PCI Council Releases Virtualization Guidance

Today the PCI council released its PCI DSS VIRTUALIZATION GUIDELINES Information Supplement. This supplement does not add any new requirements to the standard but rather provides guidance on how to interpret the PCI DSS 2.0 standard in a virtual environment. It covers hypervisor, virtual machine, cloud computing, virtual networking and several other topics of interest. The supplement will tackle these areas:

- Explanation of the classes of virtualization including virtualized operating systems, hardware/platforms and networks
- Definition of the system components that constitute these types of virtual systems and high-level PCI DSS scoping guidance for each
- Practical methods and concepts for deployment of virtualization in payment card environments
- Suggested controls and best practices for meeting PCI DSS requirements in virtual environments
- Specific recommendations for mixed-mode and cloud computing environments
- Guidance for understanding and assessing risk in virtual environments

Here is what is sure to be the most impactful part of the guidance, the mixed-mode recommendations and the public cloud recommendations:

It is strongly recommended (and a basic security principle) that VMs of different security levels are not hosted on the same hypervisor or physical host; the primary concern being that a VM with lower security requirements will have lesser security controls, and could be used to launch an attack or provide access to more sensitive VMs on the same system.
In a public cloud environment, additional controls must be implemented to compensate for the inherent risks and lack of visibility into the public cloud architecture. A public cloud environment could, for example, host hostile out-of-scope workloads on the same virtualization infrastructure as a cardholder data environment. More stringent preventive, detective, and corrective controls are required to offset the additional risk that a public cloud, or similar environment, could introduce to an entity’s CDE.
These challenges may make it impossible for some cloud-based services to operate in a PCI DSS compliant manner. Consequently, the burden for providing proof of PCI DSS compliance for a cloud-based service falls heavily on the cloud provider, and such proof should be accepted only based on rigorous evidence of adequate controls.
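The mixed-mode recommendation quoted above is easy to state and easy to drift away from as VMs get migrated between hosts. The following Python script is an added example (not from the supplement or the original post) of the inventory check a QSA or internal assessor would want: given a VM inventory, it reports every hypervisor that carries VMs of more than one security level, and lists which hosts are pulled into scope. The inventory, the host names and the three tier labels ("cde", "connected", "out-of-scope") are constructed for the example; the rule that a host running any in-scope VM is itself treated as in scope is the convention this example follows, not a statement taken from the page.

```python
from collections import defaultdict
from dataclasses import dataclass

# Security levels used by this example (hypothetical labels, not PCI-defined terms).
# "cde" and "connected" are in scope; "out-of-scope" carries no cardholder data
# and no connectivity to the CDE.
IN_SCOPE_TIERS = {"cde", "connected"}


@dataclass(frozen=True)
class VM:
    name: str
    host: str   # hypervisor / physical host the VM currently runs on
    tier: str   # one of "cde", "connected", "out-of-scope"


# Constructed sample inventory for the example; not real data.
INVENTORY = [
    VM("pay-db-01", "hv-01", "cde"),
    VM("pay-app-01", "hv-01", "cde"),
    VM("web-marketing", "hv-02", "out-of-scope"),
    VM("pay-app-02", "hv-02", "cde"),            # shares hv-02 with an out-of-scope VM
    VM("log-collector", "hv-03", "connected"),
    VM("dev-sandbox", "hv-03", "out-of-scope"),  # shares hv-03 with a connected VM
]


def tiers_by_host(inventory):
    """Map each host to the set of security tiers of the VMs it runs."""
    hosts = defaultdict(set)
    for vm in inventory:
        hosts[vm.host].add(vm.tier)
    return dict(hosts)


def find_mixed_mode_hosts(inventory):
    """Return {host: sorted tiers} for every host running VMs of more than one
    security level, i.e. the configuration the supplement recommends against."""
    return {h: sorted(t) for h, t in tiers_by_host(inventory).items() if len(t) > 1}


def in_scope_hosts(inventory):
    """Hosts that run at least one in-scope VM. Under this example's convention
    the whole hypervisor is then in scope, including any out-of-scope VMs on it."""
    return sorted(h for h, t in tiers_by_host(inventory).items() if t & IN_SCOPE_TIERS)


def report(inventory):
    """Human-readable summary of the two checks above."""
    lines = []
    mixed = find_mixed_mode_hosts(inventory)
    if not mixed:
        lines.append("No mixed-mode hosts found.")
    for host, tiers in mixed.items():
        lines.append(f"MIXED MODE: {host} runs tiers {', '.join(tiers)}")
    lines.append("In-scope hosts: " + ", ".join(in_scope_hosts(inventory)))
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(INVENTORY))
```

Run it against an export from the virtualization platform instead of the constructed list to get a repeatable pre-assessment check; any host that appears under "MIXED MODE" either needs the VMs separated or a documented justification and compensating controls, per the supplement's recommendation.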

Let me know your feedback based on the new guidance.
You can get the new guide here: Virtualization_InfoSupp_v2.pdf

The council will also be putting on a couple of webinars that will go through this new guide in detail. Here is the info for that:


*** This is a Security Bloggers Network syndicated blog from Network World Cisco Security Expert authored by [email protected]. Read the original post at: