
Can the VMware PCI Compliance Checker assess my compliance posture?

The VMware PCI Compliance Checker claims to assess the compliance of a VMware virtual environment. Does it work? SearchSecurity has the answer.

I’m trying to determine how effective the free VMware PCI Compliance Checker is. Can you give me a sense of whether a tool like this can actually give me clear insight into my organizational compliance posture?

If you have a virtualized PCI environment in which VMware virtualization technology is in place, then the VMware PCI Compliance Checker could possibly be a useful tool in assisting with PCI compliance. Specifically, this tool collects data from servers and desktops and produces a detailed summary of which requirements have been met and which ones have not. The challenge with this tool is that its interpretation of PCI compliance may differ from that of a QSA. In short, differences could arise, creating constraints on the engagement.

Please keep in mind that these free tools are typically used as effective vendor marketing tools for upselling an organization to more expensive tools. As a QSA, a much better approach for ensuring PCI compliance with your VMware environment is to interpret the 12 PCI DSS standard requirements, where applicable, for virtual environments. One of the biggest issues currently seen with virtualization is not provisioning, hardening, securing or locking down the hypervisor itself, as it is now in scope as a "system component". Organizations spend time locking down the virtual machine monitors (i.e., "guest operating systems"), but are lax on the hypervisor.

The PCI DSS provisions have also provided an excellent resource to greatly assist you, in the form of a free, 39-page document titled PCI DSS Virtualization Guidelines (.pdf). It is now being used by many QSAs and numerous individuals in the PCI industry. In short, it's a must-read if you have a virtualized environment or are thinking of migrating to one.

The critical points highlighted within this guidance document are that organizations must really strive to meet PCI compliance in a virtualized environment, that difficulties and challenges exist, and, once again, that not all answers and solutions are simply black and white. The guidance paper also discusses the inherent risks of virtualization, while also providing recommendations for compliance.

In short, while VMware’s (or any vendor’s) tool may very well prove valuable, don’t assume it will correctly assess your PCI compliance posture. The guidance provided by PCI is far superior in my mind in this regard.

This was last published in September 2011
