VMware!EUC!Product!Applicability!Guide! for!payment!card!industry!data!security! Standard!(PCI!DSS)!version!3.0!

Transcription

1 VMware EUCProductApplicabilityGuide forpaymentcardindustrydatasecurity Standard(PCIDSS)version3.0 July2015 v1.0 TECHNICALWHITEPAPER ThisisthefirstdocumentintheComplianceReferenceArchitectureforPCI.You canfindmoreinformationontheframeworkanddownloadtheadditional documentsfromthepcisolutionresourcestabonvmwaresolution Exchangehere. vmwareypciycomplianceyandycyberyriskysolutions#.vwcfyk9vhbc

2 VMware EUCProductApplicabilityGuideforPaymentCardIndustryDataSecurityStandard(PCIDSS) TableofContents EXECUTIVE+SUMMARY...4 INTRODUCTION...4 OVERVIEW+OF+PCI+AS+IT+APPLIES+TO+END8USER+COMPUTING+ENVIRONMENTS...6 SUMMARY+OF+RELEVANT+CHANGES+FROM+PCI+DSS+2.0+TO CLOUD+COMPUTING...18 WHERE+TO+START+8+CONSIDERATIONS+FOR+MANAGEMENT,+IT+AND+AUDITORS...19 VMware'Specific-Assessment-Considerations Management/Business-Considerations IT-Considerations Audit-Considerations GUIDANCE+FROM+THE+PAYMENT+CARD+INDUSTRY+SECURITY+STANDARDS+COUNCIL...20 VMWARE+TECHNOLOGIES+AND+PCI...25 VMWARE+PCI+REQUIREMENTS+MATRIX+(OVERVIEW)...27 VMWARE+PCI+REQUIREMENTS+MATRIX+(END+USER+COMPUTING)...29 End-User-Computing VMware-Horizon VMWARE+HORIZON+VIEW TM...31 VMware-Horizon-Mirage Horizon-Workspace-Portal VMware-Horizon-Air SUMMARY...37 ACKNOWLEDGEMENTS:...38 ABOUT+COALFIRE...38 Disclaimer VMwareProductApplicabilityGuide/2 VMware,Inc.3401HillviewAvenuePaloAltoCA94304USATel877G486G9273Fax650G427G5001www.vmware.com Copyright 2015VMware,Inc.Allrightsreserved.ThisproductisprotectedbyU.S.andinternationalcopyrightandintellectualpropertylaws.VMwareproductsarecoveredbyone ormorepatentslistedathttp:// marksandnamesmentionedhereinmaybetrademarksoftheirrespectivecompanies.

3 VMware EUCProductApplicabilityGuideforPaymentCardIndustryDataSecurityStandard(PCIDSS) DesignSubjectMatterExperts Thefollowingpeopleprovidedkeyinputintothiswillinaandwillandheandheandwillheandwillawillandyouwill andwillandwillandwillandinaisanandwilldesign. NAME ADDRESS ROLE/COMMENTS NickTrenc Consultant,Coalfire SatnamPurewal Associate,Coalfire Trademarks TheVMwareproductsandsolutionsdiscussedinthisdocumentareprotectedbyU.S.andinternationalcopyrightand intellectualpropertylaws.vmwareproductsarecoveredbyoneormorepatentslistedat Statesand/orotherjurisdictions.Allothermarksandnamesmentionedhereinmaybetrademarksoftheir companies. SolutionArea VMwarevCloud Infrastructure KeyProducts VMwareESXI,VMwarevSphere,VMwarevShieldEndpoint,VMwarevRealize Server andvmwarevclouddirector VMwarevCloud Networkingand Security VMwarevCloud NetworkingandSecurityApp,VMwarevCloud Networkingand SecurityDataSecurity,VMwarevCloud NetworkingandSecurityEdgeGateway, VMwarevCloud NetworkingandSecurityManager VMwareNSX VMwareNSXEdge,NSXFirewall,NSXRouter,NSXLoadBalancer,NSXService Composer VMwarevRealize Operations (formerlyvcenteroperations ManagementSuite) VMwarevRealize OperationsManager,VMwarevRealize Configuration Manager,VMwarevRealize InfrastructureNavigator,VMwarevRealize Orchestrator,VMwarevCenter UpdateManager,VMwarevRealize Automation Center,VMwarevRealize LogInsight,VMwarevRealize Operationsfor Horizon VMware EndUserComputing VMwareHorizon EnterpriseEdition,VMwareHorizon withview Edition,VMware Horizon Client,VMwareMirage,VMwareWorkspace Portal,VMwareApp Volumes VMwareProductApplicabilityGuide/3 VMware,Inc.3401HillviewAvenuePaloAltoCA94304USATel877G486G9273Fax650G427G5001www.vmware.com Copyright 2015VMware,Inc.Allrightsreserved.ThisproductisprotectedbyU.S.andinternationalcopyrightandintellectualpropertylaws.VMwareproductsarecoveredbyone ormorepatentslistedathttp:// marksandnamesmentionedhereinmaybetrademarksoftheirrespectivecompanies.

