Card security rules hinder virtualization

Current controls in the Payment Card Industry Data Security Standard (PCI DSS) are in conflict with virtualization practices and may hamper adoption of the technology, industry experts have warned.

Managed by the PCI Security Standards Council, the PCI DSS comprises a set of guidelines and controls to protect customer data, prevent fraud and eliminate security vulnerabilities. Organizations that handle payment data such as banks and retail merchants, are required to comply with the guidelines.

The policies are updated every two years with the next update scheduled for October 2010. The current version 1.2 took effect October 2008.

Jason Pearce, RSA's Asia-Pacific and Japan director of sales engineering, told ZDNet Asia the existing guidelines were established for traditional physical infrastructure and "do not provide adequate controls" for virtualized environments.

"As most organizations turn toward virtualization to optimize resource utilization and operational efficiencies, they are faced with the reality that while the PCI DSS is very detailed and specific, to date, it does not acknowledge or accommodate some of the unique challenges faced by an organization that chooses to deploy hardware or software virtualization technology within its PCI environment," the EMC executive explained in an e-mail. "In fact, some controls [outlined in the security standard] can be easily misinterpreted to mean that virtualization is incompatible with PCI DSS compliance.

"This is leading to confusion resulting in either failure to comply with the PCI DSS, or hesitation to deploy virtualization technology within PCI environments," Pearce said.

Patrick Chan, IDC Asia-Pacific's chief technology advisor for emerging technologies research, said in an e-mail interview the PCI DSS "definitely needs [an] update", as PCI compliance involving virtualized environments is currently reliant on "subjective guidance" of auditors.

According to Chan, one area within PCI DSS that conflicts with virtualization principles is 2.2.1, which mandates complying organizations to "implement only one primary function per server".

"This is an example [of a policy] that needs [to be addressed] in the next update, as hypervisor allows multiple systems to enjoy logical separation, even when they share the same underlying hardware," he pointed out in an e-mail interview. "Updates need to look into the logical layers as an additional layer of protection and security, rather than as a weakness."

"There are now emerging products that can help secure the entire perimeter of virtualized environments--to the extent of restricting certain protocols and types of traffics that traverse the different virtual machines," he said.

Lee Poh Wah, VMware's Asian South systems engineering manager, added that literally speaking, requirement 2.2.1 allows organizations to tap virtualization for consolidation of systems that perform the same function. However, the guidelines are not clear on whether a virtual machine (VM) is included in the definition of a server, Lee said in an e-mail.

"Without clear guidance from PCI DSS, it is up to each individual auditor to decide what satisfies PCI in their minds. This lack of consistency has made it very difficult for retailers to plan what to do," he noted. "Where we have seen success is when a customer proactively engages with their auditor ahead of time, so that they know what works and what will be frowned upon. Of course, you have to start with an auditor who is knowledgeable about virtualization, since most of them are not."

Virtualization catching on; update timely
Lee noted that "most" retail players are looking at virtualization as a means to optimize resource utilization and operational efficiencies. "Stores...can gain tremendous efficiencies from virtualization since there are often many computers at a store branch, each of which are often highly under-utilized," he said.

IDC's Chan added that among financial institutions, the majority of banks are "still hesitant to consolidate "heavy transactional front-end servers" but many are still studying how to gain benefits out of virtualization. Banks are already adopting client-side virtualization to optimize branch operational efficiencies and cost, he said.

Asia-Pacific organizations, in particular, would likely welcome or push for the PCI DSS guidelines to be revised more quickly, especially since server consolidation--according to an IDC study this year--was a major trend in the region.

RSA's Pearce said many organizations have become heavily dependent on virtual infrastructures, but are hesitant to deploy virtualization in areas that involve credit card data. "Because the PCI DSS standard hasn't included specific virtualization concerns, there have not been wider deployments," he said.

While the PCI DSS is not necessarily late incorporating virtualization guidelines, he acknowledged that "the time has come now where the market is demanding that these guidelines are included".

"The recent financial meltdown has caused many organizations to conserve tight IT budgets and deploy virtualization, and this has driven the [need for] an update in the PCI DSS standard to include this key technology," he said.

Pearce believes the update next year will address a number of key areas. For instance, the PCI Security Standards Council is likely to focus on the security of host servers as any VM containing credit card-related data would require its host server to be closely monitored. Custodians of the PCI DSS may also look into ensuring there are stringent security controls for clones and copies of virtualized servers, such as those used for disaster recovery, he added.

"The biggest challenge that will need to be addressed, and the one that will affect the merchants the most, will be whether or not virtualization provides adequate zoning and separation of functions," he noted. "That guideline should specify whether or not virtual servers are acceptable as long as they are only performing a single function."

According to Pearce, the workaround may be for a single hypervisor to only allow the PCI-compliant systems to handle data. "[This] would avoid the non-compliant state of having multiple classifications of data residing on the one storage medium", he explained.

"A current best practice is to not use virtual machines that run across multiple secure zones on the same host," he noted. "In the upcoming clarification document, it will also be important to monitor not just the VM workloads, but also the hypervisors. Comprehensive SIEM (security information and event management) monitoring offers reporting ability, which will certainly help toward demonstrating compliance."

He added that proper documentation, which will unlikely be covered in the update, should be included as a best practice.

"Good documentation can be used to prove there are sufficient controls in the virtualized environment, and this seems to be a common component of setups that have passed an audit," said Pearce. "The more documentation you can provide to a PCI Qualified Security Assessor, the better it will help them understand the security controls that have been deployed in your virtual environment."