PCI Security Standards Council Provides Further Guidance on Virtualization and the Cloud

The wait is over. New guidance on virtualization from the PCI Council is here.


To help clear up some of the confusion around compliance in virtualized environments, the Council’s virtualization special interest group recently published a supplemental guide on the use of virtualization in accordance with the PCI DSS v2.0. Four basic principles apply:

1. PCI DSS security requirements apply to cardholder data, even if stored in virtualized environments.

2. Organizations have to assess the new risks associated with using virtualization technology.

3. The Council wants to see detailed knowledge of each relevant virtualized environment, including all interactions with payment transaction processes and payment card data.

4. There is no one-size-fits-all method or solution to configure virtualized environments to meet PCI DSS requirements and, therefore, specific controls and procedures will vary by environment.

The Council goes on to explain the classes of virtualization often seen in payment environments, including virtualized operating systems, hardware/platforms, and networks. It defines the system components that constitute these types of virtual systems, gives high-level PCI DSS scoping guidance for each, and provides practical methods and concepts for deploying virtualization in payment card environments. Additionally, the Council suggests controls and best practices for meeting PCI DSS requirements in virtual environments, making specific recommendations for mixed-mode and cloud computing environments, as well as offering guidance for understanding and assessing the risks associated with virtual environments.

No One-Size-Fits-All Solution, but . . .


While the new guidance remains as technology-agnostic as possible, cautioning that there is no one-size-fits-all method or solution to configure virtualized environments to meet PCI DSS requirements, it does call out the need for virtual firewalls to provide segmentation between different workloads, as well as the need for specialized intrusion detection and intrusion prevention tools to monitor traffic in virtual environments. Additionally, it recommends that companies separate server administration and security administration tasks in virtual environments to ensure appropriate segregation of duties in network/host controls, and it even prohibits the use of agent-based firewalls.

Further, the document makes some recommendations for mixed-mode environments in which companies might choose to run PCI workloads alongside non-PCI data on the same virtual machine. Specifically, it states: “The level of segmentation required for in-scope and out-of-scope systems on the same host must be equivalent to a level of isolation achievable in the physical world; that is, segmentation must ensure that out-of-scope workloads or components cannot be used to access an in-scope component.”
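The two points above (segmentation between workloads by a virtual firewall, and isolation between in-scope and out-of-scope components on a shared host that is "equivalent to a level of isolation achievable in the physical world") can be turned into a repeatable scoping check. The following script is an added example written for this column, not code from the PCI Council or its guidance; the inventory, host and segment names, and the allow-rule format are all constructed assumptions standing in for whatever a real hypervisor and virtual-firewall export would give you. It flags three conditions: an out-of-scope VM sharing a segment with cardholder-data VMs (no firewall between them at all), an allow-rule chain through which an out-of-scope segment can reach an in-scope one, and a hypervisor running both in-scope and out-of-scope VMs (mixed mode), which the guidance says needs isolation controls that an assessor must review.

```python
"""Scoping check for a virtualized cardholder-data environment.

Added example, not part of the PCI Council guidance or this column.
All workload, host, segment and rule values below are constructed.
"""
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Workload:
    name: str
    host: str        # hypervisor the VM runs on (constructed name)
    segment: str     # virtual switch / VLAN the VM is attached to
    in_scope: bool   # True if it stores, processes or transmits cardholder data


@dataclass(frozen=True)
class AllowRule:
    src_segment: str
    dst_segment: str
    port: int        # port the virtual firewall permits from src to dst


def build_graph(rules):
    """Directed graph of segments: an edge exists if any rule allows traffic."""
    graph = defaultdict(set)
    for rule in rules:
        graph[rule.src_segment].add(rule.dst_segment)
    return graph


def reachable(graph, start):
    """Segments reachable from `start` via any chain of allow rules (BFS)."""
    seen, queue = set(), deque([start])
    while queue:
        current = queue.popleft()
        for nxt in graph[current]:
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen


def audit(workloads, rules):
    """Return sorted (finding_type, subject, detail) tuples for segmentation gaps."""
    findings = []
    in_scope_segs = {w.segment for w in workloads if w.in_scope}
    out_scope_segs = {w.segment for w in workloads if not w.in_scope}

    # 1. Out-of-scope VM on the same segment as in-scope VMs: no firewall between them.
    for w in workloads:
        if not w.in_scope and w.segment in in_scope_segs:
            findings.append(("same_segment", w.segment, w.name))

    # 2. Out-of-scope segment that can reach an in-scope segment through allow rules,
    #    directly or transitively (e.g. corp -> mgmt -> cde).
    graph = build_graph(rules)
    for seg in sorted(out_scope_segs - in_scope_segs):
        for target in sorted(reachable(graph, seg) & in_scope_segs):
            findings.append(("reachable", seg, target))

    # 3. Mixed-mode host: in-scope and out-of-scope VMs on one hypervisor.
    scopes_per_host = defaultdict(set)
    for w in workloads:
        scopes_per_host[w.host].add(w.in_scope)
    for host, scopes in sorted(scopes_per_host.items()):
        if scopes == {True, False}:
            findings.append(("mixed_mode_host", host, ""))

    return sorted(findings)


# Constructed sample inventory: two payment VMs, one stray report server in the
# cardholder-data segment, a build agent sharing hypervisor h1, and corp/mgmt VMs.
WORKLOADS = [
    Workload("pos-db", "h1", "cde", True),
    Workload("pos-app", "h1", "cde", True),
    Workload("legacy-report", "h2", "cde", False),
    Workload("build-agent", "h1", "corp", False),
    Workload("intranet-wiki", "h2", "corp", False),
    Workload("log-collector", "h2", "mgmt", False),
]

# Constructed virtual-firewall allow rules. mgmt -> cde on 22 opens a path
# from corp into the cardholder-data segment via the management segment.
RULES = [
    AllowRule("corp", "mgmt", 514),
    AllowRule("mgmt", "cde", 22),
    AllowRule("cde", "mgmt", 514),
]


if __name__ == "__main__":
    for finding in audit(WORKLOADS, RULES):
        print(finding)
```

Removing the `mgmt -> cde` rule (or fronting the management jump host with its own in-scope controls) clears the two `reachable` findings; the `same_segment` and `mixed_mode_host` findings are inventory problems that no firewall rule fixes, which is exactly the "equivalent to physical isolation" test the guidance sets.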

So What about Cloud Computing Environments?

So what if you’re a business readying to deploy a private cloud, where you’ll be storing cardholder data? Or what if you’re thinking of a move to a public cloud? What can you take from the new guidance?

If a public cloud is what you are looking for, the obvious point is that you’ll need to fully understand what services a cloud provider is offering and conduct the due diligence necessary to identify any potential risks with such a service. Service providers are obligated to clearly identify which PCI DSS requirements, system components, and services are covered by their PCI DSS compliance program. Moreover, they must provide sufficient evidence and assurance that all processes and components under their control are PCI DSS compliant.


But back to you: if you choose to have your PCI workloads hosted on multi-tenant public cloud infrastructure, it’s still your ultimate responsibility to ensure that your chosen provider has all preventative measures and adequate controls in place for protecting your data. And it’s really important to realize that, because of all the challenges, not all cloud providers will be able to offer guarantees of operating in a PCI-compliant manner. They may, however, be able to offer you an SLA for security and PCI compliance, depending on what PCI enforcement and reporting mechanisms your provider has put in place.

In a private cloud, you have, of course, greater control, not to mention full responsibility for PCI compliance. You can separate your PCI workloads using physical network technologies or virtualization-specific ones. But one thing the new guidance does make crystal clear—no matter if you go the private or public route—is that security best not be an afterthought. If security comes first, so many other things follow, including passing those PCI audits time and time again.