4 VMware EUCProductApplicabilityGuideforPaymentCardIndustryDataSecurityStandard(PCIDSS) VMwareProductApplicabilityGuide/4 VMware,Inc.3401HillviewAvenuePaloAltoCA94304USATel877G486G9273Fax650G427G5001www.vmware.com Copyright 2015VMware,Inc.Allrightsreserved.ThisproductisprotectedbyU.S.andinternationalcopyrightandintellectualpropertylaws.VMwareproductsarecoveredbyone ormorepatentslistedathttp:// marksandnamesmentionedhereinmaybetrademarksoftheirrespectivecompanies. ExecutiveSummary ThePaymentCardIndustryDataSecurityStandard(PCIDSS)isapplicabletoalltypesofenvironmentsthatstore, process,ortransmitcardholderdata.thisincludesinformationsuchaspersonalaccountnumbers(pan),aswell asanyotherinformationthathasbeendefinedascardholderdatabythepcidss.theuseofcloudcomputing resourcesmustalsobescrutinizedbythepcidssauditprocess,andmanyofthecloud sadvantagesoverearlier paradigmsyysharingofresources,workloadmobility,consolidatedmanagementplane,etc. themselvesnecessitate thatadequatecontrolsareadoptedtohelpmeetpcidsscontrols.pciconsiderationsareessentialforassessorsto helptounderstandwhattheymightneedtoknowaboutanenvironmentinordertobeabletodeterminewhethera PCIDSSrequirementhasbeenmet.Ifpaymentcarddataisstored,processedortransmittedinacloudenvironment, PCIDSSwillapplytothatenvironment,andwilltypicallyinvolvevalidationofboththeinfrastructureandthe applicationsrunninginthatenvironment. AnyenterprisecomputingenvironmentsthatcontainscardholderdataelementsaresubjecttoPCIDSScompliance. Manyofthoseenvironmentsthatdealinanykindoffinancialtransactionforexchanginggoodsandservicesrelyon VMwareandVMwareTechnologyPartnersolutionstodeliverthoseenterprisecomputingenvironments.Assuch, theseenterprisesseekwaystoreduceoverallitbudgetwhilemaintaininganappropriateoverallriskpostureforthe inyscopeenvironment.oneofthegreatestchallengesinhostingthenextgenerationenterprisecomputing environmentisconsolidatingmanymodesoftrustrequiredsuchasthoserequiredforacardholderdata Environment(CDE)andaNonYCardholderDataEnvironment. ForthesereasonsVMwarehasenlisteditsauditpartnerCoalfire,aPCIDSSapprovedQualifiedSecurityAssessor (QSA),toengageinaprogrammaticapproachtoevaluateVMwareproductsandsolutionsforPCIDSScontrol capabilitiesandthentodocumentthesecapabilitiesinasetofreferencearchitecturedocuments.thefirstofthese documentsisthisproductapplicabilityguide,whichcontainsamappingofthevmwareproductsandfeaturesthat shouldbeconsideredforimplementingpcidsscontrols.thenexttwodocumentsthat,togetherwiththisguide, comprisethepcidssreferencearchitecturearethearchitecturedesignguideandthevalidatedreference Architecture,whichwillprovideguidanceontheconsiderationstobemadewhendesigningavCloudenvironmentfor PCIDSSaswellasalabvalidationexerciseanalyzinganinstanceofthisreferencearchitecturewhichutilizesthe conceptsandapproachesoutlinedtherein.formoreinformationonthesedocumentsandthegeneralapproachto complianceissuespleasereviewvmware+compliance+cyber+risk+solutions. Inaddition,VMwareandCoalfireareengagedwithVMwareTechnologyPartnerstoanalyzetheirproductsand solutions(availableonthevmwaresolutionexchange)withthegoalofprovidingcontinuingexamplestothe industry.inanongoingeffort,vmwareandcoalfirewillutilizethisinformationtocreatenew"joint"reference architecturesbasedonthevmwarereferencearchitectureforpcidsswherepartnerproductsandsolutionsare combinedandauditorvalidatedtofurthereaseadoptionforcio s,itmanagers,architects,itauditorsandsecurity practitionersinvolvedwithavmwarevcloudsuitebasedcloudcomputingarchitecture.seefigure2onpage6in thisdocumentforthecompliancesolutioncategories. Thisstudyinvestigateddifferentapplicationsavailabletoorganizationsthatuse(orareconsideringusing) virtualizationandcloudtosupportamixedymodevirtualenvironment.tothatend,coalfirehighlightedthespecific PCIDSSrequirementstheseapplicationsaddress,andrecommendsanapproachfororganizationsandtheirQSA s orinternalsecurityassessors(isa s)totesttheircompliancewithpcidssv.3.0.ithasbeenreviewedandauthored byourstaffofqualifiedsecurityassessorsinconjunctionwithvmware. Ifyouhaveanycommentsregardingthiswhitepaper,wewelcomeanyfeedbackatVMware@coalfire.comor compliancegsolutions@vmware.com. Introduction Complianceandsecurityissuescontinuetobetopconcernsfororganizationsthatplantomoveanyoralloftheir environmenttocloudcomputing.vmwarehelpsorganizationsaddressthesechallengesbyprovidingbundled solutions(suites)thataredesignedforspecificusecases.theseusecasesaddressquestionslike HowtobePCI compliantinavmwareprivatecloud byprovidinghelpfulinformationforvmwarearchitects,thecompliance community,andthirdparties.

