PCI Security Standards Council Releases Guidelines for Virtual Environments

On June 14, the PCI Security Standards Council released new guidelines [pdf] directed to entities that  process payment card data in virtual environments.  These guidelines do not add additional requirements to the PCI-DSS 2.0 standard.  Rather,  they are  an outline for applying the existing standard in the context of virtual platforms, including cloud computing.

In its latest release, the Council identifies several security risks unique to virtual environments, including:

• Vulnerability of the “hypervisor”, i.e. the single program that allows multiple operating systems to run concurrently in the virtual environment and controls execution of these “guest” systems while users are navigating within the virtual environment;
• Configuration and security issues related to the multi-layered technological complexity of virtual environments;
• The possibility that the compromise of one virtual system function could lead to a compromise of other functions on the same system;
• Allowing multiple guest operating systems with different security clearances or “trust levels” to access the virtual environment simultaneously, while preserving the security of the stored data; and
• “Leakage” of data between virtual components when access to shared resources allows one component to collect information about another component on the same host.

To combat these risks, the Council provides numerous recommendations, ranging from general strategies to evaluate potential risks in any virtual environment, to specific issues to consider when securing specific components of a virtual system.  Many of the recommendations focus on the reality that the complexity of the virtual environment requires more than a generalized security plan.  Entities that  use virtual environments to store sensitive data must isolate each system function and component, and then develop appropriate security measures adapted to the vulnerabilities of each component.  Some recommendations include:

• “Hardening” (securing) the hypervisor;
• Implementation of appropriate physical access controls;
• Implementation of a “defense-in-depth approach” that encompasses preventive, detective, and responsive controls to secure data and other assets;
• Using multiple methods to secure administrative access, such as implementing two-factor authentication or establishing dual or split-control of administrative passwords between multiple administrators; and
• Ensuring administrative, process, and technical segmentation to isolate each hosted entity’s environment from the environment of other entities.

However, the guidelines do not endorse any specific technology or provide any explicit methods to achieve the above recommendations.  This lack of endorsement is indicative of the complexity and diversity of the virtual environments available today.  With numerous differing systems emerging in the payment card industry and elsewhere, each entity must carefully tailor its system security to the unique risks posed by that entity’s operations.