This morning the Payment Card Industry (PCI) Security Standards Council, which creates standards with which anyone handling credit card data must comply, released the second version of its Data Security Standard (PCI DSS 2.0).
One of the most important aspects of this new standard for virtualization pros is how specifically the PCI DSS requirements will address server virtualization. Previous versions of the standard have specified that payment card information must be kept separate from general corporate data, but what exactly does “separate” mean?
More importantly, in a converged virtual environment, are virtual security measures like VMware’s VMsafe and vShield products enough to pass muster as separating PCI infrastructure from the rest of the network? Until detailed guidance on server virtualization is made an official part of the standard, it remains up to the auditor — and auditors’ attitudes toward and knowledge of how virtualization works vary widely.
As far as the general standard goes, the following information has been made available publicly by the PCI Security Council in a note to press this morning:
- Virtual technologies have been incorporated into the DSS definition of system components, and also into requirement 2.2.1, which was updated to illustrate how the intent of “one primary function per server” could be applied to a virtual server environment. (Ed. note: Documentation on this will be available on the PCI Council’s website at noon ET today.)
- If you’re working in a virtual environment, there are considerations that people must look into. The standards are all based on system components, so the technical implementation of the specific virtualized environment will determine what needs to be reviewed.
- The new standard aligns physical with virtual: when we say system component, when you have virtualization environment, that language was previously open for interpretation. Now it encompasses virtual environments.
- Future detailed guidance will come from the Virtualization SIG.
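As an added illustration (not part of the original post, and not code or guidance from the PCI Council or its Virtualization SIG), the script below shows how the “one primary function per server” intent of requirement 2.2.1, and the separation of payment card systems from general corporate data, can be checked against a virtual machine inventory. The inventory format, hostnames, function tags and scope flags are constructed for the example; whether co-residency of in-scope and out-of-scope VMs on one hypervisor is acceptable remains a question for the assessor, so the script only surfaces it for review.

```python
"""
Added example, not from the original post or from the PCI Council: apply the
"one primary function per server" intent of requirement 2.2.1 to virtual
machines, and flag hypervisor hosts that mix in-scope (cardholder data) VMs
with general corporate VMs. Inventory format and values are constructed.
"""
from collections import defaultdict

# Constructed inventory: each VM lists its hypervisor host, the primary
# functions it provides, and whether it is in PCI scope.
INVENTORY = [
    {"vm": "web01",  "host": "esx-a", "functions": ["web"],             "pci_scope": True},
    {"vm": "db01",   "host": "esx-a", "functions": ["database"],        "pci_scope": True},
    {"vm": "app01",  "host": "esx-b", "functions": ["web", "database"], "pci_scope": True},
    {"vm": "hr01",   "host": "esx-b", "functions": ["file-share"],      "pci_scope": False},
    {"vm": "mail01", "host": "esx-c", "functions": ["mail"],            "pci_scope": False},
]


def vms_with_multiple_functions(inventory):
    """Return VM names that carry more than one primary function.

    This is the 2.2.1 intent applied per virtual server rather than per
    physical box: a web server and a database on one VM is one finding.
    """
    return sorted(vm["vm"] for vm in inventory if len(set(vm["functions"])) > 1)


def mixed_scope_hosts(inventory):
    """Return hypervisor hosts running both in-scope and out-of-scope VMs.

    The standard does not say here whether such co-residency is allowed; the
    check only makes the situation visible so an assessor can decide.
    """
    scopes = defaultdict(set)
    for vm in inventory:
        scopes[vm["host"]].add(vm["pci_scope"])
    return sorted(host for host, seen in scopes.items() if seen == {True, False})


def report(inventory):
    """Build a list of human-readable findings for review."""
    findings = []
    for name in vms_with_multiple_functions(inventory):
        findings.append(f"{name}: more than one primary function on a single VM")
    for host in mixed_scope_hosts(inventory):
        findings.append(f"{host}: in-scope and out-of-scope VMs share this hypervisor")
    return findings


if __name__ == "__main__":
    for line in report(INVENTORY):
        print(line)
```

Run against the constructed inventory, the script reports app01 (two primary functions on one VM) and esx-b (an in-scope VM sharing a host with a corporate file share). In practice the inventory would be exported from the virtualization management platform and the scope flag would come from the organisation’s own scoping records.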
So, huzzah, virtual servers are now officially “in scope” for PCI. I understand this to mean that the most persnickety auditors will no longer be allowed to just declare any kind of virtualization anathema for PCI compliance. But that last bullet point is the really important part for anyone trying to actually run a compliant virtualization environment, and, of course, that’s where things get pretty loosey-goosey.
A PCI virtualization special interest group (VirtSIG) created a draft document offering a reference architecture for PCI-compliant virtualization last October, which has been relied upon by some auditors as a guide to evaluating virtualized infrastructure. Another version of this document – which, based on information available at this point, could conceivably remain a non-binding draft, or become officially ratified and part of the standard — is slated to be released…later.
There are indications VMware and some partners will put out a whitepaper with a reference architecture for PCI and virtualization next month, but that whitepaper is not tantamount to the official PCI SIG’s guidance, just the vendors’ interpretations. Sources say last October’s document is the latest draft that’s widely available, but that major changes have been made to more recent versions.
So, to summarize: we now know virtual machines are not inherently contradictory to the idea of separate infrastructure for PCI compliance. But what about VLANs? Virtual switches? Virtual firewalls? And what are the reference configurations for all of the above?
For that, the virtualization market still has to wait.