5 VMware EUCProductApplicabilityGuideforPaymentCardIndustryDataSecurityStandard(PCIDSS) The2013PCIPrivateCloudUseCaseisfocusedonenterpriseswishingtobuildoutaprivatecloudcomputing environmentforhostingapplicationsthatmaybesubjecttoapcidssaudit.thisguideisfocusedon5groupsof technologiesusedtobuildarchitecturesandoperatingmodelsinordertosupportthisgoal.those5groupsare CloudInfrastructure CloudInfrastructureManagement CloudNetworkingandSecurity NetworkandSecurityVirtualization EndUserComputing. TheprivatecloudusecasealsoprovidesreaderswithamappingofthespecificPCI3.0requirementstoVMware s productsuites,products,andpartnersolutionscontainedinthose5groups.whileeverycloudisunique,vmwareand 3 rd partysolutionscanprovidecapabilitiesthataddressapproximately80%ofpcitechnicalrequirementsfor compliance.figure1showstheproportionoftechnicalrequirementsaddressedbyvmwareinrelationtothetotal numberofrequirementsthatarenonytechnicalororganizationalresponsibility. PCIRequirements OrganizationResponsibility VMwareTechnicalProducts PartnerSolutions Figure1:PCIDSSRequirementsandVMware Figure2identifiescapabilitymeasureswithrespecttoprotection,integrity,andavailabilitythatmakeupatrusted cloudimplementation.thegraphicillustratesthespecificcategoriesthatvmwareandpartnersolutionsareableto address.eachsectionofthegraphicrepresentsageneralcategoryofenablement.thealignmentofvmwareand partnertechnologieswiththesecategoriesassistswiththematchingofspecifictechnologiestothecontrolsandthe intentthatthecontrolsaredesignedtoaddress. VMwareProductApplicabilityGuide/5 VMware,Inc.3401HillviewAvenuePaloAltoCA94304USATel877G486G9273Fax650G427G5001www.vmware.com Copyright 2015VMware,Inc.Allrightsreserved.ThisproductisprotectedbyU.S.andinternationalcopyrightandintellectualpropertylaws.VMwareproductsarecoveredbyone ormorepatentslistedathttp:// marksandnamesmentionedhereinmaybetrademarksoftheirrespectivecompanies.

6 VMware EUCProductApplicabilityGuideforPaymentCardIndustryDataSecurityStandard(PCIDSS) Figure2:VMware+PartnerProductCapabilitiesforaTrustedCloud DuetothecommoncapabilitiesoftheVMwareproductsandfeaturesacrossallofthePCIusecases,understanding therelationshipoftheseproductsandfeatureswiththepciguidanceandrequirementsisfundamentalandmost broadlyaccommodatedinthisdocument.morespecificguidanceisprovidedinthearchitecturaldesignguide, wheredesignsuggestionsareprovidedtoillustratehowvmwareeucsolutionscanenablecontrolstoaddresspci requirementswithinvarioususecases.thepcidssguidance,requirementsandtestingproceduresaredesigned foruseduringpcidsscomplianceassessmentsaspartofanentity svalidationprocess.theintentionofpcidss istoprovideaminimumsetofrequirementsnecessarywiththeintentionofprotectingcardholderdata.the informationdesignedtobeprotectedbypcidssisspecifictothepcidssrequirements.asitisaminimum requirement,itisrecommendedthatentitiesthathandlecardholderdataimplementadditionalcontrolsandpractices tofurthermitigaterisks.moreover,manyentitiesrequiringadherencetopcirequirementsmayalsoberequiredto implementcontrolsrelevanttootherregulatoryandgovernancerequirements.thecombiningofcapabilitiesof VMwareandtheVMwarePartnernetworkprovidethemeansoftoaddresstherequirementsinacohesiveway.The PCIrequirementsimplementedinacommonVMwareEndUserComputingarchitectureopensupopportunitiesfor