I’m trying to determine how effective the free VMware PCI Compliance Checker is. Can you give me a sense of whether...
a tool like this can actually give me clear insight into my organizational compliance posture?
If you have virtualized PCI environment in which VMware virtualization technology is in place, then the VMware PCI Compliance Checker possibly could be a useful tool in assisting with PCI compliance. Specifically, this tool collects data from servers and desktops and produces a detailed summary of which requirements have been met and which ones have not. The challenge with this tool is its interpretation of compliance for PCI versus that of a QSA. In short, differences could arise, creating constraints on the engagement.
Please keep in mind that these free tools are typically used as effective vendor marketing tools for up selling an organization to more expensive and costly tools. As a QSA, a much better approach for ensuring PCI compliance with your VMware environment is to interpret the 12 PCI DSS standard requirements, where applicable, for virtual environments. One of the biggest issues currently seen with virtualization is not provisioning, hardening, securing or locking down the hypervisor itself, as this is now in scope as being a "system component". Organizations spend time locking down the virtual matching monitors (i.e., "guest operating systems"), but are lax on the hypervisor.
And, the PCI DSS provisions have provided an excellent resource to greatly assist you in the form of a free, 39-page document titled PCI DSS Virtualization Guidelines (.pdf). This is an excellent resource that is now being used by many QSAs and numerous individuals in the PCI industry. In short, it's a must-read if you have a virtualized environment or are thinking of migrating to one.
The critical points that are highlighted within this guidance document is that organizations must really strive to meet PCI compliance in a virtualized environment, difficulties and challenges exist, and, once again, all answers and solutions are not simply black and white. The guidance paper also talks about the inherent risks of virtualization, while also providing recommendations for compliance.
In short, while VMware’s (or any vendor’s) tool may very well prove valuable, don’t assume it will correctly assess your PCI compliance posture. The guidance provided by PCI is far superior in my mind in this regard.
Related Q&A from Charles Denyer, Compliance, Frameworks
Charles Denyer explains the necessity of encrypting customer data with respect to HIPAA encryption requirements and squares out what enterprises ...continue reading
Struggling to develop an ISO implementation plan? Expert Charles Denyer offers advice on getting started with an enterprise ISO implementation.continue reading
Charles Denyer offers advice for developing a vendor compliance checklist to support a vendor review process or a third-party vendor audit.continue reading
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.