Sourcefire Security Report
Executive Summary
Securing Virtual Payment Systems, an Information Supplement authored and recently published by the Virtualization SIG of the PCI Security Standards Council, provides clearer guidance on how to achieve and maintain PCI compliance in virtual environments. The new guidance is far-reaching and significantly challenges the virtualization security status quo. Virtual system administrators and security analysts must start working together immediately to ensure they will be able to satisfy it.
Overview
On June 14, 2011, the PCI Security Standards Council’s Virtualization Special Interest Group (SIG) published a long-awaited 39-page Information Supplement addressing the security of virtual systems that process cardholder data. The supplement establishes specific security guidance for virtualized cardholder data systems based on four principles:
1. If virtualization technologies are used in a cardholder data environment, PCI DSS requirements apply to those virtualization technologies.
2. Virtualization technology introduces new risks that may not be relevant to other technologies, and those risks must be assessed.
3. Implementations of virtual technologies can vary greatly, and the unique characteristics of each implementation must be identified and documented.
4. There is no one-size-fits-all method for ensuring the compliance of virtualized environments.
In the past, individual assessors had to make their own decisions about how PCI DSS requirements applied in virtual environments. The new guidance clarifies that applicability.
Given the typical structure of companies, the most significant challenge introduced by the new virtualization guidance is likely to be organizational. Many companies employ a “silo” approach to technology management and control. Server operations, for example, owns the servers; a storage group operates and