tightercontrolandgreateragility. OverviewofPCIasitAppliestoEndGUserComputing Environments ThePCISecurityStandardsCouncil(SSC)wasestablishedin2006byfiveglobalpaymentbrands(American Express,DiscoverFinancialServices,JCBInternational,MasterCardWorldwide,andVisaInc.).Thepayment brandsrequirethroughtheiroperatingregulationsthatanymerchantorserviceprovidermustbepcicompliant. Merchantsandserviceprovidersarerequiredtovalidatetheircompliancebyassessingtheirenvironmentagainst nearly300specifictestcontrolsoutlinedinthepaymentcardindustrydatasecuritystandards(dss).failureto meetpcidssrequirementsmayleadtofines,penalties,orinabilitytoprocesscreditcards,inadditiontopotential reputationalloss. ThePCIDSShassixcategorieswithtwelvetotalrequirementsasoutlinedbelow: VMwareProductApplicabilityGuide/6 VMware,Inc.3401HillviewAvenuePaloAltoCA94304USATel877G486G9273Fax650G427G5001www.vmware.com Copyright 2015VMware,Inc.Allrightsreserved.ThisproductisprotectedbyU.S.andinternationalcopyrightandintellectualpropertylaws.VMwareproductsarecoveredbyone ormorepatentslistedathttp:// marksandnamesmentionedhereinmaybetrademarksoftheirrespectivecompanies.

7 VMware EUCProductApplicabilityGuideforPaymentCardIndustryDataSecurityStandard(PCIDSS) Figure3:PCIDataSecurityStandard+ ThePCISSCspecificallybeganprovidingformalizedguidanceforcloudandvirtualenvironmentsinOctober,2010. Theseguidelineswerebasedonindustryfeedback,rapidadoptionofvirtualizationtechnology,andthemovetocloud computingenvironments.version3.0(andversion2.0)ofthedatasecuritystandard(dss)specificallymentions theterm virtualization (previousversionsdidnotusetheword virtualization ).Thiswasfollowedbyanadditional documentexplainingtheintentbehindthepcidssv2.0, NavigatingPCIDSS.Thesedocumentswereintendedto clarifythatvirtualcomponentsshouldbeconsideredas components forpci,butdidnotgointothespecificdetails andrisksrelatingtovirtualenvironments.instead,theyaddressvirtualandcloudspecificguidanceinaninformation Supplement, PCIDSSVirtualizationGuidelines, releasedinjune2011bythepcissc svirtualizationspecial InterestGroup(SIG). Figure4:NavigatingPCIDSS+ Theexistingvirtualizationsupplementwaswrittentoaddressabroadsetofusers(fromsmallretailerstolargecloud providers)andremainsproductagnostic(nospecificmentionsofvendorsandtheirsolutions). Note:VMwaresolutionsaredesignedtohelporganizationsaddressvariousregulatorycompliancerequirements. ThisdocumentisintendedtoprovidegeneralguidancefororganizationsthatareconsideringVMwaresolutionsto helpthemaddresssuchrequirements.vmwareencouragesanyorganizationthatisconsideringvmwaresolutionsto engageappropriatelegal,business,technical,andauditexpertisewithintheirspecificorganizationforreviewof regulatorycompliancerequirements.itistheresponsibilityofeachorganizationtodeterminewhatisrequiredtomeet anyandallrequirements.theinformationcontainedinthisdocumentisforeducationalandinformationalpurposes only.thisdocumentisnotintendedtoprovidelegaladviceandisprovided ASIS.VMwaremakesnoclaims, VMwareProductApplicabilityGuide/7 VMware,Inc.3401HillviewAvenuePaloAltoCA94304USATel877G486G9273Fax650G427G5001www.vmware.com Copyright 2015VMware,Inc.Allrightsreserved.ThisproductisprotectedbyU.S.andinternationalcopyrightandintellectualpropertylaws.VMwareproductsarecoveredbyone ormorepatentslistedathttp:// marksandnamesmentionedhereinmaybetrademarksoftheirrespectivecompanies.

