The PCI Council releases draft guidance on how merchants should secure virtual environments to be PCI compliant, while Cisco delivers its own guide showing how retail enterprises can achieve PCI compliance.
The PCI Security Standards Council issued new guidance to help IT administrators deploy and manage cloud environments and virtual data centers while ensuring PCI compliance where necessary. The PCI DSS Virtualization Guidelines Information Supplement, released June 14, covers a number of virtualization areas, including different types of virtualization, specific notes on cloud computing and how to ensure "mixed" virtual environments are compliant, Bob Russo, the general manager of the PCI Council, told eWEEK. The guidance does not contain new requirements or standards but is intended to be a primer on how to ensure virtual environments comply with the existing PCI DSS 2.0 standard.
Virtualization technology introduces new risks that may not have existed in the physical environment, Kurt Roemer, chief security officer at Citrix Systems and chairman of the Virtualization Special Interest Group, told eWEEK. The Virtualization SIG comprises 33 PCI-member organizations and drafted the latest guidance.
Data stored in virtual environments is already covered by PCI DSS 2.0, which went into effect in January. PCI-compliant organizations don't have to start from scratch when looking at this guidance, Russo said. Merchants and vendors "asked for additional clarity," and the guidance provides the explanation and details for the requirements in the context of virtualization, Russo said.
The Virtualization SIG looked at each requirement in PCI DSS and examined it within the context of the virtual environment. The guidance provides additional details around each requirement, Roemer said.
For example, a PCI DSS requirement specifies that administrators have to segment PCI workloads from other workloads. The guidance applies the requirement to the virtual environment, noting that firewalls must segment virtual machines in different "trust zones" within a single environment, according to the document. This is especially important in a multi-tenant public cloud environment, Roemer said.
Virtual hosts are now subject to the requirement that administrators "limit access to system components and cardholder data to only those individuals whose job requires such access," according to the guidance document, suggesting that organizations will need to implement access controls on the hypervisor, host and other components.
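The two points above (firewall separation of trust zones sharing one virtual environment, and limiting hypervisor access to people whose job requires it) can be turned into a simple inventory audit. The following is an added example, not code from the PCI Council or Cisco; the VM names, hosts, VLAN segments, zone labels, accounts and job roles are a constructed sample.

```python
"""Audit a constructed virtual-environment inventory against two guidance points:
VMs in different trust zones must be separated by a firewall, and hypervisor
admin rights must be limited to accounts whose job role justifies them."""
from itertools import combinations

# Constructed sample inventory (hypothetical names), not taken from the guidance.
VMS = {
    "pos-db-01":    {"host": "esx-01", "zone": "cde",  "segment": "vlan-110"},
    "pos-app-01":   {"host": "esx-01", "zone": "cde",  "segment": "vlan-110"},
    "hr-web-01":    {"host": "esx-01", "zone": "corp", "segment": "vlan-110"},  # mixed-mode host and segment
    "dev-build-01": {"host": "esx-02", "zone": "dev",  "segment": "vlan-300"},
}

# Zone pairs whose traffic is known to pass through an inspecting firewall.
FIREWALLED_ZONE_PAIRS = {frozenset({"cde", "corp"}), frozenset({"cde", "dev"})}

# Accounts holding admin rights on each hypervisor, the job role of each account,
# and the job roles that actually require hypervisor admin access.
HYPERVISOR_ADMINS = {"esx-01": ["alice", "bob", "svc-backup"], "esx-02": ["alice"]}
JOB_ROLES = {"alice": "virtualization-admin", "bob": "hr-analyst", "svc-backup": "backup-service"}
ALLOWED_ADMIN_ROLES = {"virtualization-admin", "backup-service"}


def segmentation_findings(vms=VMS, firewalled=FIREWALLED_ZONE_PAIRS):
    """Return (vm_a, vm_b, reason) for VM pairs in different trust zones
    that are not separated by a firewall."""
    findings = []
    for (a, va), (b, vb) in combinations(sorted(vms.items()), 2):
        if va["zone"] == vb["zone"]:
            continue
        pair = frozenset({va["zone"], vb["zone"]})
        if va["segment"] == vb["segment"]:
            # Same L2 segment: traffic never reaches a firewall, whatever the policy says.
            findings.append((a, b, "shared segment %s across trust zones" % va["segment"]))
        elif pair not in firewalled:
            findings.append((a, b, "no firewall policy between zones %s" % sorted(pair)))
    return findings


def hypervisor_access_findings(admins=HYPERVISOR_ADMINS, roles=JOB_ROLES, allowed=ALLOWED_ADMIN_ROLES):
    """Return (host, account, job_role) for hypervisor admin accounts whose
    job role is not on the list of roles that require such access."""
    return [(host, user, roles.get(user, "unknown"))
            for host, users in admins.items()
            for user in users if roles.get(user) not in allowed]


if __name__ == "__main__":
    for finding in segmentation_findings() + hypervisor_access_findings():
        print(finding)
```

Run against a real inventory, the shared-segment finding is the one to look at first: a VM in the cardholder data environment on the same VLAN as a non-CDE VM is not segmented no matter what the firewall policy says.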
The PCI Council avoids endorsing any type of technology or technique in its guidance, leaving the actual implementation to the individual enterprise. Numerous areas will evolve, such as storage, virtual networking and cloud computing, but the requirements to manage the technology should not change, Troy Leach, PCI Council's chief standards architect, told eWEEK. Future guidance and standards will address evolving risks, Leach said. "There is no single method for securing virtualized environments," Russo said.
The SIG originally started out looking at server virtualization because that was what most members were focusing on as part of their virtualization efforts, Roemer said. However, the group discovered there were other uses, such as applications, desktops and storage servers.
The guidance affirms that if virtualization technologies are being used in the cardholder data environment, PCI DSS requirements must be applied. A key finding from this guidance was that even if the organization was running the application, database or storage system on a virtual machine, the merchant needed to treat it as if it were on a physical server, Russo said.
At the same time, Cisco announced it will release the Cisco PCI Solution for Retail Design and Implementation Guide at the end of the month, an in-depth guide to help enterprises and retail customers achieve PCI compliance. The document provides guidance for different types of "store footprints," such as the size of the retail organization and the type of services provided, Lindsay Parker, global retail industry director at Cisco, said.
The PCI implementation guide is "comparable to a cookbook, a how-to manual" on securing the organization's systems, including virtual and wireless infrastructure, Parker said. Unlike the guidance from the PCI Council, Cisco's document unabashedly promotes Cisco's and its partners' products, including HyTrust, RSA Security and EMC, according to Parker.
"While it would be nice" if customers bought the full range of products in order to deploy PCI-compliant virtual environments, Cisco is hoping customers can use the detailed instructions to figure out what needs to be done to achieve compliance, Parker said.
Many retail companies and enterprises tend to view PCI compliance as a "point in time exercise," one that is done once the audit is completed, according to Parker.
At least four other industry sectors, including government, education, health care and financial services, are taking the retail guide and modifying it with industry-specific information to create customized guides for those areas, Parker said.