The PCI Security Standards Council (PCI SSC), an industry standards body providing management of the Payment Card Industry Data Security Standard (PCI DSS), has announced the findings of the Council's Virtualization Special Interest Group. The PCI DSS Virtualization Guidelines Information Supplement provides guidance to those in the payment chain on the use of virtualisation technology with cardholder data, in accordance with PCI DSS.
The US-based council developed Special Interest Groups (SIGs) to help clarify elements of the PCI DSS that might be considered challenging, or open to interpretation for retailers or others seeking to secure cardholder data. The use of virtualisation technology has been a chief area of interest for organisations considering its implementation in their cardholder data environments and assessors who evaluate virtualised environments as part of a PCI DSS assessment. While it provides many benefits, virtualisation also introduces new and unique risks that must be considered carefully prior to deployment, the council adds.
A product of months of effort led by Virtualization SIG Chair Kurt Roemer, Chief Security Strategist, Citrix Systems, Inc, and more than 30 organisations participating with the PCI Council, the information supplement helps merchants, service providers, processors and vendors understand how PCI DSS applies to virtual environments, including:
– Explanation of the classes of virtualisation often seen in payment environments including virtualised operating systems, hardware/platforms and networks
– Definition of the system components that constitute these types of virtual systems and high-level PCI DSS scoping guidance for each
– Practical methods and concepts for deployment of virtualisation in payment card environments
– Suggested controls and best practices for meeting PCI DSS requirements in virtual environments
– Recommendations for mixed-mode and cloud computing environments
– Guidance for understanding and assessing risk in virtual environments
The supplement also includes an appendix that provides examples of virtualisation implications for specific PCI DSS requirements and suggested best practices.
“This information supplement provides a more detailed view into the definitions and boundaries where PCI intersects with virtualisation,” said SIG Chair Kurt Roemer. “Now merchants can identify the range of questions to ask their providers and then determine the risk mitigation options available.”
The Special Interest Group's findings highlight that there is no single method for securing virtualised systems. Virtual technologies have many applications and uses, and the security controls appropriate for one implementation may not be suitable for another. Using this resource, organisations can better understand and evaluate their own environments to identify the unique risks virtualisation brings to the security of their cardholder data environment, and can plan deployments accordingly.
“Virtualisation and cloud computing in relation to PCI have been topics of great interest among our stakeholders,” said Bob Russo, general manager, PCI Security Standards Council. “I want to recognise the Virtualisation SIG and the tremendous amount of effort and collaboration that went into creating this guidance. It points to the critical importance of participation from the PCI community in helping us provide resources that help meet our stakeholders' expectations of securing cardholder data.”
The council will host a webinar on Tuesday, June 28 and Thursday, June 30 to highlight the key findings from the information supplement and how you can best use this resource. To learn more about playing a part in securing payment card data globally visit: