PCI virtualisation: With new guidelines, compliance may be harder

New guidelines on virtualisation issued by the PCI SSC show that PCI compliance is possible within a virtualised environment, but not necessarily practical.

Long-awaited guidelines on how to process payment card data in a virtualised environment have been published by the Payment Card Industry Security Standards Council (PCI SSC), but for large, distributed IT organizations, the guidance may present new challenges.

PCI DSS virtualisation guidance

The PCI virtualisation guidelines, downloadable in PDF format from the Council's website, supplement the Payment Card Industry Data Security Standard (PCI DSS) with clear advice on how organisations can take advantage of virtualisation while staying in compliance with PCI DSS. The guidance paper has been produced by a PCI special interest group consisting of more than 30 companies, including merchants, vendors and Qualified Security Assessors (QSAs).

The most revealing aspect of the paper is that PCI DSS compliance is possible within a virtual environment, something many PCI experts have questioned, and that, in some ways, virtualisation could make security easier to manage, such as with virtualised desktops where applications and data are kept in a central server.

“It’s been a lot of work over a long period. This is a technical area that has specific security implications, so we have used the expertise of our participating organisations,” said Jeremy King, European director of the PCI SSC. “They have produced an excellent document that offers guidance but does not make changes to the standard. It will help organisations analyse how they are using virtualisation.” 

The project was chaired by Kurt Roemer, chief security strategist at Fort Lauderdale, Fla.-based Citrix Systems Inc., who said the aim is to help companies streamline their efforts when adopting virtualisation, and to underline where new dangers may occur.

“We recognise that hypervisors add to the attack surface, and companies will need to make sure there are compensations for that,” Roemer said. “They need to make sure that hypervisors are locked down and they don’t have VM-to-VM communication. They also need to provide additional measures from a process perspective, and ensure administrative controls are properly enforced, especially in multi-tenanted environments.”

The paper does not focus on any one facet of virtualisation, but rather provides detailed advice on what aspects of the technology need to be considered, and how controls and processes may need to change, especially in order to protect the hypervisor from attack.

It also outlines the main security implications of virtualisation, and maps them against the 12 main requirements of the PCI DSS, indicating what actions should constitute best practice for each of the requirements.

The paper was welcomed by Etienne Greeff, professional services director at Kent-based consultancy SecureData Europe, who said the guidelines will help to clear up some uncertainty about virtualisation and whether it is acceptable when payment card data is being stored and processed.

But Greeff warned many organisations will have to restructure their teams to achieve the segregation of duties recommended by the standard: The guidance states monitoring and enforcement of appropriate separation of duties is crucial in a virtual environment. For many organisations, this would mean splitting responsibility for the virtualised infrastructure between the security and server administration teams.

“In most organisations, the virtualisation team is responsible for securing and administering the environment. The guidance is quite clear that [those duties have] to be separated. That will cause a fundamental change for many organisations,” he said.

Greeff added that an enterprise security team should ideally have the capability to monitor what VMs are running and put controls in place at the hypervisor level between VMs to prevent the mixing of VMs with different trust levels.

While this may be a challenge for some organisations, Mathieu Gorge, CEO of Dublin-based consultancy VigiTrust, believes most companies working on PCI DSS compliance will have already considered the issue.

“Separation of duties is nothing new when PCI DSS compliance is applied to virtualisation,” Gorge said. “The complexity, however, of the separation of duties is greater, though. Therefore, much more thought is required when defining these duties. In particular, permissions in relation to the hypervisor are key.”

The guidance paper stresses that VMs handling payment data should not share servers with other VMs handling less sensitive information, but Greeff said this might be hard to manage. “In the real world, it is so easy to spin up another VM, and your typical server administrator won’t know what the trust levels of different servers are. On what basis will he determine that? The [administrator is] not going to do a high-level risk assessment,” he said.
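The two controls discussed above, keeping VMs of different trust levels off the same hypervisor and splitting security duties from virtualisation administration, can be checked mechanically against an inventory. The script below is an added example written for this article; it is not code from the PCI SSC, the guidance paper or any of the companies quoted. The trust labels, role names, host names and VM names are all constructed assumptions for the example.

```python
"""Hypervisor placement and separation-of-duties checks over a constructed inventory.

Illustrative example only: the host names, VM names, trust labels and role
names are constructed for this example and do not come from the PCI SSC guidance.
"""
from collections import defaultdict
from dataclasses import dataclass

# Trust levels, most sensitive first (labels are assumptions for this example):
# "cde" = VM that stores, processes or transmits cardholder data;
# "connected" = in scope because it can reach the CDE; "out_of_scope" = the rest.
TRUST_LEVELS = ("cde", "connected", "out_of_scope")


@dataclass(frozen=True)
class VM:
    name: str
    host: str   # hypervisor the VM currently runs on
    trust: str  # one of TRUST_LEVELS


def find_mixed_trust_hosts(vms):
    """Return {host: trust levels present} for every hypervisor that runs a CDE VM
    next to a VM of any lower trust level. Each entry is a host the security
    team should review, which is the check a server administrator spinning up
    a new VM will not make by hand."""
    by_host = defaultdict(set)
    for vm in vms:
        if vm.trust not in TRUST_LEVELS:
            raise ValueError(f"{vm.name}: unknown trust label {vm.trust!r}")
        by_host[vm.host].add(vm.trust)
    return {
        host: sorted(levels, key=TRUST_LEVELS.index)
        for host, levels in by_host.items()
        if "cde" in levels and len(levels) > 1
    }


# Role names are assumptions for this example. An account holding a role from
# both sets both administers the hypervisor and controls how it is monitored,
# which is the separation of duties the guidance says must be enforced.
INFRA_ROLES = {"hypervisor_admin", "vm_operator"}
SECURITY_ROLES = {"security_monitoring", "log_reviewer"}


def find_sod_conflicts(assignments):
    """assignments: {account: set of role names}. Return the accounts that hold
    both an infrastructure role and a security role."""
    return sorted(
        acct for acct, roles in assignments.items()
        if roles & INFRA_ROLES and roles & SECURITY_ROLES
    )


# Constructed sample inventory.
SAMPLE_VMS = [
    VM("pos-db-01", "esx-a", "cde"),
    VM("pos-app-01", "esx-a", "cde"),
    VM("wiki-01", "esx-a", "out_of_scope"),  # spun up on a CDE host by mistake
    VM("pay-gw-01", "esx-b", "cde"),
    VM("jump-01", "esx-b", "connected"),
    VM("build-01", "esx-c", "out_of_scope"),
]
SAMPLE_ROLES = {
    "alice": {"hypervisor_admin"},
    "bob": {"security_monitoring", "log_reviewer"},
    "carol": {"vm_operator", "log_reviewer"},  # holds roles on both sides
}

if __name__ == "__main__":
    for host, levels in find_mixed_trust_hosts(SAMPLE_VMS).items():
        print(f"{host}: mixed trust levels {levels}")
    for acct in find_sod_conflicts(SAMPLE_ROLES):
        print(f"{acct}: holds both infrastructure and security roles")
```

Run against a real inventory, the placement check would be fed from the hypervisor management API and the role check from the identity provider; the point of keeping both as plain functions over data is that the security team can run them on a schedule without needing administrative rights on the hypervisors themselves.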

The new guidance paper also deals with virtualised systems used in a variety of cloud computing models, but seems to imply that, currently, the risks might be too high. “Adequate resource separation between tenants may not be achievable in a virtual shared hosting environment or a public cloud environment,” it concedes.

But that could be changing, according to Ken Owens, VP of security and virtualization technologies at hosting services company Savvis Inc. He said the technology is now available to provide customers with secure environments in the cloud, even when they are sharing infrastructure with other tenants. However, he conceded that it might be a while before customers feel comfortable storing sensitive data in the cloud.

“Some customers are using the cloud to provide extra processing power for PCI applications, but they are not storing cardholder data there,” Owens said, since QSAs frown on the practice. “The customers are conservative and tend to follow what their auditors say.”