Enterprises get new guidance on PCI compliance in virtual environments

PCI Security Standard Council's document should benefit greatly, analysts say

Enterprises got some much needed clarification on the implementation of PCI requirements in virtualized environments on Tuesday.

The PCI Security Standards Council, the body that administers the Payment Card Industry Data Security Standard (PCI DSS),has released a comprehensive set of guidelines that companies can use to ensure that their virtual environments are compliant with PCI requirements.

The council's 39-page guidance document ( PDF document ) describes in detail how each of the 12 broad PCI security controls that are mandated for logical environments, need to be applied in a virtual setting. One section provides examples of how virtualization can impact each PCI requirement, and recommends best practices for addressing them.

"The guidelines really address all aspects and usage of virtualization," by organizations that are covered under PCI rules, said Kurt Romer, chief security strategist at Citrix Systems and chairman of the PCI special interest group that drafted the document.

"We put out the document to help people understand how they should be looking at [virtualization]," from the PCI standpoint, Romer said.

One important area that the document covers relates to the hypervisor technologies that are used in hardware virtualization. The guidance makes it clear that hypervisors fall under the scope of PCI requirements if any virtual component connected to the hypervisor it is covered under PCI, he said.

Similarly, the document also makes some important recommendations for mixed-mode environments in which companies might choose to run PCI workloads alongside non-PCI data on the same virtual machine. The document for instance, spells out how in-scope and out of scope workloads need to be segmented and the additional measures needed to achieve that in a virtual environment, Romer said.

The PCI council's latest guidance also makes important recommendations with regard to PCI compliance in cloud environments. It spells out the extent to which enterprises are responsible for ensuring compliance and the extent to which cloud vendors are responding for ensuring the right controls are in place.

The document notes that companies which choose to have their PCI workloads hosted on multi-tenant, public cloud infrastructures need to ensure that their cloud vendors have additional controls for protecting their data.

Those challenges involved in protecting PCI data in a multi-tenant environment, "may make it impossible for some cloud-based services to operate in a PCI DSS compliant manner," the document noted. "Consequently, the burden for providing proof of PCI DSS compliance for a cloud-based service falls heavily on the cloud provider, and such proof should be accepted only based on rigorous evidence of adequate controls."

The guidance document should sort out some of the prevailing confusion surrounding the applicability of PCI in virtual settings, said Jim Huguelet, an independent PCI consultant.

"This is the best document that the PCI Security Standards Council has written to date in terms of really thinking about the breadth of the [issue] and then providing specific recommendations and best practices," Huguelet said.

The clarifications surrounding hypervisors and mixed-mode environments are particularly useful because of the uncertainty that has surrounded both topics for sometime, he said.

"Traditionally there's been a fair degree of ambiguity as to how PCI applied to virtual environments," added Richard Park, product manager at Sourcefire. "The guidelines make it more explicit how PCI is applicable to virtualization."

As examples, Park pointed to sections in the guidance document that spell out how firewalls need to be used to provide segmentation between different workloads and how specialized intrusion detection and intrusion prevention tools might sometimes be needed to monitor traffic in virtual environments.

Also key are recommendations on how companies need to separate server administration and security administration tasks in virtual environments to ensure appropriate segregation of duties.

"Virtualization was one of the biggest areas left untouched [by PCI rules]," said Avivah Litan, an analyst with Gartner. "It was unknown territory for a lot of people."

"This is one of the more helpful documents," Litan said. "This really fleshes things out."

Jaikumar Vijayan covers data security and privacy issues, financial services security and e-voting for Computerworld. Follow Jaikumar on Twitter at @jaivijayan or subscribe to Jaikumar's RSS feed. His e-mail address is

Read more about data security in Computerworld's Data Security Topic Center.

Join the CSO newsletter!

Error: Please check your email address.

Tags data securityCitrix Systemssecurityfinanceindustry verticalsFinancial Servicesdata protectionPCI Security Standards Council

More about Cisco SecurityCisco SecurityCitrix Systems Asia PacificCitrix Systems Asia PacificGartnerTopic

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Jaikumar Vijayan

Latest Videos

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

  • 150x50

    IDG Live Webinar:The right collaboration strategy will help your business take flight

    Speakers - Mike Harris, Engineering Services Manager, Jetstar - Christopher Johnson, IT Director APAC, 20th Century Fox - Brent Maxwell, Director of Information Systems, THE ICONIC - IDG MC/Moderator Anthony Caruana

    Play Video

More videos

Blog Posts