Version 2.0 of the Payment Card Industry (PCI) Data Security Standard (DSS) has clarified that server virtualization technology can be used in PCI-regulated environments. But users say that the standard still features some gray areas.
PCI DSS emphasizes the separation of credit card data and the equipment that processes such data from the rest of a data center's infrastructure. Prior to version 2.0, it was unclear whether virtual servers were adequately separate under PCI. This question was left to the discretion of auditors. Some tech-savvy auditors allowed virtualized servers under PCI; others mandated a separate, physical infrastructure.
Under PCI DSS, compliant virtualization is still more art than science.
While PCI DSS 2.0 goes into effect in 2011, it won't be the exclusive standard for payment card data until 2012. Until then, there will be a transition period to accommodate audits that began prior to the 2.0 ratification and to get auditors up to speed on virtualization technology. It's safe to assume that guidance from VirtSIG, the PCI Security Standards Council special interest group on virtualization, will appear sometime between now and the end of 2010.
But some organizations want additional information before they make any decisions about PCI and virtualization. Tim Connors, AT&T's director of cloud service, said he'd like to see more guidance on how to reconcile virtual servers that share the same hypervisor with another DSS requirement that the components of a PCI application -- Web, application and database servers -- be separated. Other users say they want to understand whether trunking network interfaces at the physical host level violates separation requirements under PCI.
Users forge ahead with PCI virtualization
Some organizations had already consolidated "in scope" servers into their virtual infrastructure using newer virtual security tools from VMware Inc. The London Borough of Hillingdon in the U.K., for example, already manages 200 VMs -- some that are "in scope" under PCI, and some that are not -- on the same nine-node ESX cluster.
The borough's head of IT, Roger Bearpark, said that prior to DSS 2.0, a five-node physical server infrastructure was divided into one two-node and one three-node cluster to segment sensitive data from the rest of the infrastructure. But Bearpark said it's important that his organization consolidates servers and storage as much as possible to maintain manageability and flexibility among two active data center sites, and thus, with the advent of PCI DSS 2.0, the infrastructure was further consolidated. "With a single cluster, if we lose two of the physical machines, we could redefine the remaining machines pretty easily and be back up and running quickly," he said.
The civic authority also uses VMware's vShield Edge and vShield App to segment PCI data onto separate virtual networks and to confine PCI-compliant VMs to certain hardened physical hosts within the cluster. Bearpark said this configuration passed muster with his auditor.
Your audit will still vary
With compliant virtualization still more of an art than a science under PCI, infrastructure engineer Wes Baker, who works for a retail organization, said the keys are to choose an auditor wisely and then to document, document, document. "It all comes down to the interpretation of the person doing the auditing and what their knowledge is," he said. "It's extremely important to maintain documentation and diagrams of your physical infrastructure, logical virtual infrastructure, firewall configurations and firewall rules."
Baker said that some users are tempted to harden their entire infrastructure for PCI, rather than worry about which virtual hosts reside on which physical servers; he argues this is counterproductive. "If you harden your whole environment according to PCI standards, you have no flexibility, and in a large environment it would take a team of people working full time just to maintain it. If you plan out your environment, you can just concentrate on the most sensitive data."
Bearpark admits, "A lot of the work [on PCI] that we've done till now has been educating auditors about what virtualization really means. They like to document what they can physically see. Initially, a lot of them were unprepared to evaluate virtualization."
That work is not done. Virtualization in general is now recognized by the standard, but technology marches on, Bearpark noted. IT organizations have moved beyond virtualization and consolidation to automation and cloudlike, if not full-blown, cloud environments. And tools like vShield Edge and App are still new to the IT market, let alone to security auditors. "If you tell [auditors] that the data could be here or at a secondary site, some of them kind of glaze over," Bearpark said.
Meanwhile, security experts say users need to be reminded that PCI compliance does not guarantee that payment-card data is secure. "Compliance is not security," said Edward Haletky, CEO and a virtualization security, SMB and cloud analyst for the Virtualization Practice. "Compliance is about knowing who did what when and how. It doesn't necessarily mean you're secure, it means you're auditing your environment to meet compliance."
Beth Pariseau is a senior news writer for SearchServerVirtualization.com.