PCI Council Addresses Virtualization Use of Emerging Tech Poses Unique Risks for Payments Chain
The new virtualization guidance issued by the PCI Security Standards Council urges organizations to take a risk-based approach when dealing with virtualization methods, especially within cardholder data environments.

"We are recommending that organizations perform careful and thorough evaluations of those risks, carefully document those and make sure that they understand the risk," says Kurt Roemer, chief security strategist of virtualization provider Citrix Systems and head of the PCI Council's Virtualization Special Interest Group.

A key takeaway from the guidance is for organizations to consider virtualization components that meet PCI requirements. In order to prove those requirements have been met, organizations need to provide a comprehensive, consistent security baseline for secured virtual environments which reduce the effort of obtaining multiple security and compliance profiles.

The goal of the council's guidance is to aid institutions in developing an in-depth defense approach and identity preventative controls across all layers, both physical and logical.

Many new organizations are using virtual components as part of their networks. If these components are in place, "organizations better understand how these system components could be applicable to PCI DSS," Bob Russo, the council's general manager says in an interview with Roemer and BankInfoSecurity.com's Tracy Kitten [transcript below].

During this exclusive interview, Russo and Roemer discuss:

  • Virtualization and compliance with the PCI-DSS;
  • Differing classes of virtualization;
  • Why securing virtual environments cannot rely on a "one size fits all" approach.

Russo is the general manager of the PCI SSC. He has more than 25 years of high-tech business management, operations and security experience. In his role as general manager, Russo guides the PCI Council through its charter, which is focused on improving data security standards for merchants, banks and other key stakeholders involved in the global payment card transaction process. To fulfill this role, Russo works with representatives from American Express, Discover Financial, JCB, MasterCard Worldwide and Visa International to drive awareness and adoption of the PCI Data Security Standard.

Roemer is the is chief security strategist of Citrix Systems Inc., where he leads security, compliance and privacy strategy efforts and serves as a member of the Citrix CTO office. Roemer has more than 20 years of experience in the security, networking and Web services infrastructure, and has held previous positions with Micron Electronics, NetFRAME and Hewitt. Roemer has designed, implemented and assessed network, Web services and information security solutions and policies for Fortune 1000 and mid-size businesses as well as government organizations. Roemer is a Certified Information Systems Security Professional and holds a bachelor's degree in business administration from Lake Forest College.

Virtualization Guidance

TRACY KITTEN: The PCI Security Standards Council today publishes guidelines for how virtualization can and should apply with the PCI data security standard. The guidelines aim to provide guidance for merchants and others interested in understanding specific recommendations for the PCI Council on cloud computing. Bob, for the purpose of this newly issued guidance can you tell our audience a little bit about how the council defines virtualization?

BOB RUSSO: Many new organizations are using virtual components as part of their networks and this is really a cost effective way to increase their capabilities without having all the physical elements within the network. These can be anything from virtual machines to virtual appliances and applications, even virtual desktops. We needed to make sure that if these virtual components are in place, and part of them are in the cardholder data environment, these organizations better understand how these system components could be applicable to PCI DSS and the PCI assess requirements.

KITTEN: Now the PCI DSS virtualization guidelines information supplement aims to provide guidance about how the use of virtualization technology and cardholder data environments, along with various points of the payment chain, can be applied. Kurt, as chairman of the PCI Council's Virtualization Special Interest Group, what can you tell us about the guidance that stands out? Or put another way, what do you deem to be the most critical takeaways from the new guidance?

KURT ROEMER: The most critical takeaways are that virtualization is in widespread use and people are realizing the benefits today, which are tremendous benefits to any organization. But there are many associated risks, some that are new to virtualized environments, and we need to make sure that people entering into cardholder data environments with virtualization understand those risks first.

Secondly, when it comes to securing virtual systems, there is really no one size fits all. It's a risk-based approach to making sure you have the appropriate controls in place to meet PCI requirements and satisfy risks within the organization. And as part of that, we are recommending that organizations perform careful and thorough evaluations of those risks, carefully document those and make sure that they understand the risk of virtualization for the cardholder data environment before they implement.

Finally, whether in or out of scope, we need to make sure that everyone considers virtualization components that meet PCI requirements, that you can prove PCI requirements are met up-front by providing a comprehensive, consistent security baseline for secured virtual environments which reduce the effort of obtaining multiple security and compliance profiles.

