The PCI Security Standards Council recently released new supplemental guidance (PDF) regarding PCI compliance considerations for the use of virtualization technologies.
While there are no new requirements here, there are numerous clarifications and suggestions for applying existing PCI DSS requirements in a virtualized environment.
As outlined in the guidance document:
There are four simple principles associated with the use of virtualization in cardholder data environments:
- If virtualization technologies are used in a cardholder data environment, PCI DSS requirements apply to those virtualization technologies.
- Virtualization technology introduces new risks that may not be relevant to other technologies, and that must be assessed when adopting virtualization in cardholder data environments.
- Implementations of virtual technologies can vary greatly, and entities will need to perform a thorough discovery to identify and document the unique characteristics of their particular virtualized implementation, including all interactions with payment transaction processes and payment card data.
- There is no one-size-fits-all method or solution to configure virtualized environments to meet PCI DSS requirements. Specific controls and procedures will vary for each environment, according to how virtualization is used and implemented.
The document then goes on to explain the various risks associated with virtualization, which are categorized as follows:
- Vulnerabilities in the Physical Environment Apply in a Virtual Environment
- Hypervisor Creates New Attack Surface
- Increased Complexity of Virtualized Systems and Networks
- More Than One Function per Physical System
- Mixing VMs of Different Trust Levels
- Lack of Separation of Duties
- Dormant Virtual Machines
- VM Images and Snapshots
- Immaturity of Monitoring Solutions
- Information Leakage between Virtual Network Segments
- Information Leakage between Virtual Components
In addition to providing detailed guidance for addressing each of the above risks, an appendix adds detailed clarifications related to each individual PCI DSS requirement that is likely to apply to virtualization technologies.
While the PCI Council is careful to point out that this document does not replace or supersede the PCI DSS itself, any organization that uses virtualization technologies and must comply with the PCI DSS would be well advised to review this guidance and confirm that these risks have been sufficiently addressed.
Jeremy Simon, PCI QSA, CISSP, CISA
Practice Lead, PCI Compliance Services