Is your VMware Instance PCI DSS Compliant? Look to PCI and VMware for Guidance.
Platform virtualization is becoming an increasingly popular solution for companies trying to conserve resources, and VMware is leading this transition as the most widely deployed virtualization platform available. However, there are still many concerns around data security in virtualized environments, and many people are naturally concerned about PCI compliance when running in a VMware environment. Most of these questions about PCI compliance arise in the context of the PCI Data Security Standard (PCI DSS) and the Payment Application Data Security Standard (PA-DSS).
Fortunately, the PCI Security Standards Council (PCI-SSC) has already weighed in on this question and has published clear guidance on running payment applications in a virtualized environment. Version 2.0 of the document is available from the PCI website and directly accessible here.
Of course, this guidance does not mention VMware specifically. It is designed to address the issues related to any virtualization technology, such as Microsoft Hyper-V, Xen, and others. However, VMware is the de facto standard for virtualization in data centers and is deployed by many cloud service providers who support the vCloud architecture, so it is natural that there are many questions about PCI compliance with VMware.
First, it should be said that anyone running VMware for their line-of-business applications should read the PCI guidance BEFORE they start to deploy applications that store or process payment transactions. The procedures you already use to deploy ordinary business applications in a VMware context are almost certainly not going to meet PCI requirements. So, if you are thinking about doing this, take a deep breath and do some research first.
Fortunately, we have some good guidance from both PCI and VMware on the topic of PCI compliance. VMware worked with Coalfire, a QSA auditing firm, to create guidance on how to deploy payment applications in a VMware environment. The document follows the PCI virtualization guidance closely and will be an invaluable resource as you start your project. You can access the Coalfire document from the VMware website here.
With these two documents in hand, and with the guidance of your QSA auditor or security consultant, you can achieve good compliance with PCI recommendations.
PCI also offers guidance on running encryption key management solutions in a VMware context. There are some obvious points, such as the recommendation that you NOT run your key management application on the same hardware and under the same VMware hypervisor as the payment applications it serves. You will be glad to know that Townsend Security’s Alliance Key Manager for VMware solution meets the PCI recommendations when deployed properly in a VMware environment. We recently released our Alliance Key Manager solution as a VMware appliance, and we are committed to helping businesses achieve PCI compliance with industry-standard encryption and encryption key management.