PCI DSS 2.0 now allows “System Components” to be physical or virtual; for enterprises, this affirms their strategy to virtualize mission critical assets, including those that are subject to PCI compliance.
Specifically, in virtualized and cloud environments, the PCI DSS requirements apply to the hypervisors, virtual machines, people and processes that are considered part of the cardholder data environment.
To support organizations facing these requirements and to address the unique challenges of virtualization and cloud environments, industry leaders Cisco, VMware, HyTrust, Coalfire and Savvis – all core members of the PCI DSS Virtualization Special Interest Group (vSIG) – collaborated for months on a white paper that outlines configuration guidelines and a “best practices” reference architecture. That reference architecture was implemented and tested in a Savvis advanced-technology lab.
“The cloud reference architecture was designed around our Savvis Symphony cloud architecture, utilizing innovative technologies from Cisco, VMware and HyTrust to enable security controls that meet the intent of PCI DSS 2.0,” said Ken Owens, technology vice president, security and virtualization, at Savvis. “And though the reference architecture was successfully audited and tested, vSIG members plan to continue exploring and sharing additional guidance on securing cardholder data environments with virtual system components.”
“The latest release of the PCI DSS recognizes that organizations have implemented virtual infrastructures in their cardholder data environments. As the industry increases the adoption of virtualization, the next logical step is to move to a private cloud environment,” stated Tom McAndrew, Vice President of Professional Services at Coalfire, one of the leading Qualified Security Assessor (QSA) organizations. He continued: “The PCI DSS represents a minimum baseline of security controls which are being adopted not only in payment environments, but also in other industry verticals such as healthcare, banking, local, state and Federal government. This paper addresses some of the common challenges these organizations face, and how leading providers such as HyTrust, VMware, Savvis, and Cisco have developed solutions to tackle these challenges head-on.”
Eric Chiu, president and CEO, HyTrust, added: “Many HyTrust customers in the financial and retail sectors have been forward-looking in their implementations, taking into account compensating controls for their VMware infrastructures. Using HyTrust, these organizations already have the automated hypervisor hardening, as well as the people and process controls, that the compliance standard requires. DSS 2.0 will allow companies to confidently virtualize PCI applications and other sensitive workloads, and we look forward to helping this adoption by providing the automated controls to satisfy the new PCI requirements.”
Availability & Webinar
The whitepaper is available for download immediately at no cost from http://info.hytrust.com/pci_reference_architecture.html
Please join a special and highly informative webinar on Wednesday, November 10, 10:00 AM (PST), also at no charge to participants, that will bring together a top panel of experts from the PCI SSC Virtualization SIG to discuss the implications of PCI DSS 2.0 and offer specific practical guidelines that satisfy the requirements. Register Now: https://hytrustevents.webex.com/hytrustevents/onstage/g.php?d=660694896&t=a
About HyTrust (www.hytrust.com)
Virtualization Under Control™.
HyTrust, headquartered in Mountain View, CA, is the leader in policy management and access control for virtual infrastructure. HyTrust empowers organizations to virtualize more—including servers that may be subject to compliance—by delivering enterprise-class controls for access, accountability, and visibility to their existing virtualization infrastructure. The Company is backed by top-tier investors Granite Ventures, Cisco Systems (Nasdaq: CSCO), Trident Capital, and Epic Ventures; its partners include VMware; Symantec (Nasdaq: SYMC); Citrix (Nasdaq: CTXS); RSA (NYSE: EMC) and Intel Corporation (Nasdaq: INTC).