The PCI Security Standards Council is warning merchants about the complexities of protecting credit card data running in virtualized systems and cautioning that some configurations may make it nearly impossible for organizations to achieve compliance.
The PCI DSS Virtualization Guidelines Information Supplement (.pdf), issued in June, has long been awaited by merchants, qualified security assessors (QSAs) and other security experts. In addition to providing information on virtualized systems located within the network, the document addresses merchants using cloud computing services for payment transactions.
While the PCI virtualization document could help reduce the ambiguity in how QSAs assess virtualized environments, the report may be too broad, says Diana Kelley, a partner with Amherst, N.H.-based consulting firm SecurityCurve.
“There's a lot of useful information here and it's a step towards better information on how to protect cardholder data in a virtualized environment,” Kelley says. “Given the scope of this document being both virtualization and cloud, it may raise as many questions as it answers.”
The report is grounded in four basic principles: PCI DSS requirements apply to virtualization technologies if cardholder data is present; the technology introduces new risks that must be assessed; the virtual environment must be thoroughly documented to include all interactions with cardholder data; and controls and procedures will vary because there’s no one-size-fits-all configuration.
The same basic approach to physical cardholder environments is being applied to virtual environments. Merchants deploying virtualized systems can limit the scope of a PCI assessment if they segment in-scope components from out-of-scope components.
According to the PCI SSC, the hypervisor will always be in scope for PCI DSS if it connects to a system containing credit card data. Access to the hypervisor should be restricted and activity monitoring conducted. In addition, the entire VM is in scope, including the underlying operating system if it contains cardholder data or if it connects to an entry point into the card data environment. Virtual IDS/IPS, firewalls and other security appliances, as well as virtual routers and switches, will be considered in scope if they connect to in-scope system components.
“Weaknesses in hypervisor isolation technology, access controls, security hardening and patching could be identified and exploited, allowing attackers to gain access to individual VMs,” according to the PCI virtualization report.
The council also warned organizations against mixing VMs of different security levels and advised that isolating systems containing cardholder data may be impossible if the in-scope and out-of-scope components are hosted on the same hypervisor. The guidance reflects the PCI DSS, which states that organizations must implement one primary function per virtualized server to prevent functions that require different security levels from co-existing on the same server.
“As a general rule, any VM or virtual component that is hosted on the same hardware or hypervisor as an in-scope component would also be in scope for PCI DSS,” according to the council’s guidance.
Virtual applications and desktops should also be considered in scope if they are involved in the processing, storage or transmission of credit card data or provide access to the card data environment.
For organizations using public cloud service providers, the PCI council warns that in multitenant environments the “physical isolation between tenants is not practical,” because all resources are shared. The document warns merchants to thoroughly understand the details of the services being offered by cloud service providers. The service provider must clearly define and document the responsibilities assigned to each party for maintaining PCI DSS requirements.
Security Curve’s Kelley says Visa provides merchants with a list of cloud service providers that have been validated for PCI. She says despite the validation, the onus is on merchants to isolate systems containing cardholder data and put effective controls in place to maintain PCI compliance.
“Your cloud provider can be validated, but what is done in the provider’s cloud is the merchant’s responsibility,” Kelley says.
The PCI virtualization report was developed by the PCI Council’s Virtualization Special Interest group, chaired by Kurt Roemer, Citrix chief security strategist, and representatives from companies that include Bank of America, L.L. Bean, AT&T, HP, Savvis, Southwest Airlines, VMware and Verizon Business.
Robert Westervelt is the news director of SearchSecurity.com. Send comments on this article to email@example.com