8 VMware EUCProductApplicabilityGuideforPaymentCardIndustryDataSecurityStandard(PCIDSS) promisesorguaranteesabouttheaccuracy,completeness,oradequacyoftheinformationcontainedherein.nothing thatyoureadinthisdocumentshouldbeusedasasubstitutefortheadviceofcompetentlegalcounsel. SummaryofRelevantChangesfromPCIDSS2.0to3.0 WiththerecentreleaseofthePCIDSS(DataSecurityStandard)3.0,whilelittleadditionalguidancehasbeenreleased with regard to virtualization specifically, there have been a number of enhancements and clarifications that may potentially have significant design & operational considerations above and beyond those which were required for compliancewiththepcidss2.0.itshouldbenotedthatnoneofthenewpcidss3.0requirementsorconsiderations are inconsistent with or materially different from those found in version 2.0, but rather are simply additions, enhancements,andclarifications.anupdated NavigatingPCIDSS documentforversion3.0hasnotbeenreleased bythepcissc(securitystandardscouncil)asofthetimeofthiswriting. WitheveryiterationofthePCIDSSandtheassociatedchanges&updates,particularlywhennewrequirementsare presented,organizationsaregivenadditionaltimetoimplementthesecontrolsthroughthe Sunrise process.while entitiescanchoosetomanagetheircardholderdataenvironmentsunderthepcidss2.0upuntildecember31, 2014,afterwhichallPCIDSSprogramsandauditsmustadheretoversion3.0.Additionally,manyofthenew requirementsunderthepcidss3.0areconsideredbestpracticesuntiljuly1,2015,givingorganizationsadditional timetopreparetomeetthesenewrequirementsinanappropriatemanner. Figure5:PCIDSS3.0ChangesandUpdates ManyofthenewcontrolsandchangesinPCIDSS3.0reflectthegrowingmaturityofthePaymentCardIndustry,and theneedtofocusmoreonariskybasedapproachanddealwiththethreatsandassociatedriskswhichmost commonlyleadtoincidentsinvolvingthecompromiseofcardholderdata.alongwiththenewcontrolsandfocus areas,version3.0providespciorganizationsandassessorswithadditionalguidanceandflexibilityaround designing,implementing,andvalidatingtherequisitepcidsscontrols.itshouldalsobenotedthatwithincreased guidanceandflexibilityinthestandardandindividualcontrols,agreatlyincreasedlevelofstringencyisrequiredin thevalidationofthosecontrolsandtheriskybasedapproachtomanagingpcidssrequirements.atahighlevel,the updatestoversion3.0ofthedssinclude: Providingstrongerfocusonsomeofthegreaterriskareasinthethreatenvironment ProvidingincreasedclarityonPCIDSS&PAYDSSrequirements Buildinggreaterunderstandingontheintentoftherequirementsandhowtoapplythem Improvingflexibilityforallentitiesimplementing,assessing,andbuildingtotheStandards Drivingmoreconsistencyamongassessors Helpingmanageevolvingrisks/threats Aligningwithchangesinindustrybestpractices VMwareProductApplicabilityGuide/8 VMware,Inc.3401HillviewAvenuePaloAltoCA94304USATel877G486G9273Fax650G427G5001www.vmware.com Copyright 2015VMware,Inc.Allrightsreserved.ThisproductisprotectedbyU.S.andinternationalcopyrightandintellectualpropertylaws.VMwareproductsarecoveredbyone ormorepatentslistedathttp:// marksandnamesmentionedhereinmaybetrademarksoftheirrespectivecompanies.

9 VMware EUCProductApplicabilityGuideforPaymentCardIndustryDataSecurityStandard(PCIDSS) Clarifyingscopingandreporting EliminatingredundantsubYrequirementsandconsolidatedocumentation WealsohaveseveralkeythemesaroundmanagingPCIDSS3.0andtakingaproactivebusinessYasYusualapproach toprotectingcardholderdata,andfocusingprimarilyonsecurity,asopposedtopurecompliance,whichhavebeen updatedinthelatestversion,andforwhichthepcisecuritystandardscouncilhasprovidedguidance.the followingguidancehasbeenreleasedbythecouncilregardingthesehighylevelconceptsandhowtheyapplytopci DSS3.0.Fromthe PCIDSSVersion3.0ChangeHighlights document: Educationandawareness Lackofeducationandawarenessaroundpaymentsecurity,coupledwithpoorimplementationandmaintenance ofthepcistandards,givesrisetomanyofthesecuritybreacheshappeningtoday.updatestothestandardsare gearedtowardshelpingorganizationsbetterunderstandtheintentofrequirementsandhowtoproperly implementandmaintaincontrolsacrosstheirbusiness.changestopcidssandpaydsswillhelpdrive educationandbuildawarenessinternallyandwithbusinesspartnersandcustomers. Increasedflexibility ChangesinPCIDSS3.0focusonsomeofthemostfrequentlyseenrisksthatleadtoincidentsofcardholder datacompromise suchasweakpasswordsandauthenticationmethods,malware,andpoorselfydetection providingaddedflexibilityonwaystomeettherequirements.thiswillenableorganizationstotakeamore customizedapproachtoaddressingandmitigatingcommonrisksandproblemareas.atthesametime,more rigoroustestingproceduresforvalidatingproperimplementationofrequirementswillhelporganizationsdriveand maintaincontrolsacrosstheirbusiness. Securityasasharedresponsibility Securingcardholderdataisasharedresponsibility.Today spaymentenvironmenthasbecomeevermore complex,creatingmultiplepointsofaccesstocardholderdata.changesintroducedwithpcidssfocuson helpingorganizationsunderstandtheirentities PCIDSSresponsibilitieswhenworkingwithdifferentbusiness partnerstoensurecardholderdatasecurity. VMwareProductApplicabilityGuide/9 VMware,Inc.3401HillviewAvenuePaloAltoCA94304USATel877G486G9273Fax650G427G5001www.vmware.com Copyright 2015VMware,Inc.Allrightsreserved.ThisproductisprotectedbyU.S.andinternationalcopyrightandintellectualpropertylaws.VMwareproductsarecoveredbyone ormorepatentslistedathttp:// marksandnamesmentionedhereinmaybetrademarksoftheirrespectivecompanies.

