PCI Council Releases New Guidance for Virtualization

The PCI Security Standards Council recently released new supplemental guidance (PDF) regarding PCI compliance considerations for the use of virtualization technologies.

While there are no new requirements here, there are numerous clarifications and suggestions for applying existing PCI DSS requirements in a virtualized environment.

As outlined in the guidance document:

There are four simple principles associated with the use of virtualization in cardholder data environments:

If virtualization technologies are used in a cardholder data environment, PCI DSS requirements apply to those virtualization technologies.
Virtualization technology introduces new risks that may not be relevant to other technologies, and that must be assessed when adopting virtualization in cardholder data environments.
Implementations of virtual technologies can vary greatly, and entities will need to perform a thorough discovery to identify and document the unique characteristics of their particular virtualized implementation, including all interactions with payment transaction processes and payment card data.
There is no one-size-fits-all method or solution to configure virtualized environments to meet PCI DSS requirements. Specific controls and procedures will vary for each environment, according to how virtualization is used and implemented.

The document then goes on to explain the various risks associated with virtualization, which are categorized as follows:

Vulnerabilities in the Physical Environment Apply in a Virtual Environment
Hypervisor Creates New Attack Surface
Increased Complexity of Virtualized Systems and Networks
More Than One Function per Physical System
Mixing VMs of Different Trust Levels
Lack of Separation of Duties
Dormant Virtual Machines
VM Images and Snapshots
Immaturity of Monitoring Solutions
Information Leakage between Virtual Network Segments
Information Leakage between Virtual Components

In addition to providing detailed guidance for addressing each of the above risks, an appendix adds detailed clarifications related to each individual PCI DSS requirement that is likely to apply to virtualization technologies.

While the PCI Council is clear to point out that this document does not replace or supersede the PCI DSS itself, any organizations using virtualization technologies and needing to comply with the PCI DSS would be well advised to review this guidance to ensure these risks have been sufficiently addressed.

Jeremy Simon, PCI QSA, CISSP, CISA
Practice Lead, PCI Compliance Services

Enhance your security strategy to address your changing working environment and risk profile due to COVID-19. HALOCK is a trusted cyber security consulting firm, penetration testing company headquartered in Schaumburg, IL in the Chicago area servicing clients throughout the United States.

PCI DSS Requirements

PCI DSS Requirement 5.4.1: Anti-spoofing controls such as DMARC, which stands for Domain-based Message Authentication, Reporting and Conformance, Sender Policy Framework (SPF), and Domain Keys Identified Mail (DKIM) can help stop phishers from spoofing the entity’s domain and impersonating personnel.

Clarification on eCommerce Outsourcing PCI DSS requirements 6.4.3 and 11.6.1

Unpacking the New PCI DSS Password Standards

Is Your Organization Prepared for PCI DSS Automation – Requirement 10.4.1.1?

What is the PCI DSS v4 Authenticated Scanning Mandate – Requirement 11.3.1.2?

What is the PCI DSS v4.0.1 Requirement for PoLP – Requirement 7.2.5?

PCI SSC Updates SAQ A: Removal of Key eCommerce Security and New Eligibility Criteria – Requirements 6.4.3, 11.6.1, 12.3.1

The New PCI DSS v4.0.1 Software Catalog Mandate – Requirement 6.3.2

How PCI DSS 4.0.1 Tackles Service Account Vulnerabilities – Requirements 8.6.1, 7.2.5.1, 8.6.2, 8.6.3, 10.2.1.2

Are You Keeping an Inventory of Cipher Suites and Certificates for the New PCI DSS – Requirements 12.3.3, 4.2.1.1?

How to Analyze An Attestation of Compliance (AOC)

PCI Compliance New Requirements and Targeted Risk Analysis (TRA)