PCI Council: Don’t Go Mixed-Mode In Virtualization
Written by Frank HayesThe PCI Council released its guidelines for using virtualization in payment-card systems on Tuesday (June 14). That’s not news—the PCI Virtualization Special Interest Group has been working on the guidelines for months. What is surprising is just how blunt the guidelines are. For once, a PCI document actually tells you what to do.
Example: Section 4.2, the guidelines’ advice for “mixed-mode environments.” That means cases where a single server contains some virtual machines that are in-scope for PCI, while other VMs running on the same hardware are out-of-scope. If you’re accustomed to PCI’s usual generalized, loophole-laden language, you’re in for a shock. The bottom-line recommendation for mixed-mode environments comes down to three words: Don’t do it.
OK, it’s not quite that blunt, but it’s close. “It is strongly recommended [and a basic security principle] that VMs of different security levels are not hosted on the same hypervisor or physical host; the primary concern being that a VM with lower security requirements will have lesser security controls, and could be used to launch an attack or provide access to more sensitive VMs on the same system,” the guidelines say.
They continue: “This principle should also be applied if in-scope and out-of-scope virtual systems are to be located on the same host or hypervisor. As a general rule, any VM or other virtual component that is hosted on the same hardware or hypervisor as an in-scope component would also be in scope for PCI DSS, as both the hypervisor and underlying host provide a connection (either physical, logical or both) between the virtual components, and it may not be possible to achieve an appropriate level of isolation, or segmentation, between in-scope and out-of-scope components located on the same host or hypervisor.”
In fact, the guidelines do state plainly—and repeatedly—that if any component on a piece of server hardware is in-scope, then the hardware itself is in-scope for PCI DSS.
“In order for in-scope and out-of-scope VMs to co-exist on the same host or hypervisor, the VMs must be isolated from each other such that they can effectively be regarded as separate hardware on different network segments with no connectivity to each other,” the PCI clarifications said. “Even if adequate segmentation between virtual components could be achieved, the resource effort and administrative overhead required to enforce the segmentation and maintain different security levels on each component would likely be more burdensome than applying PCI DSS controls to the system as a whole.”
This being PCI, the guidelines then go on to explain what’s required if a merchant decides to try it anyway.
Cards issued by European banks when used online cross border don't usually support AVS checks. So, when a European card is used with a billing address that's in the US, an ecom merchant wouldn't necessarily know that the shipping zip code doesn't match the billing code.
-Marc
