As Companies Approach the January 1, 2012 PCI DSS 2.0 Compliance Deadline, a New Information Supplement Provides Guidance on the Scoping, Controls Necessary and Testing Procedures for Virtual Environments.

This post was also written by Chris Cwalina, Dan Herbst and Amy Mushahwar.

On Tuesday, June 14, the PCI Security Standards Council, the body that administers the Payment Card Industry Data Security Standard (PCI-DSS), released a comprehensive set of guidelines for PCI compliance in virtual card holder data environments. The Council’s 39-page guidance document (available at https://www.pcisecuritystandards.org/security_standards/documents.php) describes in detail how each of the 12 PCI security control objectives within logical environments should be applied in a virtual setting. The document – which was over two years in the making – provides clearer guidance regarding how organizations can deploy virtualized environments in a secure fashion.

As background, before virtualization technologies, the standard computing model was one computer to one operating system with that computer’s associated applications and resources. Virtualization technologies enable IT teams to combine or divide computing resources to unify many computing systems into one operating environment or to partition one server into several virtual machines. Virtualization technologies undergird important applications over a wide range of areas such as, virtual test environments, server consolidation, multiple operating system support, system migration, cloud computing and so on. Given the variety of virtualization flavors and applications, the Council in its guidance recognized there is “no one-size-fits-all method or solution to configure virtualized environments[.]”

Despite the complexity, the Council made clear that where virtualization is implemented; all components within the virtual environment must be identified and considered in scope for the PCI-DSS compliance review. The Council noted that the virtual environment requires establishment of a “defense-in-depth approach,” which includes physical controls, documented policies and procedures, and “training and educating personnel in the proper use of sensitive assets, the identification of potential security threats, and the appropriate action to be taken in the event of a breach.” Additional key standards articulated in the guidance include best practices in virtual machine platforms, in implementing mixed media and hypervisor technologies. The guidelines include requirements to “harden” hypervisor and virtual machine platforms with firewalls and other segmentation, multi-factor authentication requirements, audited logs, and other risk mitigating controls.

The Council noted particular risks to companies holding payment card data within cloud environments and using cloud vendors, who have recently had outages and breaches of their own. In doing so, the Council also recognized that varying degrees of cloud risk exist depending upon the type of cloud infrastructure selected — a public infrastructure, private infrastructure or hybrid of the two. Then, the Council articulated the typical cloud customer versus cloud service provider responsibilities in the most common types of cloud service (infrastructure as a service ‘IaaS’, platform as a service ‘PaaS’ and software as a service ‘SaaS’). In public cloud environments (particularly those utilizing the SaaS cloud type) the Council recognized that in light of the risks involved, it “may make it impossible for some cloud-based services to operate in a PCI-DSS compliant manner.” The Council recognized that “the burden for providing proof of PCI-DSS compliance for a cloud-based service falls heavily on the cloud provider, and such proof should be accepted only based on rigorous evidence of adequate controls.” Accordingly, companies using cloud-based services must perform due diligence in engaging and ensure proper protection in contracting with cloud service providers to ensure PCI-DSS compliance. Please see our recent Cloud Computing Due Diligence presentation to the CISO Executive Network  for more detail regarding the general cloud computing due diligence and contracting process.

Why does this matter?
Implementing the Guidance will be a significant technical and company organizational challenge. Entities often do not often have a full inventory of their in-house and outsourced virtual environments. And, even if they do have an inventory of virtualized environments, all within the company IT organization might not have vetted the virtual architecture. For example, the sever operations group might have setup the virtual environments, but network security group might not have vetted the security of virtual environment(s). And, the business units may not have an understanding of how much card holder data could be compromised should one virtual environment fail.

Going forward as your organization marches toward the PCI-DSS 2.0 compliance deadline, we recommend that your IT, security and business units move quickly to implement these standards in the five short months that we have left. It is critical that companies with card holder data in virtual environments: (1) inventory their virtual environments, (2) assess organizational communications roadblocks that could impair end-to-end PCI-DSS compliance, (3) determine if greater vendor warranties are necessary for outsourced solutions and (4) determine if more security products and tools are necessary internally to support the virtual environment. Once this framework is established, companies will need to memorialize the standards developed by revising its applicable policies and procedures, training programs, and controls.

Given that virtualized services are growing exponentially, this is a sector that the Council and the business community can no longer afford to ignore. With recent breaches of cloud and other virtualized environments, we see that the hacking community is no longer ignoring this segment either.