PCI Updates Data Security Standard to Clarify Virtualization Rules

PCI DSS 2.0 clarifies the one-function-per-server rules to allow PCI compliant systems to run on virtual machines.

New data security guidelines for processing credit card payments clarify the virtualization questions that have stymied organizations trying to move ahead with their cloud strategy, said HyTrust on Oct. 29.

The first major change to the PCI DSS (Payment Card Industry Data Security Standard) since July 2009, the new rules are more explicit about protecting cardholder data on virtual machines, said Hemma Prafullchandra, chief technology officer of HyTrust and a member of the PCI Virtualization Special Interest Group, on a call with eWEEK. Under the new PCI DSS 2.0 rules, system components can be physical or virtual machines, she said.

The previous version of the PCI DSS required organizations to "implement only one primary function per server," said Prafullchandra. This meant organizations working with credit card processing applications had to have each system, such as Web servers, database servers, and DNS boxes, on separate servers.

The previous PCI standard did not address whether multiple virtual machines running on a single hypervisor were considered as one server or not, said Prafullchandra.

On one hand, it's good policy to separate the functions so that in case of hardware failure, only one application is affected. However, virtualization is a necessity in the modern data center and organizations are increasingly shifting critical applications to the cloud. Not knowing how the PCI standard applied to virtual machines deterred many organizations from moving their credit card data environments to private clouds, according to HyTrust.

The v2.0 standard clarified the one-server rule by stating that in a virtualized environment, IT managers could have multiple VMs on a single server as long as each image implemented one primary function, said Prafullchandra.

In other words, there can be a VM for a Web server and a VM for the database server running side by side under a hypervisor on a physical server. However, a Web server and a database server can't be installed onto the same virtual machine.
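To make the rule concrete, here is an added example (not from the article, the standard, or HyTrust's whitepaper) that applies the two readings of requirement 2.2.1 to a small inventory of hypervisor hosts and guest VMs. The port-to-function table, the host and VM names, and the listening-port lists are all constructed for illustration; a real assessment would use the organization's own service classification and live data from the guests.

```python
"""Check a virtualization inventory against the "one primary function"
rule of PCI DSS requirement 2.2.1, as described in the article.

Added example, not code from the article or from HyTrust. The inventory
and the port-to-function mapping below are constructed assumptions.
"""

# Listening TCP ports mapped to the primary function they indicate.
# Management-only ports (e.g. 22/SSH) are deliberately absent: they are
# not a primary function. This table is an assumption for illustration.
PORT_FUNCTION = {
    80: "web", 443: "web", 8080: "web",
    3306: "database", 5432: "database", 1433: "database",
    53: "dns",
    25: "mail", 587: "mail",
}

# Constructed inventory: physical host -> guest VM -> listening TCP ports.
INVENTORY = {
    # Web VM beside a database VM on one hypervisor: allowed under v2.0,
    # ambiguous under the pre-2.0 "per server" wording.
    "esx-01": {"web-01": [22, 443], "db-01": [22, 5432]},
    # Web server and database installed in the same VM: a violation.
    "esx-02": {"app-01": [22, 80, 3306]},
    # Two VMs with the same single function: fine under either reading.
    "esx-03": {"dns-01": [22, 53], "dns-02": [22, 53]},
}


def primary_functions(listening_ports):
    """Return the set of primary functions a system implements, judged by
    the ports it listens on; unknown and management ports are ignored."""
    return {PORT_FUNCTION[p] for p in listening_ports if p in PORT_FUNCTION}


def violations_per_vm(inventory):
    """PCI DSS 2.0 reading: each VM (virtual system component) may implement
    only one primary function. Returns a list of (host, vm, functions)
    tuples for every VM that implements more than one."""
    found = []
    for host, vms in inventory.items():
        for vm, ports in vms.items():
            funcs = primary_functions(ports)
            if len(funcs) > 1:
                found.append((host, vm, tuple(sorted(funcs))))
    return found


def functions_per_host(inventory):
    """Pre-2.0 reading, where the physical server is the unit: the combined
    functions of all VMs on each host, so an assessor can see which hosts
    would have been ambiguous under the old wording."""
    result = {}
    for host, vms in inventory.items():
        combined = set()
        for ports in vms.values():
            combined |= primary_functions(ports)
        result[host] = tuple(sorted(combined))
    return result


if __name__ == "__main__":
    for host, vm, funcs in violations_per_vm(INVENTORY):
        print(f"VIOLATION (2.2.1, per VM): {host}/{vm} runs {', '.join(funcs)}")
    for host, funcs in functions_per_host(INVENTORY).items():
        print(f"{host}: functions across all VMs = {funcs or ('none',)}")
```

Run as a script, the check flags only esx-02/app-01, where the web server and the database share a VM; esx-01 hosts two functions but in separate VMs, which is exactly the arrangement v2.0 permits.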

The clarification is important because it allows organizations that have held back from virtualizing systems that are required to be PCI compliant to proceed with their virtualization program, said Prafullchandra.

A whitepaper HyTrust published alongside the standard, describing a PCI-compliant cloud reference architecture, also outlines configuration guidelines and "best practices" information for organizations interested in moving their credit card processing systems to the cloud, according to HyTrust.

The cardholder data environment (CDE) refers to the systems that process, store or transmit cardholder data or sensitive authentication data, said Prafullchandra.

Cardholder data consists of the primary account number (PAN), either alone or together with the cardholder name, expiration date and service code. The full contents of the magnetic stripe (track data), card verification codes and PINs are classified separately as sensitive authentication data, which the standard does not permit to be stored after authorization even if encrypted.

The cardholder data environment doesn't apply only to systems belonging to Visa, MasterCard and banks, said Renata Budko, co-founder and vice-president of marketing at HyTrust. It also includes "anyone that takes credit card information," and they also need to follow the compliance rules, she said.

As part of the whitepaper collaboration, HyTrust, Cisco, VMware and Coalfire developed and implemented the reference architecture in Savvis Labs. Even though the standard is intended to be vendor agnostic, the authors of the PCI-compliant cloud reference architecture whitepaper concluded that a PCI-compliant cloud could be achieved by enabling security controls available in technologies from VMware, Cisco and HyTrust.

Some of the big names in the virtualization space collaborated on the PCI DSS 2.0. Members of the PCI DSS Virtualization Special Interest Group (vSIG) included Cisco, VMware, HyTrust, Coalfire, and Savvis.

While the standard is available for review, it doesn't go into effect until Jan. 1, 2011. Additional guidance on how to secure the cardholder data environment with virtual system components will be provided by vSIG later this year, according to HyTrust.

PCI DSS 2.0 also included updates to its log management requirements.