Virtualization guidelines issued to supplement PCI DSS 2.0


The PCI Security Standards Council, an organization comprised of the leading credit card brands and with a mission to thwart data leakage and stop payment cardholder data fraud, on Tuesday released "PCI DSS Virtualization Guidelines."

The 39-page document provides guidance to those enterprises in the payment chain on the use of virtualization technology in relation to their compliance with the Payment Card Industry Data Security Standard (PCI DSS).

The guidance helps bring PCI DSS into the era of cloud computing, something critics had strongly urged after the last PCI DSS update in August failed to address such hot-button items as tokenization, chip-and-PIN and end-to-end encryption.


To respond to critics and advisers, the council formed special interest groups (SIGs), one of them tasked with clarifying the use of virtualization technology.

Produced under Virtualization SIG Chair Kurt Roemer, chief security strategist at Citrix Systems, with more than 30 of the council's participating organizations, the supplement aims to help merchants, service providers, processors and vendors understand how PCI DSS applies to virtual environments, including:

  • Evaluating the risks of a virtualized environment;
  • Implementing additional physical access controls for host systems and securing access;
  • Isolating the security processes that could put cardholder data at risk; and
  • Identifying which virtualized elements should be considered "in scope" for the purposes of PCI compliance.

"It is important to recognize that while the use of virtualization technology certainly offers many benefits to organizations, the complexity of virtual configurations can lead to accidental misconfiguration or entirely new vulnerabilities that the system's designers never anticipated," Bob Russo, general manager of the PCI Security Standards Council, told SCMagazineUS.com on Tuesday. "This resource helps merchants in better understanding some of these risks and how to minimize them when considering the use of virtualization in payment card environments."

The information supplement provides PCI DSS scoping guidance, Russo added, for each "virtual system component," including hypervisors, virtual machines and virtual desktops. In addition, the new document helps answer certain challenges presented by cloud computing and offers best practices that merchants and assessors should adopt to help secure payment card data in virtual environments.

The virtualization guidance appears sound and mature, offering specific recommendations, Avivah Litan, vice president and distinguished analyst at Gartner Research, told SCMagazineUS.com on Tuesday.

"This is good," she said. "Virtualization was an area that was undefined, and this document does a good job of mapping virtualization to the PCI environment."

She did warn, however, that enforcement of the standards may prove to be a challenge.

"There is a lot of conflict of interest," she said. "Security assessors are also selling remediation services. If they start using this for their financial gain, we're in trouble."

The PCI Council is planning a webinar on June 30 to further explain the findings.
