VCE Vblock™ Systems

VCE Product Applicability Guide for Payment Card Industry (PCI)
VMware Compliance Reference Architecture Framework Partner Addendum

VCE Addendum to VMware Product Applicability Guide for Payment Card Industry Data Security Standard (PCI DSS) version 3.0
VCE Vblock™ Systems

The findings and recommendations contained in this document are provided by VMware-certified professionals at Coalfire®, a leading PCI Qualified Security Assessor and independent IT audit firm. Coalfire’s results are based on detailed document inspections and interviews with the vendor’s technical teams. Coalfire’s guidance and recommendations are consistent with PCI DSS control intent generally accepted by the QSA assessor community. The results contained herein are intended to support product selection and high-level compliance planning for VMware-based cloud deployments. More information about Coalfire can be found at www.coalfire.com. If you require more information specific to this solution guide, you may contact us here: www.coalfire.com/vce

Product Applicability Guide – Partner Addendum Page | 1 VMware Compliance Reference Architect Framework Partner Addendum

Table of Contents

Table of Contents ............................................................ 2
Introduction ................................................................. 3
Overview of PCI in Cloud/Virtual Environments ................................ 5
Summary of Relevant Changes from PCI DSS 2.0 to 3.0 .......................... 6
Summary of Section Changes ................................................... 8
Summary of Requirement Changes ............................................... 9
Converged Infrastructure – Vblock™ System 300 Family ........................ 16
Practical Advice for Securing the Converged Virtual Data Center ............. 18
Guidance from the Payment Card Industry Security Standards Council .......... 19
VCE Factory Logical Configuration Service ................................... 27
Vblock System PCI Requirements Applicability Matrix ......................... 28
Mixed Mode and Multi-Tenant Considerations .................................. 32

Introduction

Vblock™ Systems from VCE deliver extraordinary efficiency and business agility for virtualization and cloud computing, tightly integrating virtualization, compute, network, and storage technologies into a converged infrastructure from industry leaders Cisco, EMC, and VMware. Vblock Systems provide dynamic pools of resources that can be intelligently provisioned and managed to address changing demands and business requirements. Converged infrastructure (CI) platforms are purpose-built virtualization systems and are rapidly becoming the first phase in many organizations’ cloud strategies.

Security and compliance requirements are a concern for organizations planning to process sensitive data through Vblock Systems. Organizations planning to make use of Vblock Systems for payment card processing must comply with the requirements of the Payment Card Industry Data Security Standard (PCI DSS). This guide provides the overall compliance posture of Vblock Systems with respect to PCI DSS 3.0, targeted to IT managers, system administrators, and audit teams. It is an update to an earlier publication, VCE Addendum to VMware Solution Guide for PCI DSS 2.0, modified to account for the changes in PCI DSS 3.0.

For the purposes of this document, the Vblock System 300 family of hardware and software was analyzed. While each Vblock System is customized to the end user’s requirements, a Vblock System enables compliance with more than 25% of the PCI DSS requirements. The following figure depicts the compliance capabilities of the VMware product environment based on the VMware Product Applicability Guide for PCI released by VMware in February 2014. The Vblock System solution demonstrates compliance leveraging both VMware components and components sourced from VMware partners.

Figure 1: PCI requirements

Figure 2: PCI requirements and Vblock Systems

PCI DSS objective                               PCI requirements   Requirements supported by Vblock Systems
Build and maintain a secure network                    66                          30
Protect cardholder data                                55                           2
Maintain a vulnerability management program            54                           6
Implement strong access control measures               99                          28
Regularly monitor and test networks                    66                          26
Maintain an information security policy                46                           0

Table 1: PCI requirements and Vblock Systems

Overview of PCI in cloud/virtual environments

The PCI Security Standards Council (SSC) was established in 2006 by five global payment brands (American Express, Discover Financial Services, JCB International, MasterCard Worldwide, and Visa Inc.). The operating regulations of these payment brands require that any merchant or service provider that processes, stores, or transmits credit cards must be PCI compliant. Merchants and service providers are required to validate their compliance by assessing their environment against nearly 400 specific test controls outlined in PCI DSS 3.0.

In addition to potential loss of reputation, failure to meet PCI requirements could lead to fines, penalties, or the inability to process credit cards. PCI DSS has six categories with twelve total requirements:

Table 2: PCI Data Security Standard

The PCI SSC began providing formalized guidance for cloud and virtual environments in October 2010. The requirements listed in Table 2 are based on industry feedback, the rapid adoption of virtualization technology, and the business-driven migration to cloud. Versions 2.0 and 3.0 of the DSS document specifically mention the term virtualization (previous versions did not use this term). The Data Security Standard was intended to clarify that virtual components should be considered as components for PCI; however, it did not adequately clarify and explain the specific details and risks relating to virtual environments. Virtual and cloud specific guidance is addressed in the following Information Supplements:

• PCI DSS Virtualization Guidelines, released in June 2011 by the PCI SSC Virtualization Special Interest Group (SIG)
• PCI DSS Cloud Computing Guidelines, released in February 2013 by the PCI SSC Cloud Special Interest Group (SIG)
• Navigating PCI DSS, version 2.0, October 2010

The virtualization and cloud supplements are written to address a broad set of users, from small retailers to large cloud providers, and remain product agnostic (no specific mentions of vendors and their solutions).

Summary of relevant changes from PCI DSS 2.0 to 3.0

Although little additional guidance has been released specifically regarding virtualization, PCI DSS 3.0 provides a number of enhancements and clarifications that may have significant design and operational considerations above and beyond those required for compliance with PCI DSS 2.0.

Note that none of the new PCI DSS 3.0 requirements or considerations are inconsistent with or materially different from those found in PCI DSS 2.0; rather, they are simply additions, enhancements, and clarifications. With every iteration of PCI DSS and the associated changes and updates, particularly when new requirements are presented, organizations are provided additional time to develop and implement these controls through the Sunrise process. Under this process, entities can choose to manage their cardholder data environments under PCI DSS 2.0 until December 31, 2014. After this date, all PCI DSS programs and audits must adhere to PCI DSS 3.0. Additionally, many of the new requirements under PCI DSS 3.0 are considered best practices until July 1, 2015, giving organizations additional time to prepare to meet these new requirements in an appropriate manner.

Figure 3: PCI DSS 3.0 changes and updates

Many of the new controls and changes in PCI DSS 3.0 reflect the growing maturity of the payment card industry and the need to take a risk-based approach that focuses on the threats and associated risks that most commonly lead to incidents involving cardholder data compromise. PCI DSS 3.0 also provides PCI organizations and assessors with additional guidance and flexibility around designing, implementing, and validating the requisite PCI DSS controls. The increased guidance and flexibility require a greatly increased level of stringency in validating the controls and in the risk-based approach to managing PCI DSS requirements. As shown in Figure 4, PCI SSC has provided summary guidance of changes from PCI DSS Version 2.0 to 3.0. At a high level, the updates to PCI DSS 3.0 include:

• Stronger focus on several of the greater risk areas in the threat environment
• Increased clarity on PCI DSS and PA-DSS requirements
• Greater understanding of the intent of the requirements and how to apply them
