PCI: New Guidance Addresses Risks
In Virtual Environments, Data Security Standards Still Apply
Bob Russo, general manager of the council, says while virtualization offers benefits, such as cost reduction and infrastructure neutrality, it also opens the door for new and unexpected risks. And as more merchants, financial institutions and other organizations virtualize systems and services, they need to ensure those systems and services comply with payment-card protections outlined within the Payment Card Industry Data Security Standard.
"This paper helps with the payment card security programs for merchants," Russo says. "They asked for additional clarity, and we've provided it here."
And the key takeaway from the guidance, Russo says: "There is no single method for securing virtualized environments."
Released today, the PCI DSS Virtualization Guidelines Information Supplement, drafted by the council's Virtualization Special Interest Group, touches on a number of gray areas, including the different classes of virtualization, how virtualization and cloud computing differ, and how mixed-mode virtual environments should be implemented under the PCI umbrella. The supplement offers complementary information to PCI-DSS 2.0, which was released in October.
The supplement addresses four principles associated with the use of virtualization in cardholder data environments:
- If virtualization technologies are used in a cardholder data environment, PCI DSS requirements must be applied;
- Virtualization technology introduces new risks that may not be relevant to other technologies;
- Implementations of virtual technologies can vary greatly, and organizations must perform thorough discoveries to identify and document unique characteristics of their virtualized implementations, including all interactions with payment transaction processes and payment card data;
- Specific controls and procedures will vary for each environment, according to how virtualization is used and implemented.
Know the Risks
"The risks span the gamut of technology and business processes," says Kurt Roemer, chief security strategist of virtualization provider Citrix Systems and chairman of the Virtualization Special Interest Group, which comprises 33 PCI-member organizations. "People are just getting into using virtualization. And the widespread adoption of mobility and what that means for the payment card industry is something we are considering when it comes to virtualization. Information that is being transmitted versus information that is stored in a virtual environment requires different security measures."
When it comes to securing the virtual environment, it's not a "one size fits all" approach, Roemer says. "It's important to understand what kind of technologies you're working with. You could have data center, client and networking technologies. By splitting it off into those three primary areas, you can determine what areas should be sourced or outsourced or hosted. By considering all of those holistically, you can determine how PCI controls should be applied."
PCI-DSS is the baseline for securing cardholder data, Russo says. Working from that baseline, the new guidance addresses specific points of virtualization, to help merchants ensure they are complying with PCI-DSS, even when they sign with a vendor who manages the virtual platform. "In a public cloud environment, you typically have limited controls," Russo says. Merchants and other entities touching card payments need to ensure that cardholder data is protected across the chain, even if part of the chain is managed in or outsourced to the cloud.
"We need to make sure that if these virtual components are in place, and if part of them are in the cardholder data environment, that these organizations better understand how these system components could be applicable to PCI-DSS and the PCI-DSS requirements," Russo says.
For more on PCI Virtualization Guidance: Please listen to this exclusive interview with Bob Russo and Kurt Roemer.