10 VMware EUCProductApplicabilityGuideforPaymentCardIndustryDataSecurityStandard(PCIDSS) VMwareProductApplicabilityGuide/10 VMware,Inc.3401HillviewAvenuePaloAltoCA94304USATel877G486G9273Fax650G427G5001www.vmware.com Copyright 2015VMware,Inc.Allrightsreserved.ThisproductisprotectedbyU.S.andinternationalcopyrightandintellectualpropertylaws.VMwareproductsarecoveredbyone ormorepatentslistedathttp:// marksandnamesmentionedhereinmaybetrademarksoftheirrespectivecompanies. ThefollowingtablepresentsthehighYlevelsummaryofspecificchanges,updates,andclarificationsfromPCIDSS 2.0to3.0: GENERALCHANGESIMPLEMENTEDTHROUGHOUTTHEPCIDSSREQUIREMENTS TYPE Newcolumntodescribetheintentofeachrequirement,withcontentderivedfromformerNavigatingPCI DSSguidancedocument. Theguidanceinthiscolumnisintendedtoassistunderstandingofthe requirementsanddoesnotreplaceorextendthepcidssrequirementsandtestingprocedures. Additional Guidance Forthesecuritypoliciesanddailyoperationalprocedures(formerlyrequirements12.1.1and12.2),assigneda newrequirementnumberandmovedrequirementsandtestingproceduresintoeachofrequirements1y11. Clarification Updatedlanguageinrequirementsand/orcorrespondingtestingproceduresforalignmentandconsistency. Clarification Separatedcomplexrequirements/testingproceduresforclarityandremovedredundantoroverlapping testingprocedures. Clarification Enhancedtestingprocedurestoclarifylevelofvalidationexpectedforeachrequirement. Clarification Othergeneraleditingchangesinclude: Removedthefollowingcolumns: InPlace, NotinPlace and TargetDate/Comments. Renumberedrequirementsandtestingprocedurestoaccommodatechanges Reformattedrequirementsandtestingproceduresforreadability e.g.contentfromparagraphreformattedtobulletpoints,etc. Mademinorwordingchangesthroughoutforreadability Correctedtypographicalerrors Table1:GeneralChangesImplementedThroughoutthePCIDSSRequirements Table2outlinesthesummarychangesfromPCIDSSversion2.0toversion3.0. SECTION CHANGE TYPE PCIDSSV2.0 PCIDSSV3.0 PCIDSSApplicability Information PCIDSSApplicability Information ClarifiedthatSADmustnotbestoredafterauthorization evenifthereisnopanintheenvironment. Clarification Relationshipbetween PCIDSSandPAYDSS Relationshipbetween PCIDSSandPAYDSS Clarifiedthatallapplicationsthatstore,process,or transmitcardholderdataareinscopeforanentity spci DSSassessment,evenifPAYDSSvalidated. ClarifiedPCIDSSapplicabilitytopaymentapplication vendors. Clarification ScopeofAssessment forcompliancewithpci DSSRequirements ScopeofPCIDSS Requirements Addedexamplesofsystemcomponents,andadded guidanceabouthowtoaccuratelydeterminethescope oftheassessment. Clarifiedtheintentofsegmentation. Clarifiedresponsibilitiesofboththethirdpartyandtheir customersforscopingandcoverageofpcidss requirements,andclarifiedtheevidencethatthirdparties areexpectedtoprovidefortheircustomerstobeableto verifythescopeofthethirdparty spcidss assessment. Additional Guidance

11 VMware EUCProductApplicabilityGuideforPaymentCardIndustryDataSecurityStandard(PCIDSS) VMwareProductApplicabilityGuide/11 VMware,Inc.3401HillviewAvenuePaloAltoCA94304USATel877G486G9273Fax650G427G5001www.vmware.com Copyright 2015VMware,Inc.Allrightsreserved.ThisproductisprotectedbyU.S.andinternationalcopyrightandintellectualpropertylaws.VMwareproductsarecoveredbyone ormorepatentslistedathttp:// marksandnamesmentionedhereinmaybetrademarksoftheirrespectivecompanies. SECTION CHANGE TYPE PCIDSSV2.0 PCIDSSV3.0 ImplementingPCIDSS intobusinessyasyusual Processes Newsectiontoprovide businessasusual guidancefor implementingsecurityintobusinessyasyusual(bau) activitiestomaintainonygoingpcidsscompliance. Notethatthissectionincludesrecommendationsand guidanceonly,notnewpcidssrequirements. Additional Guidance AssessmentProcedures AddednewheadingtoseparatePCIDSSscoping sectionfromsamplingsection. Clarification SamplingofBusiness Facilities/System Components ForAssessors:Sampling ofbusiness Facilities/System Components Enhancedsamplingguidanceforassessors. Additional Guidance InstructionsandContent forreporton Compliance InstructionsandContent forreporton Compliance Formercontentrelocatedtoseparatedocuments PCI DSSROCTemplateandPCIDSSROCReporting Instructions. Clarification PCIDSSCompliance CompletionSteps