The Payment Card Industry Security Standards Council (PCI SSC) has issued new guidance to help IT administrators deploy and manage cloud environments and virtual data centres while ensuring PCI Data Security Standard (DSS) compliance where necessary.

The PCI DSS Virtualisation Guidelines Information Supplement, released June 14, covers a number of virtualisation areas, including different types of virtualisation, specific notes on cloud computing and how to ensure “mixed” virtual environments are compliant, Bob Russo, the general manager of the PCI Council, told eWEEK.

The guidance does not contain new requirements or standards but is intended to be a primer on how to ensure virtual environments comply with the existing PCI DSS 2.0 standard.

Further Clarification Of Regulations

Virtualisation technology introduces new risks that may not have existed in the physical environment, Kurt Roemer, chief security officer at Citrix Systems and chairman of the Virtualisation Special Interest Group, told eWEEK. The Virtualisation SIG comprises 33 PCI-member organisations that drafted the latest guidance.

Data stored in virtual environments is already covered by PCI DSS 2.0, which went into effect in January. PCI-compliant organisations do not have to start from scratch when looking at this guidance, Russo said. Merchants and vendors “asked for additional clarity”, and the guidance provides the explanation and details for each requirement in the context of virtualisation, Russo said.

The Virtualisation SIG looked at each requirement in PCI DSS and examined it within the context of the virtual environment. The guidance provides additional details around each requirement, Roemer said.

For example, a PCI DSS requirement specifies that administrators have to segment PCI workloads from other workloads. The guidance applied the requirement to the virtual environment to note that firewalls must segment virtual machines with different “trust zones” in a single environment, according to the document. This is especially important in a multi-tenant public cloud environment, Roemer said.

Virtual hosts are now subject to the requirement that administrators “limit access to system components and cardholder data to only those individuals whose job requires such access”, according to the guidance document, suggesting that organisations will need to implement access controls on the hypervisor, host and other components.

No Single Method Advised

The PCI Council avoids endorsing any type of technology or technique in its guidance, leaving the actual implementation to the individual enterprise. Numerous areas will evolve, such as storage, virtual networking and cloud computing, but the requirements to manage the technology should not change, Troy Leach, PCI Council’s chief standards architect, told eWEEK. Future guidance and standards will address evolving risks, Leach said.

“There is no single method for securing virtualised environments,” Russo said.

The SIG originally started out looking at server virtualisation because that was what most members were focusing on as part of their virtualisation efforts, Roemer said. However, the group discovered there were other usages, such as for applications, desktops and storage servers.

The guidance affirms that if virtualisation technologies are being used in the cardholder data environment, PCI DSS requirements must be applied. A key finding from this guidance was that even if the organisation was running the application, database or storage system on a virtual machine, the merchant needed to treat it as if it were on a physical server, Russo said.

At the same time, Cisco announced it will be releasing a Cisco PCI Solution for Retail Design and Implementation Guide at the end of the month to help enterprises and retail customers with an in-depth guide on how organisations can achieve PCI compliance. Lindsay Parker, global retail industry director at Cisco, told eWEEK that the document, an update to a previous guide, provides guidance for different types of “store footprints”, such as size of the retail organisation and the type of services provided.

A Cook’s Tour Of PCI

The PCI implementation guide is “comparable to a cookbook, a how-to manual” on securing the organisation’s systems, including virtual and wireless infrastructure, Parker said. Unlike the guidance from the PCI Council, Cisco’s document is unabashedly promoting Cisco’s and its partners’ products, including HyTrust, RSA Security and EMC, according to Parker.

“While it would be nice” if the customers bought the full range of products in order to deploy PCI-compliant virtual environments, Cisco is hoping customers can use the detailed instructions to figure out what needs to be done to achieve compliance, Parker said.

Many retail companies and enterprises tend to view PCI compliance as a “point in time exercise”, one that is done once the audit is completed, according to Parker.

At least four other industry sectors, including government, education, health care and financial services, are taking the retail guide and modifying it with industry-specific information to create customised guides for those areas, Parker said.

Fahmida Y Rashid eWEEK USA 2014. Ziff Davis Enterprise Inc. All Rights Reserved.