Top Virtualization Risks

KITTEN: This is a question that I'd like to pose to both of you. Virtualization has many benefits but it also introduces some new and unique risks. Can you tell us what some of those risks are and why the council has taken an interest in clarifying those risks?

RUSSO: There are quite a number of unique risks that have to be considered when you're thinking about adopting virtualized technology, especially in a cardholder data environment. As an example, the hypervisor creates a new attack surface that really doesn't exist in the physical world. The variety of deployments and uses of this technology really demonstrate the need for diligence in evaluating the solutions you need to protect the client cardholder data. There's a real need for this information out there and the goal of delivering this guidance is to help the organizations develop, as Kurt mentioned before, an in-depth defense approach and identify preventative controls across all the layers, both physical and logical.

ROEMER: Some of the specific, unique risks really span the gamut of technology and business processes. We take a look at the adoption of cloud computing and people are just starting to get into utilizing computing as a service and what that means in terms of the risk profile. We take a look at multi-tenant environments where you share hosted environments and how the administration model, authorization model, data storage and transmission really need to be modified to meet the unique risk requirements within those environments. And we recognize the widespread adoption of mobility and the continued expansion and what that means within the payment card industry.

KITTEN: The new guidance also provides some pointers to help merchants assess risks when it comes to virtual environments. Can you provide some examples of the risks that merchants might be on the lookout for?

ROEMER: Those recommendations for guidance in the document really help these organizations to meet their security needs and have a good conversation with the assessors that are helping organizations to meet PCI requirements. Some of those best practices that we've identified in the paper include evaluating the risks of a virtualized environment, implementing appropriate physical access controls for host systems and securing access to those systems, isolating the security processes that could put the card data at risk and understanding which virtualized environment should be considered in scope for the purposes of PCI DSS compliance.

KITTEN: Now there are virtualization characteristics that are particularly relevant to certain PCI DSS control areas. Can you name some of those control areas?

ROEMER: When you take a look at it, all the applicable PCI DSS requirements must be evaluated for each individual environment. Each environment is going to present some different risks, objectives and technologies. Therefore each virtual implementation will need to be individually evaluated to determine the impact of the technology against PCI DSS requirements. For example, the use of virtualized networks will require emphasis on the protection of cardholder data in transit and the segregation of that traffic, whereas virtual storage area networks [SANs] may require additional attention to access control related to account numbers that may exist within storage.

Virtualization Special Interest Group

KITTEN: Bob, I'd like to go back to you for a moment. Today's findings included in the new guidelines were collected by the PCI Council's Virtualization Special Interest Group [SIG]. What can you tell us about this group such as when it was created and the role that it plays in helping the PCI Council better understand virtualization?

RUSSO: All of our SIGs do a really good job. This SIG has worked very diligently to get this out. That council really developed this thing to help clarify different elements within PCI DSS that might be considered challenging, or at least open to interpretation, for those in the payment chain seeking to secure their payment card data. Our board of advisers suggested the formation of the first SIGs. Based on market awareness, threat mitigation and the input of our participating organizations, so far SIGs working in junction with the council's technical working group have produced a bunch of additional guidance on wireless.

There was a wireless paper that was put out on the relationship, as well as PCI DSS, to EMV and they helped point out the encryption roadmap. Now we're doing virtualization. To date, more than 50 or 60 of these organizations have been involved in producing guidance that comes through the SIGs, including 33 organizations in a virtualization SIG. I can't thank Kurt enough and the other organizations involved in collaborating on this particular piece. This gets to the heart of what we're about at the council, bringing those from across the industry together to increase payment security.

KITTEN: The next question that I'm going to ask relates to some of the classes of virtualization that have specific distinctions, and either one of you can answer this question. For instance, a different class of virtualization affects operating systems than the type of class that might affect hardware platforms and/or networks. Can you explain why defining and determining these different classes or categories is so critical?

ROEMER: When you take a look at the classes and categories of virtualization, it's important to understand whether you're dealing with data center technologies, with client technologies or with networking technologies, and many of which are inner-related within virtualized environments. By splitting it off into those three primary areas, you can concentrate on areas that may be sourced, outsourced or hosted either directly or through a hosting provider out in the cloud environments, as well as the proliferation of mobile devices and endpoint virtualization that we're seeing considerably these days. In addition, the networks and virtualized networks are connecting the front-end and back-end in these environments. Considering all of those holistically, you can determine what applies in the PCI environment and how PCI DSS controls can be put in place to meet each specific PCI requirement.