PCIDSSAssessment Process Updatedsectiontofocusonassessmentprocessrather thandocumentation. Clarification DetailedPCIDSS Requirementsand SecurityAssessment Procedures DetailedPCIDSS Requirementsand SecurityAssessment Procedures Atthestartofthissection,addedlanguagetodefinethe columnheadingsinthissection,andremovedreferences to InPlace, NotInPlace and Target Date/Comments columns. Clarification Table2:SummaryChanges Table3outlinestherequirementchangesfromPCIDSSversion2.0toversion3.0 REQUIREMENT CHANGE TYPE PCIDSSV2.0 PCIDSSV3.0 PCIDSSGREQUIREMENT1 1.1.x 1.1.x Clarifiedthatfirewallandrouterstandardshavetobebothdocumented andimplemented. Clarification Clarifiedwhatthenetworkdiagrammustincludeandaddednew requirementat1.1.3foracurrentdiagramthatshowscardholderdata flows. Evolving Requirement Clarifiedexamplesofinsecureservices,protocols,andportstospecify SNMPv1andv2. Clarification Clarifiedthattheintentofsecuringrouterconfigurationfilesistosecure themfromunauthorizedaccess. Clarification Clarifiedthattheintentofcontrollingtrafficbetweenwirelessnetworksand thecdeisto permitonlyauthorizedtraffic. Clarification ClarifiedtheintentoftherequirementisthatantiYspoofingmeasures areimplementedtodetectandblockforgedsourceipaddresses fromenteringthenetwork. Clarification Alignedlanguagebetweenrequirementandtesting proceduresforconsistency. Clarification PCIDSSGREQUIREMENT2

12 VMware EUCProductApplicabilityGuideforPaymentCardIndustryDataSecurityStandard(PCIDSS) PCIDSSV2.0 REQUIREMENT PCIDSSV CHANGE Clarifiedthatrequirementforchangingvendordefaultpasswordsapplies toalldefaultpasswords,includingsystems,applications,security software,terminals,etc.andthatunnecessarydefaultaccountsare removedordisabled. Clarifiedthattheintentoftherequirementisforallwirelessvendor defaultstobechangedatinstallation. Clarifiedthatsystemconfigurationstandardsincludeproceduresfor changingofallvendorysupplieddefaultsandunnecessarydefault accounts. Splitrequirementat2.2.2intotworequirementstofocusseparately onnecessaryservices,protocolsandports(2.2.2),andsecure services,protocols,andports(2.2.3). TYPE Clarification Clarification Clarification Clarification 2.4 Newrequirementtomaintainaninventoryofsystemcomponentsin scopeforpcidsstosupportdevelopmentofconfigurationstandards. Evolving Requirement PCIDSSGREQUIREMENT Combinedrequirement3.1.1andtestingproceduresinto requirement3.1toclarifyandreduceredundancy. Clarification Clarified,ifsensitiveauthenticationdataisreceived,thatitisrendered unrecoverableuponcompletionoftheauthorizationprocess.clarified testingproceduresforcompaniesthatsupportissuingservicesandstore sensitiveauthenticationdata. ClarifiedintentofrequirementformaskingPANsbyconsolidating formernoteintobodyoftherequirement,andenhancingtesting procedures. Clarifiedthatlogicalaccessfordiskencryptionmustbemanaged separatelyandindependentlyofthenativeoperatingsystem authenticationandaccesscontrolmechanisms,andthatdecryption keysmustnotbeassociatedwithuseraccounts. Clarifiedthatkeymanagementprocedureshavetobeboth implementedanddocumented. Clarification Clarification Clarification Clarification Splitrequirement3.5.2intotworequirementstofocusseparatelyon storingcryptographickeysinasecureform(3.5.2),andinthefewest possiblelocations(3.5.3).requirement3.5.2alsoprovidesflexibility withmoreoptionsforsecurestorageofcryptographickeys. Clarification 3.6.x 3.6.x Addedtestingprocedurestoverifyimplementationof cryptographickeymanagementprocedures. Clarification Clarifiedprinciplesofsplitknowledgeanddualcontrol. Clarification PCIDSSGREQUIREMENT Requirement5YGeneral Alignedlanguagebetweenrequirementandtestingproceduresfor consistency.alsoexpandedtheexamplesofopen,publicnetworks. PCIDSSGREQUIREMENT5 Titleupdatedtoreflectintentoftherequirement(toprotectallsystems againstmalware). Clarification Clarification VMwareProductApplicabilityGuide/12 VMware,Inc.3401HillviewAvenuePaloAltoCA94304USATel877G486G9273Fax650G427G5001www.vmware.com Copyright 2015VMware,Inc.Allrightsreserved.ThisproductisprotectedbyU.S.andinternationalcopyrightandintellectualpropertylaws.VMwareproductsarecoveredbyone ormorepatentslistedathttp:// marksandnamesmentionedhereinmaybetrademarksoftheirrespectivecompanies.

