PCI guidance addresses virtualization risks for payment card transactions

The guidance is designed to “tell you what you need to know prior to trying to deploy something in a virtualized environment”, explained Bob Russo, general manager of the PCI Security Standards Council. “This paper describes well what the risks and rewards are in these virtualized environments”, he added.

The guidance provides insight into the following areas: explanation of the classes of virtualization seen in payment environments, including virtualized operating systems, hardware/platforms and networks; definition of the system components that constitute virtual systems and high-level PCI DSS scoping guidance for each; methods and concepts for deployment of virtualization in payment card environments; controls and best practices for meeting PCI DSS requirements in virtual environments; recommendations for mixed-mode and cloud computing environments; and guidance for understanding and assessing risk in virtual environments.

Kurt Roemer, chief security strategist at Citrix Systems and chair of the council’s Virtualization Special Interest Group (SIG), said that the group looked at not only existing virtualization deployment but also the impact of virtualization innovation on PCI DSS compliance.

“We considered where virtualization [posed] unique risks or required unique security aspects from technology through to auditing and made sure that these aspects were highlighted in the paper. There are no additional requirements for PCI, but it provides additional clarification on the guidance and questions you would ask as you sit down with the architectures that are designing virtualization environments, the auditors that are assessing virtualization environments, or the businesses who need to understand whether virtualization is giving them a competitive edge and enhancing their security as opposed to detracting from it”, Roemer told Infosecurity.

The SIG found that there is no single method for securing virtualized systems. Virtual technologies have many applications and uses, and the security controls appropriate for one implementation may not be suitable for another.

Roemer explained that the group examined everything from server virtualization and computing to application and desktop virtualization, including mobility and cloud computing.

Hypervisors, in particular, pose a security risk in the virtualized environment. “Because of that, you have to consider whether a hypervisor is net additive and what needs to be done to harden the hypervisor to ensure that you have the right management and administrative controls and processes in place, especially in multi-tenant environments”, Roemer explained.

Russo added that virtualization enables segmentation of different areas, such as desktops and applications. Specific security rules can then be applied to the segmented areas, which improves security overall.

The guidance also includes an appendix that provides examples of virtualization implications for specific PCI DSS requirements and suggested best practices for addressing them.
