The PCI Security Standards Council recently released new supplemental guidance (PDF) regarding PCI compliance considerations for the use of virtualization technologies.
While there are no new requirements here, there are numerous clarifications and suggestions for applying existing PCI DSS requirements in a virtualized environment.
As outlined in the guidance document:
There are four simple principles associated with the use of virtualization in cardholder data environments:
a. If virtualization technologies are used in a cardholder data environment, PCI DSS requirements apply to those virtualization technologies.
b. Virtualization technology introduces new risks that may not be relevant to other technologies, and that must be assessed when adopting virtualization in cardholder data environments.
c. Implementations of virtual technologies can vary greatly, and entities will need to perform a thorough discovery to identify and document the unique characteristics of their particular virtualized implementation, including all interactions with payment transaction processes and payment card data.
d. There is no one-size-fits-all method or solution to configure virtualized environments to meet PCI DSS requirements. Specific controls and procedures will vary for each environment, according to how virtualization is used and implemented.
The document then goes on to explain the various risks associated with virtualization, which are categorized as follows:
- Vulnerabilities in the Physical Environment Apply in a Virtual Environment
- Hypervisor Creates New Attack Surface
- Increased Complexity of Virtualized Systems and Networks
- More Than One Function per Physical System
- Mixing VMs of Different Trust Levels
- Lack of Separation of Duties
- Dormant Virtual Machines
- VM Images and Snapshots
- Immaturity of Monitoring Solutions
- Information Leakage between Virtual Network Segments
- Information Leakage between Virtual Components
In addition to providing detailed guidance for addressing each of the above risks, an appendix adds detailed clarifications related to each individual PCI DSS requirement that is likely to apply to virtualization technologies.
While the PCI Council is clear to point out that this document does not replace or supersede the PCI DSS itself, any organizations using virtualization technologies and needing to comply with the PCI DSS would be well advised to review this guidance to ensure these risks have been sufficiently addressed.
Jeremy Simon, PCI QSA, CISSP, CISA
Practice Lead, PCI Compliance Services