Meeting PCI DSS requirements in a virtual environment

PCI DSS requirements don't address virtualized environments, but if there's a data breach, you're responsible. To avoid hefty fines, secure your hosts, VMs, storage and networking.

If your business accepts credit cards, it's probably subject to Payment Card Industry Data Security Standards (PCI DSS). These information security guidelines ensure that cardholder data is protected.

The PCI DSS requirements do not cover virtualization, and it's a gaping security oversight. In the future, however, the PCI Security Standards Council will likely adopt rules for handling credit card information in virtual infrastructures.

But you shouldn't wait for this mandate to harden sensitive data in your virtual infrastructure. This tip provides an overview of the PCI DSS requirements and audit process, as well as the steps you can take to protect credit card information.

PCI DSS merchant levels

PCI DSS requirements vary among organizations, depending on their annual volume of credit card transactions. The strictest guidelines are placed on Level 1 merchants, and the most lenient requirements are for Level 4 merchants, as defined below:

  • Level 1: more than 6 million annual transactions (all channels)
  • Level 2: 1 million to 6 million annual transactions (all channels)
  • Level 3: 20,000 to 1 million annual transactions (e-commerce only)
  • Level 4: less than 20,000 annual transactions (e-commerce only)

Enforcing PCI DSS requirements
The PCI standards address network security, access controls, encryption, password policies and physical security. Companies must follow these requirements, and a failure to do so results in hefty fines.

Different requirements and enforcement methods apply to different businesses, depending on the volume of credit card transactions that these companies process. To ensure that the busiest merchants adhere to the strictest PCI DSS requirements, for example, qualified security assessors perform annual on-site audits.

The enforcement of PCI DSS requirements is largely open to auditor interpretation. Generally, the auditor provides more leeway to systems that are not directly involved in the transmission or storage of cardholder data.

Addressing PCI DSS requirements in a virtual infrastructure
The PCI DSS requirements focus on individual servers and mostly ignore host servers, which is like locking doors in your house but leaving the front door wide open. If a host has inadequate security, a virtual machine (VM) can be easily compromised -- regardless of VM security.

Although no official PCI DSS requirements exist for virtual infrastructures, there are several other security best practices for virtual hosts and guests:

You should also protect shared storage devices and the host's virtual networking. These safeguards are especially important for iSCSI, Network File System and Fibre Channel storage. A particular best practice is to isolate storage traffic on a private network using security protocols, such as the Challenge-Handshake Authentication Protocol for iSCSI.

With virtual networking, consider deploying security applications that are designed for virtual environments. Such products include VMware vShield Zones and third-party applications from Catbird Networks, Reflex Systems and Altor Networks. These applications provide intrusion prevention systems, intrusion detection systems and virtual firewalls for VM network traffic on a host. Using a virtual firewall is especially important, because the PCI standards specifically require firewalls to isolate and protect servers that handle cardholder data. Additionally, physical firewalls cannot always protect VM network traffic that does not leave the host.

Remember that PCI audits are dictated by where the cardholder data is transmitted and stored. The more you isolate cardholder data, the easier it will be to pass your audits.

When the PCI DSS requirements eventually cover virtualization, if you have a VM that handles credit card information on a host, the entire host will be subject to audit. And live-migration technologies that move VMs around an environment will further increase the scope of the audit. Plan accordingly to reduce the number of virtual hosts that will be audited. Creating smaller host clusters for VMs that handle only cardholder data can ease this burden.
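The scoping rule just described (a cardholder-data VM pulls its host into the audit, and live migration pulls in every host the VM could land on) is easy to reason about once it is written down as a function over an inventory. The following is an added example, not code from the article or from any vendor; the host, cluster and VM inventory is constructed, and the "chd" flag marks VMs that store, process or transmit cardholder data. It computes the audit scope with and without live migration, and then shows how moving a single cardholder-data VM into a dedicated small cluster shrinks the number of audited hosts.

```python
# Constructed inventory: five hosts in two clusters, and the VMs placed on them.
HOSTS = {
    "esx01": "cluster-general",
    "esx02": "cluster-general",
    "esx03": "cluster-general",
    "esx04": "cluster-pci",
    "esx05": "cluster-pci",
}

VMS = [
    {"name": "web-store",   "host": "esx01", "chd": True},   # takes card numbers
    {"name": "intranet",    "host": "esx02", "chd": False},
    {"name": "fileshare",   "host": "esx03", "chd": False},
    {"name": "payment-gw",  "host": "esx04", "chd": True},   # talks to the processor
    {"name": "build-srv",   "host": "esx05", "chd": False},
]


def hosts_in_scope(hosts: dict, vms: list, live_migration: bool = True) -> set:
    """Hosts an assessor would audit: every host running a CHD VM and, when
    live migration is enabled, every other host in those hosts' clusters,
    because the CHD VM can be moved onto any of them at any time."""
    direct = {vm["host"] for vm in vms if vm["chd"]}
    if not live_migration:
        return direct
    scoped_clusters = {hosts[h] for h in direct}
    return {h for h, cluster in hosts.items() if cluster in scoped_clusters}


def cohabiting_vms(hosts: dict, vms: list, live_migration: bool = True) -> list:
    """Non-CHD VMs that share an in-scope host; they get audited too, even
    though they never touch cardholder data."""
    scope = hosts_in_scope(hosts, vms, live_migration)
    return sorted(vm["name"] for vm in vms if not vm["chd"] and vm["host"] in scope)


def move_vm(vms: list, name: str, new_host: str) -> list:
    """Return a new inventory with one VM relocated (the original is unchanged)."""
    return [dict(vm, host=new_host) if vm["name"] == name else dict(vm) for vm in vms]


def scope_report(hosts: dict, vms: list) -> dict:
    """Summarise scope both ways so the effect of live migration is explicit."""
    return {
        "without_live_migration": sorted(hosts_in_scope(hosts, vms, live_migration=False)),
        "with_live_migration": sorted(hosts_in_scope(hosts, vms, live_migration=True)),
        "cohabiting_vms": cohabiting_vms(hosts, vms),
    }


if __name__ == "__main__":
    print("as deployed:       ", scope_report(HOSTS, VMS))
    # Move the store front into the dedicated PCI cluster and re-run the scoping.
    consolidated = move_vm(VMS, "web-store", "esx04")
    print("after consolidating:", scope_report(HOSTS, consolidated))
```

As deployed, web-store alone drags all three general-purpose hosts into scope once vMotion is considered, so every host in the environment gets audited. After the move, only the two hosts of cluster-pci remain in scope, and the general cluster is out of the assessor's path entirely. The same function can be run against a real inventory export to find which CHD VMs are sitting in clusters that were never meant to be audited.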

When will PCI DSS requirements cover virtualization?
To be fair to the PCI council, the lifecycle to update standards takes two years. In October 2008, when the current 1.2 specification was released, data centers hadn't adopted virtualization widely. The council likely needed more time to study virtualization's effects before creating safeguards.

But don't expect virtualization requirements in version 2.0 either. Bob Russo, the general manager of the PCI council, has said the council will consider virtualization as part of the future of PCI DSS requirements, but not until later in 2010. And to make matters worse, the lifecycle for updating PCI standards will increase from two to three years -- further delaying scrutiny of virtual infrastructure.

About the author

Eric Siebert

Eric Siebert is a 25-year IT veteran with experience in programming, networking, telecom and systems administration. He is a guru-status moderator on the VMware community VMTN forums and maintains vSphere-land.com, a VMware information site.
