The PCI Security Standards Council has published guidelines for implementing its requirements in virtualised environments.
It said that the PCI DSS virtualisation guidelines information supplement provides guidance to those in the payment chain on the use of virtualisation technology in cardholder data environments.
It said: “The use of virtualisation technology has been a chief area of interest for organisations considering its implementation in their cardholder data environments and assessors who evaluate virtualised environments as part of a PCI DSS assessment. While it provides many benefits, virtualisation also introduces new and unique risks that must be considered carefully prior to deployment.”
The council said the supplement will help merchants, service providers, processors and vendors understand how PCI DSS applies to virtual environments. It includes:
- Explanation of the classes of virtualisation often seen in payment environments, including virtualised operating systems, hardware/platforms and networks.
- Definition of the system components that constitute these types of virtual systems and high-level PCI DSS scoping guidance for each.
- Practical methods and concepts for deployment of virtualisation in payment card environments.
- Suggested controls and best practices for meeting PCI DSS requirements in virtual environments.
- Specific recommendations for mixed-mode and cloud computing environments.
- Guidance for understanding and assessing risk in virtual environments.
The special interest group's findings highlighted that there is no single method for securing virtualised systems. It deemed that virtual technologies have many applications and uses, and that the security controls appropriate for one implementation may not be suitable for another.