PCI-DSS for Cloud and Virtualization

The Hypervisor is Always In Scope

You want to virtualize more of your environment, including the Cardholder Data Environment (CDE), but you need to maintain compliance with standards such as PCI-DSS. Virtualization of PCI in-scope applications is now very common, and under PCI-DSS the virtual platform or hypervisor (such as vSphere or KVM) is always in scope. This means that PCI-DSS requirements apply to any hypervisor that runs workloads belonging to the Cardholder Data Environment. Furthermore, under PCI 3.1, the Business As Usual (BAU) guidance drives the need for continuous compliance rather than a focus on annual audits alone. Finally, many organizations are considering "mixed mode" virtual environments, in which CDE and non-CDE workloads co-exist on the same hypervisors; this adds complexity both for the IT organizations that must maintain compliance and for the assessors conducting audits.

Unfortunately, platforms such as VMware vSphere and KVM do not by themselves provide the controls and logging of administrator activity needed to meet these requirements. At a minimum, compliance efforts typically require a unique user ID to be recorded for every permitted operation and every blocked operation, along with the other essential details of each action.

HyTrust CloudControl offers the most complete solution available for administrator and configuration controls on VMware vSphere and vCenter infrastructure. As such, it allows organizations to meet PCI-DSS requirements for administrator activity and infrastructure configuration in virtual environments in an operationally efficient manner.

PCI-DSS Sections and Controls

Specifically, CloudControl supports 28 controls in the following PCI-DSS sections:

  • Section 2: Vendor Defaults
  • Section 6: Secure Systems
  • Section 7: Restrict Access to Cardholder Data
  • Section 8: Identify and Authenticate Access
  • Section 10: Track and Monitor All Access

HyTrust CloudControl also fully supports mixed-mode PCI deployments with the following controls and functions for both administrative and logical segmentation:

  • Enforced workload (VM) placement
  • Configuration hardening to eliminate segmentation violations
  • Administrator role separation (PCI vs. Non-PCI)
  • Independent logging of PCI workloads