KITTEN: Kurt, this is a question that I'd like for you to answer as well as Bob. The new guidance includes suggested controls and best practices for meeting PCI DSS requirements in the virtual environment. Can you tell us a little more about some of those controls as well as the best practices that the council is recommending?

ROEMER: The control areas are very similar to what we're seeing within physical environments for PCI. The control areas deal with the storage, transmission and use of data within PCI environments. Of course, virtualization introduces some new technology, as Bob had mentioned previously, hypervisors. There are other virtual components as well, and there continues to be innovation in this area where technologies that we would have considered as just being physical are now being virtualized. There are also some entirely new technologies that are just being introduced within virtual environments, and some of the virtual payment applications are a great example of that. It's important to note that even with advanced uses of virtualization, all PCI DSS requirements still apply and have to be proven. The information supplement provides guidance for how to take a look at these environments and ensure that you are considering the relevant aspects that are important to PCI.

Best Practices

KITTEN: Bob, would you like to add to that, about some of the best practices or specific controls?

RUSSO: The benefits of virtualization certainly can be great here, but a lot of the risk can be even greater. As Chris said, there are lots and lots of new things coming out and we're seeing them all the time. You really have to be cognizant of what these things are. I know merchants want to rush to get these things in because it makes their business easier to do. It makes them more profitable, in some cases, and makes the experience for their consumers much better. But you need to consider the standards when looking at these things, and that's specifically what this guidance will help you with.

KITTEN: That's a good point, Bob. And, Kurt, I'd like to go back to you for a moment. Specific recommendations for mixed mode and cloud computing environments also are provided in this new guidance. Can you tell us what mixed mode means?

ROEMER: Mixed mode is a key term and has some special applicability to cloud environments. Mixed mode refers to a virtualization configuration where both in-scope and out-of-scope virtual components are running on the same host hypervisor, and possibly other virtualized equipment, within the organization. This information supplement provides guidance on the use of mixed mode virtual environments where applicable. However, the applicability of mixed mode configurations and the acceptance of the associated risks are beyond the scope of the documents and must be considered in dealing with the rest of the payment chain. We recommend here that design goals and desired outcomes associated with mixed mode are discussed and approved by your QSA [qualified security assessor] in the design phase of any PCI-related virtualization project.

KITTEN: How does cloud computing differ from virtualization?

RUSSO: The term cloud computing refers to several different methods of using a virtualized architecture which enables multiple users to access a pool of commonly shared computing resources. In a public cloud, or even in a hybrid cloud environment, the host, the client or the merchant who is subscribing to that cloud typically has reduced visibility and limited control over the infrastructure that they're using and the services offered. Several of the same issues identified for protecting cardholder data within the virtual environment machine are also relevant to different cloud environments, such as the infrastructure in software as a service-type environment as well. The simple one-line answer to that is cloud computing often relies on virtualization to deliver computing as a service. When you take a look at cloud computing, it's really distributing computing into service components and being able to deliver individual services further providing virtualization within the environment. And cloud computing utilizes such important technologies such as server virtualization, storage virtualization, app and desktop virtualization. And within the cloud computing environment, we're seeing some real innovation from a service delivery perspective, as well as delivering advanced security. But it must be architected right in order to meet PCI requirements and the intent of the PCI framework upfront.

Top Five Virtualization Guidance Elements

KITTEN: Before we close, can you tell us what you deem to be the top five takeaways from the new guidance? To what should merchants and others along the payments chain pay special attention?

RUSSO: Just to give you an idea, this paper certainly helps with the payment card security programs that a merchant or a customer might have. And we created this because specifically they asked for it. There needs to be additional clarity specifically on this important technology, and with the key takeaways really there are two of them. There is no single method for securing virtualized environments. Organizations really have to thoroughly evaluate all of the risks and understand the impact of virtualized technologies in their own environment before they implement these things. We know that PCI DSS is your best baseline protection for cardholder data. It's been proven time and again. But ensuring that all virtualized components meet the DSS requirements, you also have to have best security baselines for your virtual environment.

KITTEN: Kurt, do you want to add anything to that?

ROEMER: As organizations are looking to leverage and embrace virtualization and cloud computing, the PCI Security Standards organization is providing a definitive set of guidance for looking at all of the key aspects of virtualization and cloud computing - from risk management and determination all the way through to auditing. As such, this is going to be a often-read document.

Around the Network