PCI Compliance and Server Virtualization

By Rich Miller

While cruising through the feed-reader, I came upon Eric Siebert's recent post regarding the release of the Payment Card Industry's Data Security Standard (PCI-DSS), version 1.2. Eric notes that “… the specification dictates what must be done to secure a server that may store or process cardholder data, but if that server happened to be a virtual guest the host server would not be considered in the scope of the specification.” He then wonders (out loud) what could be the cause of this lack of attention (see quote below).

This post reminded me of a conversation I had in August with Scott Loftesness of Glenbrook Partners, who arguably knows more about technology and the payment card industry than any five persons on the face of the planet. He pointed me to this article on why the failure of PCI DSS 1.2 to address virtualization won't matter. The author, David Taylor, is certainly no slacker. He's the VP Data Security Strategies at Protegrity, as well as the founder of the PCI Knowledge Base, Research Director of the PCI Alliance, and a former E-Commerce & Security analyst with Gartner. He takes a pragmatic approach, urging the reader not to wait for standards, and is pretty clear that he's a believer in the value of virtualization. But there still seems to be some “buck passing.” He seems to be saying to the merchants who are subject to the PCI DSS standards:

  • You need to prove to an assessor that virtualization is secure enough to pass PCI audits.
  • You need to cost-justify the amount of money required to do so.
  • You need to push on your application software vendors to warrant the security and functionality of their products in virtualized environments … something they, apparently, are often unwilling to do.

To the first point, it seems to me that best practices, standards and compliance tools or other means by which assessors can address the issue with uniformity are necessary. There are a number of security specifications for virtual hosts (one of which Eric Siebert references in his post), which, if adopted, would be a reasonably objective basis for the standards and best practices.

With these standards in place, there seems little reason why the application vendors could not address the issues of security with respect to the use of virtualized infrastructure (the hosts and networks) as well as the virtualization of the applications themselves.

This same tale is going to be told multiple times. It's not just about PCI; it will also impact standards and regulations like Sarbanes-Oxley, as well as (here it comes) the standards for data security and processing security in SaaS and IaaS environments … Yes, I mean “cloud computing.” The PCI industry has a chance to do this right up front, without the buck passing. I think I'm with Eric on this one.

Update:

It seems that while I was heads-down with a product launch, I missed Christofer Hoff's post on PCI, virtualization and clouds.

Just to be clear — I agree with most of the points that David Taylor has made, but to follow along with his reference to the OSI standards vs. the TCP/IP development of standards … what we're missing today is the moral equivalent of the TCP/IP definitions of best practice and standard. If the PCI DSS folks won't step up to it, let's figure out who will.

And, in another interesting addition to the conversation, VMware has joined PCI. We’ll now see whether (and how) they can improve the situation.

VMware makes the case for PCI DSS compliance
…Today, with a nod to millions of merchants worldwide that accept credit card payments, VMware Inc. announced that it has joined the Payment Card Industry Security Standards Council (PCI SSC) to incorporate awareness of virtualization into forthcoming versions of PCI regulations.

The company has also launched the VMware Compliance Center, a website dedicated to educating merchants and auditors about compliance in virtualized environments, and the resource includes links to relevant white papers and webcasts. …

PCI Data Security Standard updated, but still does not address virtualization — Server Virtualization Blog

I am puzzled as to why they would continue to ignore virtualization. After all, isn’t just about every company virtualizing in some fashion these days? Are the people that write the specification parameters just ignorant of what virtualization is, and that it has a direct impact on their regulations? Or are they just trusting that we are all securing our virtual hosts properly and there is no need to address them? If that’s the case then they have misplaced a critical amount of trust as I am sure there are a great many virtual environments that are not properly secured. Likewise, ignoring virtualization completely greatly reduces the effectiveness of their efforts to secure environments that deal with cardholder data. It’s essentially fortifying everything within a castle, but leaving the front gate open.

StorefrontBacktalk - Why PCI 1.2 Ignoring Virtualization Won’t Matter

… The issue is more than just PCI compliance. It’s about reliability, performance and data integrity. The point is that deciding whether to deploy virtualized servers broadly throughout the enterprise should not hinge on PCI compliance. Once the larger application and management issues are addressed to the satisfaction of the head of IT infrastructure, and the controls documentation is put in place, then PCI compliance becomes a minor issue by comparison.

1 Comment


  1. While I think that there are reasonable means to securing virtual guests such that host security is less of an issue (and maybe that is what the spec writers are banking on?), I do heartily agree with the points you are making in this article in principle. If securing the private data of the customers is the end goal, then no point of access or control should be overlooked. Maybe minimized, but never dismissed as not important.

    on November 18, 2008 @ 1:00 am


Broadband Developments - Unified Communications, Virtualization, Security, and Web 2.0 is (c) 2008