-of-scope systems. Remember that even if other hosts in a virtual environment are out of scope, the virtual OS or hypervisor is in-scope.

Wait, the Hypervisor is In-Scope?

Yes. If even one server in a virtual environment is in-scope, then the hypervisor (the operating system, such as VMware ESXi, which interfaces directly with the hardware) is in-scope and must be secured with the standard PCI requirements (logging, file integrity, IDS, etc.) for all devices in-scope.

What about Virtualized Networks?

Yes, those are in scope too. If payment card data traverses a virtualized network, then all components of that network are in scope, such as the network, the virtual switch, any virtual firewalls, and the hypervisor where those components run.

What about Cloud Providers?

Cloud providers add an additional layer of complexity to in-scope systems. The simplest answer is that applications or hosts that process, transmit, or store payment card data should only be hosted on cloud computing providers who are PCI DSS compliant.

Ownership must also be considered. The owner of the data, control, application, or system is responsible for ensuring compliance. Cloud computing can blur the lines of ownership, but the simple fact is that any organization handling payment cards is ultimately responsible for the cardholder data. There is a limit to how much can be outsourced, and outsourcing does not always remove or reduce the responsibility for PCI compliance.

Where do I get Help?

A Qualified Security Assessor (QSA) for PCI compliance is the best source for guidance. Acquirers and the PCI Standards Council entrust QSAs to make judgment calls on how to interpret the PCI standard and the relevant guidelines. A QSA should be able to offer documented guidance regarding any questions or issues surrounding a virtualized environment and PCI compliance.

Moreover, most acquirers will defer to the judgment of a QSA in regard to how to properly segment, isolate and secure in-scope systems.

Anitian’s Advice

The easiest way to avoid PCI issues with virtualized environments is to avoid mixing systems that are in-scope and out-of-scope in the same virtual environment. While this may not seem like an ideal solution, the cost and complexity of implementing controls in the virtual environment may be higher than simply deploying a dedicated environment for PCI. For smaller organizations, it may be easier to relocate PCI systems that are in scope to dedicated hardware.

If in-scope and out-of-scope systems must co-exist in the same virtual environment, then proper segmentation is critical. Systems that are in-scope need to have their own network stack and should be isolated in their own storage repository as well.

Anitian encourages anyone architecting a new DMZ or web environment to completely isolate all in-scope hosts to dedicated hardware, if possible. This can simplify segmentation and avoid the complexities of implementing access controls within a mixed-use environment.
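The scoping rule described earlier (an in-scope instance pulls its whole stack into scope, and other instances stay out of scope only on a separate, firewall-segregated network) and the segmentation advice above can be expressed as a simple inventory check. The following is an added example, not code from the article or from Anitian; the VM, host, network and datastore names are constructed, and the hypervisor/datastore warnings reflect the advice given here rather than a formal scoping determination.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class VM:
    name: str
    host: str        # hypervisor (e.g. an ESXi host) the VM runs on
    network: str     # virtual network / virtual switch segment
    datastore: str   # storage repository holding the VM's disks
    card_data: bool  # stores, processes or transmits cardholder data

def pci_scope(vms, segregated_networks):
    """Map in-scope components to a reason and list segmentation warnings.
    segregated_networks: networks a firewall separates from the CDE networks;
    any other network is treated as reachable from the CDE."""
    in_scope, warnings = {}, []
    cde = [vm for vm in vms if vm.card_data]
    for vm in cde:
        in_scope[f"vm:{vm.name}"] = "handles cardholder data"
        # The whole stack beneath an in-scope instance is in scope.
        in_scope[f"hypervisor:{vm.host}"] = f"runs in-scope VM {vm.name}"
        in_scope[f"network:{vm.network}"] = f"carries in-scope VM {vm.name}"
        in_scope[f"datastore:{vm.datastore}"] = f"stores in-scope VM {vm.name}"
    cde_hosts = {vm.host for vm in cde}
    cde_networks = {vm.network for vm in cde}
    cde_datastores = {vm.datastore for vm in cde}
    for vm in vms:
        if vm.card_data:
            continue
        if vm.network in cde_networks:
            in_scope[f"vm:{vm.name}"] = f"shares network {vm.network} with the CDE"
        elif vm.network not in segregated_networks:
            in_scope[f"vm:{vm.name}"] = f"network {vm.network} not segregated from the CDE"
        else:  # out of scope, but flag where extra controls are still needed
            if vm.host in cde_hosts:
                warnings.append(f"{vm.name} on in-scope hypervisor {vm.host}: hypervisor/management access controls needed")
            if vm.datastore in cde_datastores:
                warnings.append(f"{vm.name} shares datastore {vm.datastore} with in-scope systems")
    return in_scope, warnings

# Constructed inventory (hypothetical names): one cluster, two networks.
INVENTORY = [
    VM("pay-app", "esx-01", "vlan-cde", "ds-cde", True),
    VM("intranet", "esx-01", "vlan-cde", "ds-cde", False),
    VM("wiki", "esx-01", "vlan-corp", "ds-cde", False),
    VM("build", "esx-02", "vlan-corp", "ds-corp", False),
]

if __name__ == "__main__":
    scope, warns = pci_scope(INVENTORY, segregated_networks={"vlan-corp"})
    print(*[f"IN SCOPE {c}: {r}" for c, r in sorted(scope.items())], *warns, sep="\n")
```

Running it with no segregated networks declared shows the worst case from the text: every VM on the cluster lands in scope.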

Conclusion

This article presents a very quick and high-level assessment of the current virtualization guidelines. For additional guidance or questions, consult the PCI Security Standards Council Virtualization Guidelines document or a Qualified Security Assessor (QSA).

For more information, please call 888.ANITIAN, or email Anitian Enterprise Security.