PCI Scope and Virtualization

A strange statement popped out at me in an article called Top 10 PCI Compliance Mistakes.

“PCI DSS 2.0 mandates that even if one VM deals with cardholder data, your entire virtual infrastructure must comply with the standard. The challenge is — the wording in PCI DSS on virtualization is vague and it all depends on the interpretation of the auditors,”

First, your entire virtual infrastructure does not have to comply with the standard if just one VM deals with cardholder data. That must be a misquote. I think what was meant was that a VM with cardholder data brings into scope the infrastructure that supports it (e.g. connected to or hosted on, per the Virtualization Guidelines quoted below). An entire virtual infrastructure can obviously include areas that are unrelated and unconnected to the VM in question. Segmentation is possible.

Second, the PCI assessors (not the same as auditors, but the two terms seem to be used interchangeably now) always interpret regulations. I say PCI DSS is one of the most prescriptive standards and therefore one of the least vague. Moreover, it does not all depend on the interpretation of the assessors. That is like saying food safety all depends on the health inspector. The Security Standards Council (SSC), for example, can clarify or otherwise overrule an assessor’s interpretation.

With that in mind, here are a couple of relevant sections.

PCI DSS 2.0:

2.2.1.b If virtualization technologies are used, verify that only one primary function is implemented per virtual system component or device.

PCI DSS 2.0 Information Supplement: PCI DSS Virtualization Guidelines

If any virtual component connected to (or hosted on) the hypervisor is in scope for PCI DSS, the hypervisor itself will always be in scope.

Last year I wrote a white paper on PCI compliance mistakes specific to virtual environments that you may find useful: 5 Mistakes Auditing Virtual Environments (You Don’t Want to Make)

I also wrote an earlier post on PCI scope errors.
