The PCI Security Standards Council, an organization comprised of the leading credit card brands and with a mission to thwart data leakage and stop payment cardholder data fraud, on Tuesday released "PCI DSS Virtualization Guidelines."
The 39-page document provides guidance to those enterprises in the payment chain on the use of virtualization technology in relation to their compliance with the Payment Card Industry Data Security Standard (PCI DSS).
The guidance helps to update PCI DSS into the era of cloud computing, a demand strongly urged after the last PCI DSS update in August failed to address such hot-button items as tokenization, chip-and PIN and end-to-end encryption.
“This is good.”
– Avivah Litan, VP and distinguished analyst at Gartner Research
To respond to critics and advisers, the council developed special interest groups (SIGs) to clarify the use of virtualization technology.
Led by Virtualization SIG Chair Kurt Roemer, chief security strategist at Citrix Systems, and more than 30 participating organizations of the council, the supplement aims to assist merchants, service providers, processors and vendors to understand how PCI DSS applies to virtual environments including:
- Evaluating the risks of a virtualized environment;
- Implementing additional physical access controls for host systems and securing access;
- Isolating the security processes that could put the card data at risk; and
- Identifying which virtualized elements should be considered "in scope" for the purposes of PCI compliance.
"It is important to recognize that while the use of virtualization technology certainly offers many benefits to organizations, the complexity of virtual configurations can lead to accidental misconfiguration or entirely new vulnerabilities that the system's designers never anticipated," Bob Russo, general manager of the PCI Security Standards Council, told SCMagazineUS.com on Tuesday. "This resource helps merchants in better understanding some of these risks and how to minimize them when considering the use of virtualization in payment card environments."
The information supplement provides PCI DSS scoping guidance, Russo added, for each "virtual system component," including hypervisors, virtual machines, virtual desktops. In addition the new document helps answer certain challenges presented by cloud computing and offers best practices that merchants and assessors should adopt to help secure their payment card data in virtual environments.
The virtualization guidance appears sound and mature, offering specific recommendations, Avivah Litan, vice president and distinguished analyst at Gartner Research, told SCMagazineUS.com on Tuesday.
"This is good," she said. "Virtualization was an area that was undefined, and this document does a good job of mapping virtualization to the PCI environment."
She did warn, however, that enforcement of the standards may prove to be a challenge.
"There is a lot of conflict of interest," she said. "Security assessors are also selling remediation services. If they start using this for their financial gain, we're in trouble."
The PCI Council is planning a webinar on June 30 to further explain the findings.