Enterprises get new guidance on PCI compliance in virtual environments

PCI Security Standard Council's document should benefit greatly, analysts say

Enterprises got some much needed clarification on the implementation of PCI requirements in virtualized environments on Tuesday.

The PCI Security Standards Council, the body that administers the Payment Card Industry Data Security Standard (PCI DSS),has released a comprehensive set of guidelines that companies can use to ensure that their virtual environments are compliant with PCI requirements.

The council's 39-page guidance document ( PDF document ) describes in detail how each of the 12 broad PCI security controls that are mandated for logical environments, need to be applied in a virtual setting. One section provides examples of how virtualization can impact each PCI requirement, and recommends best practices for addressing them.

"The guidelines really address all aspects and usage of virtualization," by organizations that are covered under PCI rules, said Kurt Romer, chief security strategist at Citrix Systems and chairman of the PCI special interest group that drafted the document.

"We put out the document to help people understand how they should be looking at [virtualization]," from the PCI standpoint, Romer said.

One important area that the document covers relates to the hypervisor technologies that are used in hardware virtualization. The guidance makes it clear that hypervisors fall under the scope of PCI requirements if any virtual component connected to the hypervisor it is covered under PCI, he said.

Similarly, the document also makes some important recommendations for mixed-mode environments in which companies might choose to run PCI workloads alongside non-PCI data on the same virtual machine. The document for instance, spells out how in-scope and out of scope workloads need to be segmented and the additional measures needed to achieve that in a virtual environment, Romer said.

The PCI council's latest guidance also makes important recommendations with regard to PCI compliance in cloud environments. It spells out the extent to which enterprises are responsible for ensuring compliance and the extent to which cloud vendors are responding for ensuring the right controls are in place.

The document notes that companies which choose to have their PCI workloads hosted on multi-tenant, public cloud infrastructures need to ensure that their cloud vendors have additional controls for protecting their data.

Those challenges involved in protecting PCI data in a multi-tenant environment, "may make it impossible for some cloud-based services to operate in a PCI DSS compliant manner," the document noted. "Consequently, the burden for providing proof of PCI DSS compliance for a cloud-based service falls heavily on the cloud provider, and such proof should be accepted only based on rigorous evidence of adequate controls."

The guidance document should sort out some of the prevailing confusion surrounding the applicability of PCI in virtual settings, said Jim Huguelet, an independent PCI consultant.

"This is the best document that the PCI Security Standards Council has written to date in terms of really thinking about the breadth of the [issue] and then providing specific recommendations and best practices," Huguelet said.

The clarifications surrounding hypervisors and mixed-mode environments are particularly useful because of the uncertainty that has surrounded both topics for sometime, he said.

"Traditionally there's been a fair degree of ambiguity as to how PCI applied to virtual environments," added Richard Park, product manager at Sourcefire. "The guidelines make it more explicit how PCI is applicable to virtualization."

As examples, Park pointed to sections in the guidance document that spell out how firewalls need to be used to provide segmentation between different workloads and how specialized intrusion detection and intrusion prevention tools might sometimes be needed to monitor traffic in virtual environments.

Also key are recommendations on how companies need to separate server administration and security administration tasks in virtual environments to ensure appropriate segregation of duties.

"Virtualization was one of the biggest areas left untouched [by PCI rules]," said Avivah Litan, an analyst with Gartner. "It was unknown territory for a lot of people."

"This is one of the more helpful documents," Litan said. "This really fleshes things out."

Jaikumar Vijayan covers data security and privacy issues, financial services security and e-voting for Computerworld. Follow Jaikumar on Twitter at @jaivijayan or subscribe to Jaikumar's RSS feed. His e-mail address is jvijayan@computerworld.com.

Read more about data security in Computerworld's Data Security Topic Center.

Join the newsletter!

Or

Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.

Tags data securitydata protectionfinanceFinancial Servicesindustry verticalsPCI Security Standards CouncilCitrix Systems

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Jaikumar Vijayan

Computerworld (US)
Show Comments

Brand Post

Most Popular Reviews

Latest Articles

Resources

PCW Evaluation Team

Luke Hill

MSI GT75 TITAN

I need power and lots of it. As a Front End Web developer anything less just won’t cut it which is why the MSI GT75 is an outstanding laptop for me. It’s a sleek and futuristic looking, high quality, beast that has a touch of sci-fi flare about it.

Emily Tyson

MSI GE63 Raider

If you’re looking to invest in your next work horse laptop for work or home use, you can’t go wrong with the MSI GE63.

Laura Johnston

MSI GS65 Stealth Thin

If you can afford the price tag, it is well worth the money. It out performs any other laptop I have tried for gaming, and the transportable design and incredible display also make it ideal for work.

Andrew Teoh

Brother MFC-L9570CDW Multifunction Printer

Touch screen visibility and operation was great and easy to navigate. Each menu and sub-menu was in an understandable order and category

Louise Coady

Brother MFC-L9570CDW Multifunction Printer

The printer was convenient, produced clear and vibrant images and was very easy to use

Edwina Hargreaves

WD My Cloud Home

I would recommend this device for families and small businesses who want one safe place to store all their important digital content and a way to easily share it with friends, family, business partners, or customers.

Featured Content

Product Launch Showcase

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?