The PCI Data Security Standard is often described as prescriptive, but some security experts are concerned about its lack of virtualization-specific guidance.
An updated version of the standard released in October clarified a number of issues, but Randall Gamby, an analyst at Burton Group, noted in a Dec. 1 report that it continues to overlook virtualized environments.
"The PCI DSS still doesn't officially recognize virtualized servers, even though they are being used today in many data centers," he wrote. "This means that no acceptable requirements exist for QSAs (Qualified Security Assessors) to audit these technologies for compliance, so QSAs must use their own judgment to determine whether organizations that implement virtualized servers meet the PCI requirements."
In a phone interview, Gamby said a general problem with the standard is that it leaves room for interpretation by QSAs, creating the risk that an organization might be deemed non-compliant by a QSA even if it followed the rules; virtualization compounds this problem.
"We as analysts struggle to figure out what security is in the virtualized world, let alone someone with an audit attestation responsibility trying to figure out what that really means, especially when it comes to PCI," he said.
Christofer Hoff, a chief security architect at Unisys Corp. and a frequent speaker on virtualization security, wrote about the need for the PCI Security Standards Council to address the challenges associated with virtualization and PCI compliance on his blog, Rational Survivability.
"The PCI Security Standards Council doesn't even have a SIG [special interest group] for virtualization and yet we see the crushing onslaught of virtualization with no guidance and this tidal wave has been rushing at us for at least 3-5 years," he wrote.
Hoff applauded the recent addition of VMware to the PCI Security Standards Council (SSC), calling it a wise move. VMware announced Nov. 12 that it was joining the PCI SSC and would provide feedback to help develop PCI DSS so that VMware customers can become compliant.
Gamby was encouraged by the addition of VMware to the council, but added that members simply pay $2,000 to join. VMware is just one of 500 participating organizations plus the five card brands, which have the biggest voice in the standard, he said.
"It's a whisper in a corner, but there has been pent-up demand for them to address virtualized services, so it's encouraging," he said.
Asked through a spokesperson if there is a timeline for updating PCI DSS with virtualization-specific guidelines and whether there is a plan to form a virtualization SIG, Troy Leach, PCI SSC technical director, responded via email.
"Virtualization is an important issue to our members. We are seeing a rise in the use of virtual servers in the marketplace and by our participating organizations. As a result, the council is evaluating various options for the New Year to address more formally, with our participating organizations, how virtualization applies to the current requirements of the PCI Data Security Standard and where we take the DSS in the future," he said.
"The council tries to maintain a technology-neutral approach and address specifically the risk associated with the cardholder data environment," he added. "The council is currently evaluating, in partnership with our participating organizations and assessor community, whether the current requirements of version 1.2 of the PCI Data Security Standard mitigate emerging threats and vulnerabilities related to virtual components. The council hopes to provide clarity on the topic in the upcoming year."
Hoff, in a phone interview, said PCI DSS is very broad, so he understands why the council needs to be careful in making changes to it. Still, the business impact of a technology that's seeing such growth must be addressed sooner rather than later, he said.
He's been frustrated by the council's lack of response to forming a virtualization SIG, something he and others had been offering help with. In October, Hoff got a short response from the PCI SSC saying there was no such SIG, and no firm plans to form one. The council earlier this year formed two SIGs; one addresses the security of credit card data prior to authorizing a transaction, and the other focuses on wireless transmission of credit card information.
Diana Kelley, founder and partner at consulting firm Security Curve, said the biggest concern with virtualization and PCI is the "one function per server" in Requirement 2.2.1.
"Some PCI auditors feel this means no virtualization if there are multiple functions running on the same hardware. Other auditors read the intent of the requirement to mean per server 'instance', so virtual servers are acceptable as long as they are function restricted," she said in an email.
Kelley believes that if virtual servers are properly protected according to PCI rules, such as single function per instance, access control and monitoring, "they could be part of a compliant CDE [cardholder data environment] and that it's not a big issue." However, problems could arise if virtualization is used as a de facto scope/zoning argument, she said.
"For example, if there are CDE and non-CDE virtual servers on the same hardware and the merchant/retailer argues that the virtualization alone provides adequate zoning and separation, there would still need to be firewalling -- as per PCI -- in place to separate the virtual servers into zones and proper monitoring on the hardware and virtual switching to ensure traffic isn't passing inappropriately from one server instance to another," she explained.
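As an added illustration (not code from the article or from any of the people quoted in it), the script below turns Kelley's two points into a small inventory audit an assessor or internal security team could run: each virtual server instance runs one primary function, and any host that carries both CDE and non-CDE VMs has firewalling between their network segments and monitoring on its virtual switch. The VM and host records, the `segment` and `functions` fields, and the `firewalled_pairs` representation of firewall policy are all constructed assumptions for the example; in practice this data would come from the hypervisor management API and the firewall configuration.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class VM:
    name: str
    host: str
    functions: tuple   # primary functions the instance runs, e.g. ("web",)
    cde: bool          # True if it stores, processes or transmits cardholder data
    segment: str       # VLAN / port group its virtual NIC attaches to (assumed field)


@dataclass(frozen=True)
class Host:
    name: str
    vswitch_monitored: bool   # virtual-switch traffic is captured and reviewed (assumed field)


def audit(vms, hosts, firewalled_pairs):
    """Return a sorted list of (host, finding_code, detail) tuples.

    firewalled_pairs is a set of (src_segment, dst_segment) pairs whose traffic
    passes through an enforcing firewall; this is a hypothetical representation
    of the firewall policy, not a real product's data model.
    """
    findings = []
    by_host = defaultdict(list)
    for vm in vms:
        by_host[vm.host].append(vm)
        # Requirement 2.2.1 read per instance: more than one primary function is a finding.
        if len(vm.functions) > 1:
            findings.append((vm.host, "MULTI_FUNCTION",
                             f"{vm.name} runs {', '.join(vm.functions)}"))

    for host_name, host_vms in by_host.items():
        cde_vms = [v for v in host_vms if v.cde]
        other_vms = [v for v in host_vms if not v.cde]
        if not cde_vms or not other_vms:
            continue  # single-purpose host: no co-residency question to answer
        # Virtualization alone is not zoning: every non-CDE -> CDE path needs a firewall.
        for c in cde_vms:
            for o in other_vms:
                if o.segment == c.segment:
                    findings.append((host_name, "SHARED_SEGMENT",
                                     f"{o.name} (non-CDE) and {c.name} (CDE) both on {c.segment}"))
                elif (o.segment, c.segment) not in firewalled_pairs:
                    findings.append((host_name, "UNFIREWALLED",
                                     f"{o.segment} -> {c.segment} has no firewall between them"))
        # Mixed hosts also need visibility into traffic on the virtual switch.
        if not hosts[host_name].vswitch_monitored:
            findings.append((host_name, "UNMONITORED_VSWITCH",
                             "mixed CDE/non-CDE host without virtual-switch monitoring"))
    return sorted(findings)


def run_sample():
    """Audit a constructed inventory; returns the findings list."""
    hosts = {
        "esx01": Host("esx01", vswitch_monitored=False),
        "esx02": Host("esx02", vswitch_monitored=True),
    }
    vms = [
        VM("web-pay",  "esx01", ("web",),       cde=True,  segment="cde-vlan"),
        VM("intranet", "esx01", ("web", "db"),  cde=False, segment="corp-vlan"),
        VM("db-pay",   "esx02", ("db",),        cde=True,  segment="cde-vlan"),
        VM("hr-app",   "esx02", ("app",),       cde=False, segment="cde-vlan"),
    ]
    # Constructed policy: corp-vlan -> cde-vlan traffic crosses a firewall.
    firewalled_pairs = {("corp-vlan", "cde-vlan")}
    return audit(vms, hosts, firewalled_pairs)


if __name__ == "__main__":
    for host, code, detail in run_sample():
        print(f"{host:6} {code:20} {detail}")
```

On the constructed inventory the audit flags `intranet` for running two functions, `esx01` for carrying CDE and non-CDE VMs without virtual-switch monitoring, and `esx02` for placing a non-CDE VM on the same segment as a CDE database, while the firewalled corp-to-CDE path on `esx01` produces no finding.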