PCI Council, Cisco Provide Guidance on PCI-Compliant Virtual Systems

The PCI Council releases a draft guidance of how merchants should be securing virtual environments to be PCI compliant while Cisco delivers its own guide showing how retail enterprises can achieve PCI compliance.

The PCI Security Standards Council issued a new guidance to help IT administrators deploy and manage cloud environments and virtual data centers while ensuring PCI compliance where necessary.

The PCI DSS Virtualization Guidelines Information Supplement, released June 14, covers a number of virtualization areas, including different types of virtualization, specific notes on cloud computing and how to ensure "mixed" virtual environments are compliant, Bob Russo, the general manager of the PCI Council, told eWEEK. The guidance does not contain new requirements or standards but is intended to be a primer on how to ensure virtual environments comply with the existing PCI-DSS 2.0 standard.

Virtualization technology introduces new risks that may not have existed in the physical environment, Kurt Roemer, chief security officer at Citrix Systems and chairman of the Virtualization Special Interest Group, told eWEEK. The Virtualization SIG is comprised of 33 PCI-member organizations and drafted the latest guidance.

Data stored in virtual environments are already covered by PCI DSS 2.0, which went into effect in January. PCI-compliant organizations don't have to start from scratch when looking at this guidance, Russo said.

Merchants and vendors "asked for additional clarity," and the guidance provides the explanation and details for the requirement in the context of virtualization, Russo said.

The Virtualization SIG looked at each requirement in PCI DSS and examined it within the context of the virtual environment. The guidance provides additional details around each requirement, Roemer said.

For example, a PCI DSS requirement specifies that administrators have to segment PCI workloads from other workloads. The guidance applied the requirement to the virtual environment to note that firewalls must segment virtual machines with different "trust zones" in a single environment, according to the document. This is especially important in a multi-tenant public cloud environment, Roemer said.

Virtual hosts are now subject to the requirement that administrators "limit access to system components and cardholder data to only those individuals whose job requires such access," according to the guidance document, suggesting that organizations will need to implement access controls on the hypervisor, host and other components.

The PCI Council avoids endorsing any type of technology or technique in its guidance, leaving the actual implementation to the individual enterprise. Numerous areas will evolve, such as storage, virtual networking and cloud computing, but the requirements to manage the technology should not change, Troy Leach, PCI Council's chief standards architect, told eWEEK. Future guidance and standards will address evolving risks, Leach said.

"There is no single method for securing virtualized environments," Russo said.

The SIG originally started out looking at server virtualization because that was what most members were focusing on as part of their virtualization efforts, Roemer said. However, the group discovered there were other usages, such as for applications, desktops and storage servers.

The guidance affirms that if virtualization technologies are being used in the cardholder data environment, PCI DSS requirements must be applied. A key finding from this guidance was that even if the organization was running the application, database or storage system on a virtual machine, the merchant needed to treat is as if it was on a physical server, Russo said.

At the same time, Cisco announced it will be releasing a Cisco PCI Solution for Retail Design and Implementation Guide at the end of the month to help enterprises and retail customers with an in-depth guide on how organizations can achieve PCI compliance. The document provide guidance for different types of "store footprints," such as size of the retail organization and the type of services provided, Lindsay Parker, global retail industry director at Cisco, told eWEEK..

The PCI implementation guide is "comparable to a cookbook, a how-to manual" on securing the organization's systems, including virtual and wireless infrastructure, Parker said. Unlike the guidance from the PCI Council, Cisco's document is unabashedly promoting Cisco's and its partners' products, including HyTrust, RSA Security and EMC, according to Parker.

"While it would be nice" if the customers bought the full range of products in order to deploy PCI-compliant virtual environments, Cisco is hoping customers can use the detailed instructions to figure out what needs to be done to achieve compliance, Parker said.

Many retail companies and enterprises tend to view PCI compliance as a "point in time exercise," one that is done once the audit is completed, according to Parker.

At least four other industry sectors, including government, education, health care and financial services, are taking the retail guide and modifying with industry-specific information to create customized guides for those areas, Parker said.