PCI and virtualization: Enabling VMs with PCI compliance services

The new PCI DSS security standard allows merchants to run a virtualized environment and still be compliant. David Jacobs explains they will need your help with tools and processes.

Operators of PCI DSS-certified installations who have hesitated to take advantage of virtualization are now free to do so. The updated PCI DSS requirements, issued on Oct. 28, 2010, as Payment Card Industry Data Security Standard 2.0, make it clear that a virtual environment can be certified as PCI DSS-compliant.

This presents new business opportunities for channel partners. Customers moving to a virtualized PCI DSS-compliant environment will need to select and purchase security and management tools that support virtualization. For channel partners, that means helping customers redesign their facilities, select and deploy new tools, and provide ongoing assistance as the PCI Security Standards Council issues additional guidance in response to new threat types.

In this tip, we'll discuss what language in the PCI DSS regarding virtualization has changed, how a PCI DSS-compliant virtual environment should be configured and managed, and what opportunities exist for security solution providers offering PCI compliance services.

PCI and virtualization: Then and now
The previous standard -- PCI DSS version 1.2, released in October 2008 -- appeared to rule out PCI DSS certification in a virtualized environment. Requirement 2.2.1 stated, "…verify that only one primary function is implemented per server." This wording led to different interpretations. Some Qualified Security Assessors (QSAs) read the statement strictly and did not certify virtualized environments at all. Others read it to mean that a virtualized environment could be certified as long as each virtual machine (VM) implemented just one function.

However, PCI DSS 2.0 explicitly permits businesses to take advantage of the benefits of virtualization while continuing to meet PCI DSS requirements. Consider the text from the 2.0 Standard:

  • "Where virtualization technologies are in use, implement only one primary function per virtual system component."
  • "System components also include any virtualization components such as virtual machines, virtual switches/routers, virtual appliances, virtual applications/desktops, and hypervisors."

PCI and virtualization: Additional details
The certification process must cover a number of specific items, according to Navigating PCI DSS 2.0, Understanding the Intent of the Requirements, a document that accompanies the new standard. More guidance documents are expected in 2011, but the key requirements currently include:

  1. All elements within a virtualized environment must be identified and documented, including servers, applications and management facilities.
  2. All data flows between components must be identified and documented.
  3. System administrator roles must be documented. Each administrator must be granted only the privileges required for the set of assigned tasks.
  4. There must be clear segmentation of functions not requiring the same level of security, with production and test environments strictly separated.
  5. Operators are cautioned to consider the possibility of a breach of the hypervisor when determining which functions can reside on the same server.

PCI and virtualization: Environments require new tools and processes
Simply moving functions to virtual machines (VMs) is not sufficient for PCI compliance. The system and network management tools for each security and management function must be upgraded or replaced with tools designed to support virtualized environments. Products specifically designed for virtualized environments are available from companies such as Altor Networks, Catbird, and Reflex Systems.

Tool selection is critical. Virtual systems are complex, and the added complexity of PCI DSS, together with the consequences of leaving an attack avenue open to a malicious hacker, means that customers will need guidance from channel partners.

Among the specific VM requirements are:

  • Supplementing each type of protection surrounding a physical server with virtual protection components: Each VM must be isolated and protected from other VMs executing on the same server as well as from external attack. Virtual firewalls and intrusion prevention software must be placed on the virtual network internal to each server, because traffic between two VMs on one host never crosses the physical network where traditional appliances sit.
  • Adding a protection product for the hypervisor: The hypervisor in each server adds an additional target for attack. A security breach in the hypervisor opens each VM running under its control to attack.
  • Updating management software: Change and configuration management, inventory management, performance monitoring and management, vulnerability and incident management and audit tools must be upgraded or replaced with tools designed for virtualized environments. Tool automation becomes a requirement due to the increased complexity that virtualization adds.
  • Implementing network monitoring tools that provide visibility into traffic across virtual as well as physical networks: Tools must be able to track VLAN assignments and locations as VMs move between servers and must ensure card data travels only over secure physical links.

PCI and virtualization: Segregating card data
The design of the virtualized environment requires careful thought. Here, a channel partner experienced with PCI DSS and virtualization can provide valuable assistance with their PCI compliance services.

A specific set of servers must be defined as a cardholder data environment (CDE). All software functions that maintain, process or transfer card data must be confined to this portion of the network. The servers must be located in a secure environment and network links among them must not extend into non-secure areas. Applications that do not deal with card data should not be permitted to execute within the CDE.

Operator access rights must be carefully allocated to provide administrators only the rights required by their jobs. Access to card processing and data must be strictly limited to staff members who are thoroughly aware of card data security requirements. Available products from the vendors mentioned above provide the necessary controls. They enable operators to define zones to limit the movement of VMs. They also support detailed allocation of operator rights.
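The segmentation rules above (one primary function per VM, card-handling workloads confined to CDE hosts, card data only on secure links, production and test kept apart, and limits on where VMs may move) can be checked mechanically against an exported inventory rather than verified by hand at each periodic review. The following is an added example written for this tip; it is not code from the original article, from the PCI SSC or from any of the vendors named above. The inventory fields (host, zone, VLAN, functions, environment), the reserved CDE VLAN numbers and the sample hosts and VMs are all constructed assumptions; in practice the same fields would be exported from the hypervisor's management API.

```python
"""Policy-as-code audit of a virtualized cardholder data environment (CDE).

Added example for this tip, not vendor code or the PCI SSC's. It encodes the
virtualization rules discussed in the text as checks over an inventory:
one primary function per VM, CDE workloads only on CDE hosts, card data only on
CDE VLANs, VLANs actually trunked to the host a VM has migrated to, and strict
production/test separation. The inventory fields and the sample data are
constructed assumptions; in practice they would be exported from the
hypervisor's management API.
"""
from dataclasses import dataclass
from typing import FrozenSet, List, Tuple


@dataclass(frozen=True)
class Host:
    name: str
    zone: str                      # "cde" or "non-cde"; a host serves one zone
    trunked_vlans: FrozenSet[int]  # VLANs carried on the host's physical uplinks


@dataclass(frozen=True)
class VM:
    name: str
    host: str                   # hypervisor the VM is currently placed on
    functions: Tuple[str, ...]  # primary functions implemented on the VM
    vlan: int                   # VLAN the VM's vNIC is attached to
    zone: str                   # "cde" or "non-cde"
    env: str                    # "prod" or "test"


# Constructed assumption: VLANs reserved for cardholder data.
CDE_VLANS: FrozenSet[int] = frozenset({100, 101})


def audit(hosts: List[Host], vms: List[VM]) -> List[str]:
    """Return one finding per violated rule; an empty list means clean."""
    findings: List[str] = []
    host_by_name = {h.name: h for h in hosts}

    for vm in vms:
        host = host_by_name.get(vm.host)
        if host is None:
            # Every element must be identified and documented (item 1 above).
            findings.append(f"{vm.name}: placed on undocumented host {vm.host}")
            continue
        # Req. 2.2.1: only one primary function per virtual system component.
        if len(vm.functions) != 1:
            findings.append(f"{vm.name}: {len(vm.functions)} primary functions {vm.functions}")
        # Segmentation: CDE VMs only on CDE hosts, and nothing else on CDE hosts.
        if vm.zone != host.zone:
            findings.append(f"{vm.name}: {vm.zone} workload placed on {host.zone} host {host.name}")
        # Card data only on CDE VLANs, and CDE VLANs carry only card data.
        if (vm.vlan in CDE_VLANS) != (vm.zone == "cde"):
            findings.append(f"{vm.name}: {vm.zone} workload attached to VLAN {vm.vlan}")
        # After a live migration the VLAN may not exist on the new host's uplinks.
        if vm.vlan not in host.trunked_vlans:
            findings.append(f"{vm.name}: VLAN {vm.vlan} is not trunked to host {host.name}")

    # Production and test must be strictly separated: no host may mix them.
    envs_per_host = {}
    for vm in vms:
        envs_per_host.setdefault(vm.host, set()).add(vm.env)
    for name, envs in sorted(envs_per_host.items()):
        if len(envs) > 1:
            findings.append(f"{name}: mixes {' and '.join(sorted(envs))} workloads")

    # A CDE VLAN trunked to a non-CDE host extends the CDE into a non-secure area.
    for host in hosts:
        leaked = host.trunked_vlans & CDE_VLANS
        if host.zone != "cde" and leaked:
            findings.append(f"{host.name}: non-CDE host carries CDE VLAN(s) {sorted(leaked)}")
    return findings


# Constructed sample inventory with deliberate violations.
HOSTS = [
    Host("esx-cde-01", "cde", frozenset({100, 101})),
    Host("esx-cde-02", "cde", frozenset({100})),           # VLAN 101 missing
    Host("esx-gen-01", "non-cde", frozenset({200, 201})),
    Host("esx-gen-02", "non-cde", frozenset({200, 101})),  # CDE VLAN leaked
]
VMS = [
    VM("pos-db", "esx-cde-01", ("database",), 100, "cde", "prod"),           # clean
    VM("pos-app", "esx-cde-01", ("web", "database"), 101, "cde", "prod"),    # two functions
    VM("pay-gw", "esx-cde-02", ("payment-gateway",), 101, "cde", "prod"),    # VLAN not trunked
    VM("intranet", "esx-cde-01", ("wiki",), 200, "non-cde", "prod"),         # non-card app in CDE
    VM("report-etl", "esx-gen-02", ("reporting",), 101, "non-cde", "prod"),  # on a CDE VLAN
    VM("hr-portal", "esx-gen-01", ("web",), 200, "non-cde", "prod"),         # clean
    VM("hr-test", "esx-gen-01", ("web",), 201, "non-cde", "test"),           # prod and test mixed
]


def sample_findings() -> List[str]:
    return audit(HOSTS, VMS)


if __name__ == "__main__":
    for finding in sample_findings():
        print("FAIL", finding)
```

Run against the constructed inventory, the audit reports seven findings: pos-app implements two functions, pay-gw sits on a host whose uplinks do not carry its VLAN, intranet is a non-card application placed inside the CDE, report-etl is a non-CDE workload attached to a card-data VLAN, esx-gen-01 mixes production and test, and esx-gen-02 has a CDE VLAN trunked to a non-CDE host. The same checks, fed by a scheduled export from the management tools, are a practical basis for the periodic reviews discussed later in this tip.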

With the growth of virtualization, a number of vendors have upgraded their existing products or developed new ones to support virtualization. But as always, products vary, and each customer must select the options best suited to their needs. Channel partners can help guide this selection by lending their expertise in PCI DSS and virtualization.

In addition to initial tool selection and deployment, channel partners can provide valuable ongoing PCI compliance services and assistance to their customers. Partners should keep up to date on additional requirements and suggestions from the PCI Security Standards Council. They should schedule periodic reviews to ensure no changes have been made that violate the standard and review adherence to management policies to make sure administrators have continued to follow the policies put in place when virtualization was first introduced.

About the author:
David B. Jacobs of The Jacobs Group has more than twenty years of networking industry experience. He has managed leading-edge software development projects and consulted to Fortune 500 companies as well as software startups.
