New PCI Virtualization Guidelines Answer Some Questions, Create Others
Earlier this month, the PCI Security Standards Council (SSC) added guidelines around PCI DSS for regulatory compliance for virtualized environments that also applied to data stored in the cloud. The move represented a significant shift that addressed growing security concerns created by burgeoning IT trends, experts say.
“Over the last couple of years, we’ve seen a huge adoption of virtualization inside the enterprise, and more recently, a surge of interest in the public cloud,” said Chad Loder, vice president of security solutions for Rapid7. “This is causing many questions for PCI assessors about how the PCI standards should be interpreted in these environments. However, the basic principles of PCI are still the same, regardless of where your systems are located.”
The updated PCI DSS, known as PCI DSS 2.0, addresses virtualization by mentioning that virtual machines (VMs) can compliantly handle credit card data -- as long as each VM is used for a single purpose and keeps the data separate from the rest of the IT infrastructure.
Above all, PCI 2.0 stipulates that if virtualization technologies are used in a cardholder data environment, all PCI DSS mandates are applicable to those virtualization technologies.
The supplemented PCI also acknowledges that virtualization technology introduces new risks that must be taken into consideration and assessed when moving cardholder data to virtual environments, and also states that because virtual technologies can vary greatly, organizations will be required to perform thorough data discovery to identify sensitive data used in payment card transaction processes.
In addition, the revised PCI maintains that there is no one-size-fits-all method or solution to apply the PCI guidelines to adhere to virtualized environment and that specific controls and polices will vary for each environment, depending on how virtualization is used and implemented.
While the new virtualization guidelines paint a clearer picture of compliance for relevent IT trends, security experts say that they also could potentially create more confusion stemming from an array of interpretations.
But some industry experts said the new virtualization guidelines will make PCI compliance easier for users migrating data to virtual or private cloud environments.
“The new guidelines solve -- as opposed to create -- challenges,” said PCI expert Anton Chuvakin. “Additional council guidance solves the challenges of implementing PCI DSS controls and also assessing and scoping PCI compliance in virtual, and to a small extent, cloud environments.”
One qualified security assessor (QSA) echoes that the the new guidelines clears up a lot of confusion for customers, who previously had to guess at what activities were within the scope of compliance in virtual and cloud environments.
“Up until this point, many QSAs were either relying on vendor-driven best practices or only reviewing virtual machine configuration or physical security associated with a cloud environment,” said Nick Puetz, director of PCI compliance for FishNet Security, a Kansas City, Mo.-based solution provider. “The new guidelines go a long way in helping establish what is in-scope and which high-level controls need to be in place.”
Virtualization Guidelines In PCI Opens Up Compliance Conversations Puetz said that one of the biggest challenges would be getting the word out to customers moving data to cloud or virtualized environments. As such, the new virtualization-specific additions in PCI could mean opportunities to open new conversations with virtualization and cloud customers about compliance.
“Many clients do not understand these guidelines, mostly because they are very new and clients have not had an opportunity to read and absorb the new content or talk to their QSA’s about the new content,” he said. “Having quarterly meetings with your QSA can go a long way in keeping lines of communication open so both sides stay up to date on any changes or new happenings.”
However, other experts maintain that the vaguely worded guidelines will almost certainly present new challenges for organizations as they apply their own interpretation to the rules.
For example, Loder pointed out that the new guidance affects not only a hypervisor but potentially all the other VMs running on that hypervisor when a VM is in scope for PCI.
“Depending on how this is interpreted, this could cause a significant expansion in the scope of the cardholder data environment in organizations,” Loder said.
Ruth Xovox, chief compliance officer for PCI QSA firm ExoIS, said that challenges regarding compliance in cloud and virtual environments will likely be compounded due to the fact that many organizations continuously fail to be PCI compliant in their physical environment.
“When you’re outsourcing, it’s difficult to know what being compliant means,” Xovox said. “If you’re not compliant in your own environment, the risk increases. Typically people are not doing a lot of things they should, leaving data unencrypted, not reviewing logs, etc. (Cloud environments) become more tricky because you have less control.”
If anything, experts say, the virtualization addendum to PCI simply emphasizes that users are still required to adhere to all the same principles of the data security standard, regardless of whether their data is stored on physical, virtual or cloud environments.
During a June 10 “PCI In The Cloud” panel in San Jose, Calif., sponsored by Rapid7 and ExoIS, Eduardo Perez, head of global payment system risk for Visa, advised users to eliminate or avoid storing cardholder data wherever possible, unless there’s a viable business need to do so.
“Do you need that cardholder data?” Perez said. “The takeaway is that if you can’t eliminate it, then truncate it.”
Experts also underscore that users going to either the public or private cloud should take steps to ensure their provider is PCI compliant, and be proactive about understanding how the provider conducts risk prioritization.
“Most clients are only as aware as the cloud company is,” Puetz said. “If a cloud company advertises their services as being compliant or secure, most clients are going to take their word for it, rather than investigating this claim independently. The best advice I can give to clients is ‘trust, but verify’ the claims of any cloud service provider.”