PCI DSS v2.0 – What Your QSAs Will Be Looking For

PCI DSS v2.0 May Accelerate Adoption of Virtualization and Virtualized Data Center Security

This past October the PCI Security Standards Council (PCI SSC) released v2.0 of the Payment Card Industry Data Security Standard (PCI DSS), and by so doing may have accelerated the adoption of virtualization and virtualized data center security.

The new version contains a number of changes and clarifications, but among the most noteworthy is its explicit treatment of virtualization: a virtual machine (VM) is a system component, just as a server is in the physical network. For any organization that had been waiting for PCI DSS to state that a VM equals a server before proceeding with a virtualization project, the light is now green. The more difficult task, building a virtual data center that actually complies with PCI DSS v2.0, lies ahead.

As is typical, the language in the standard is not prescriptive, but it does lay out the requirements for network protection needed to safeguard cardholder data at rest and in motion. Qualified Security Assessors (QSAs), who typically help large organizations produce a Report on Compliance (ROC), must educate themselves on virtualization as well as virtualization-specific security controls and technologies in order to help their clients pass an audit. In theory, the goals of network architecture for PCI compliance are the same for the virtualized network designer. Among the standard's control objectives, the ones most affected by virtualization are that an organization must:

– Build and maintain a secure network

– Maintain a vulnerability management program

– Regularly monitor and test networks

– Maintain an information security policy

But the virtualized data center does create some unique challenges for PCI compliance. While this list isn’t all-inclusive here are the most prominent ones:

1. Lack of visibility – traffic between VMs on the same host is switched inside the hypervisor's virtual switch and never reaches the physical network, so firewalls, IPSes and other network security devices are not in the traffic path. Monitoring and testing the virtual network therefore requires technology that sits inside the hypervisor or forces inter-VM traffic through an inspection point

2. Segmentation and separation of duties in a network without physical boundaries – in the virtualized network, servers and networks are grouped logically, not necessarily physically (e.g. the single group "PCI servers" might consist of VMs residing on hosts in different data centers). To enforce segmentation and separation of duties, access policies have to be tied to logical groupings rather than to physical hosts, switch ports or IP addresses

3. Live migration – unlike physical servers, VMs can move from one physical host to another in search of more memory, computing resources and so on. A VM may therefore cross zones of trust, landing on a host where the security policy is less restrictive than it should be for an in-scope PCI server; unless policy follows the VM, the move silently changes the audit scope

4. Single function per server or VM – if a VM equals a server, then for the purposes of PCI DSS Requirement 2.2.1 (one primary function per system component) it must be isolated just as a physical server is, so that unnecessary applications and services cannot be installed on that VM

To help you create a PCI audit-worthy virtualized data center, your QSA will need to understand your existing and planned architecture so they can confirm that virtualizing in-scope workloads does not negatively affect your audit results. They will be looking for evidence that items 1 through 4 above are not areas of risk in your environment, and will provide guidance on how to mitigate them if they are. If you want to expedite their efforts and minimize the amount of retrofitting or re-architecting required in your virtualized environment, you will want to ensure that the following criteria are met:

1. Ensure you have the means to see and report on all inter-VM traffic, including traffic between VMs on the same host that never leaves the hypervisor, as well as traffic between VMs and the physical network

2. Logically isolate individual VMs or VM groups with a security policy that limits access to them and restricts each VM to a single primary function

3. Put in place a mechanism to inspect the traffic permitted to reach in-scope VMs, with alerting and reporting when vulnerabilities or malware are detected

4. Automatically enforce a compliance policy for in-scope VMs

5. Automatically quarantine in-scope VMs whose security posture changes to non-compliance

6. Segregate administration of the virtual network, the systems and the security functions in the virtualized data center by individual and by role in the organization

7. Define and enforce the security policy governing access to in-scope PCI servers and VMs consistently, as part of a single process, regardless of whether the workload is physical or virtual
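The challenges and criteria above boil down to three checks that can be automated: policy must be keyed to logical groups so it survives live migration (challenges 2 and 3, criteria 2 and 7), an in-scope VM must not drift onto a host outside the approved trust zone (challenge 3, criterion 5), and a VM must expose only the listeners of its one declared function (challenge 4, criterion 2). The following Python is an added illustration written for this page; it is not code from the article or from any vendor product. The hosts, VMs and listening-port inventory are constructed, and the zone names, tag names and function profiles are assumptions chosen for the example.

```python
"""Compliance checks for in-scope PCI VMs in a virtualized data center.

Added example: the inventory below is constructed and the tag, zone and
function-profile names are assumptions, not part of any standard or product.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Host:
    name: str
    zone: str  # trust zone of the physical host, e.g. "cde" or "corp"


@dataclass(frozen=True)
class VM:
    name: str
    host: str  # current physical host; the only field live migration changes
    tags: frozenset  # logical grouping used for policy, e.g. {"pci", "web"}
    listening: dict  # port -> process, as an `ss -tlnp` inventory would show


# Req 2.2.1: one primary function per (virtual) system component. Each profile
# lists the only listeners that function may expose (assumed examples).
FUNCTION_PROFILES = {
    "web": {443: "nginx", 22: "sshd"},
    "db": {5432: "postgres", 22: "sshd"},
    "admin": {22: "sshd"},
}

# Flow policy keyed by logical tags, never by host or IP address:
# (source tag, destination tag, destination port).
FLOW_POLICY = {
    ("web", "db", 5432),
    ("admin", "pci", 22),
}

# Only hosts in these zones may run VMs tagged "pci" (assumed zone name).
PCI_ZONES = {"cde"}

# Constructed inventory: two hosts inside the cardholder data environment and
# one general-purpose host outside it.
HOSTS = {
    "esx-01": Host("esx-01", "cde"),
    "esx-02": Host("esx-02", "cde"),
    "esx-09": Host("esx-09", "corp"),
}
VMS = [
    VM("web-01", "esx-01", frozenset({"pci", "web"}), {443: "nginx", 22: "sshd"}),
    # db-01 has an extra web server installed: a 2.2.1 violation
    VM("db-01", "esx-02", frozenset({"pci", "db"}), {5432: "postgres", 22: "sshd", 80: "httpd"}),
    # web-02 was live-migrated onto a host outside the PCI zone
    VM("web-02", "esx-09", frozenset({"pci", "web"}), {443: "nginx", 22: "sshd"}),
    VM("jump-01", "esx-09", frozenset({"admin"}), {22: "sshd"}),
]


def flow_permitted(src: VM, dst: VM, port: int) -> bool:
    """Allow a flow if any (src tag, dst tag, port) triple is in policy.
    Because the lookup uses tags, the answer does not change when a VM moves."""
    return any((s, d, port) in FLOW_POLICY for s in src.tags for d in dst.tags)


def migrate(vm: VM, new_host: str) -> VM:
    """Model a live migration: the physical host changes, tags travel with the VM."""
    return VM(vm.name, new_host, vm.tags, vm.listening)


def check_vm(vm: VM, hosts: dict) -> list:
    """Return compliance findings for one VM; an empty list means compliant."""
    findings = []
    zone = hosts[vm.host].zone
    if "pci" in vm.tags and zone not in PCI_ZONES:
        findings.append(f"pci VM {vm.name} is on host {vm.host} in zone {zone!r}")
    functions = sorted(t for t in vm.tags if t in FUNCTION_PROFILES)
    if len(functions) != 1:
        findings.append(f"{vm.name}: expected exactly one primary function, got {functions}")
    else:
        allowed = FUNCTION_PROFILES[functions[0]]
        for port, proc in sorted(vm.listening.items()):
            if allowed.get(port) != proc:
                findings.append(f"{vm.name}: unexpected listener {proc} on {port} for {functions[0]}")
    return findings


def evaluate(vms: list, hosts: dict) -> dict:
    """Map each VM name to its findings."""
    return {vm.name: check_vm(vm, hosts) for vm in vms}


def quarantine(vms: list, hosts: dict) -> set:
    """Names of VMs whose posture is non-compliant and should be isolated."""
    return {name for name, found in evaluate(vms, hosts).items() if found}


if __name__ == "__main__":
    for name, found in evaluate(VMS, HOSTS).items():
        print(name, "OK" if not found else "; ".join(found))
    print("quarantine:", sorted(quarantine(VMS, HOSTS)))
```

Running the block reports web-01 and jump-01 as compliant, flags db-01 for the stray httpd listener and web-02 for sitting on a host outside the PCI zone, and returns those two as the quarantine set. The point of `migrate` plus `flow_permitted` is that a tag-keyed policy still allows web-01 to reach db-01 on 5432 after web-01 moves hosts; what the move does change is the zone check, which is exactly the drift criterion 5 asks you to catch automatically.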

The items offered here are not an exhaustive list, but if you can answer yes to all seven, you have already saved yourself significant time and money in building a PCI-compliant virtualized environment.