13 VMware EUCProductApplicabilityGuideforPaymentCardIndustryDataSecurityStandard(PCIDSS) REQUIREMENT PCIDSSV2.0 PCIDSSV x 6.5.x CHANGE Newrequirementtoevaluateevolvingmalwarethreatsforany systemsnotconsideredtobecommonlyaffectedbymalicious software. Alignedlanguagebetweenrequirementandtesting proceduresforconsistency. NewrequirementtoensurethatantiYvirussolutionsareactivelyrunning (formerlyin5.2),andcannotbedisabledoralteredbyusersunless specificallyauthorizedbymanagementonaperycasebasis. PCIDSSGREQUIREMENT6 Switchedtheorderofrequirements6.1and6.2.Requirement6.1isnow foridentifyingandriskrankingnewvulnerabilitiesand6.2isforpatching criticalvulnerabilities.clarifiedhowriskrankingprocess(6.1)alignswith patchingprocess(6.2). Seeaboveexplanationfor6.1.Also,clarifiedthatthis requirementappliesto applicable patches. Addedanotetoclarifythattherequirementforwrittensoftware developmentprocessesappliestoallinternallyydevelopedsoftware andbespokesoftware. Changed preyproduction to development/test toclarify intentofrequirement Enhancedtestingprocedurestoincludedocumentreviewsforall requirementsat6.4.1through Alignedlanguagebetweenrequirementandtestingprocedurestoclarify thatseparationofproduction/developmentenvironmentsisenforcedwith accesscontrols. Updateddevelopertrainingtoincludehowtoavoidcommoncoding vulnerabilities,andtounderstandhowsensitivedataishandledin memory. Updatedrequirementstoreflectcurrentandemergingcoding vulnerabilitiesandsecurecodingguidelines.updatedtesting procedurestoclarifyhowthecodingtechniquesaddressthe vulnerabilities. Newrequirementforcodingpracticestoprotectagainstbroken authenticationandsessionmanagement. EffectiveJuly1,2015 Increasedflexibilitybyspecifyingautomatedtechnicalsolutionthat detectsandpreventswebnbasedattacksratherthan webyapplication firewall. Addednotetoclarifythatthisassessmentisnotthesameas vulnerabilityscansrequiredat11.2. PCIDSSGREQUIREMENT7 TYPE Evolving Requirement Clarification Evolving Requirement Clarification Clarification Clarification Clarification Clarification Clarification Clarification Clarification Evolving Requirement Clarification Rewordedtestingproceduretoclarifywhatthepolicyincludes,based onchangestorequirements7.1.1through New7.1.1tocoverdefinitionofaccessneedsforeachrole,tosupport requirements7.1.2through RefocusedrequirementonrestrictionofprivilegeduserIDstoleast privilegesnecessary,andenhancedtestingprocedures. Refocusedrequirementonassignmentofaccessbasedonindividual sjob classificationandfunction. Clarification Clarification Clarification Clarification VMwareProductApplicabilityGuide/13 VMware,Inc.3401HillviewAvenuePaloAltoCA94304USATel877G486G9273Fax650G427G5001www.vmware.com Copyright 2015VMware,Inc.Allrightsreserved.ThisproductisprotectedbyU.S.andinternationalcopyrightandintellectualpropertylaws.VMwareproductsarecoveredbyone ormorepatentslistedathttp:// marksandnamesmentionedhereinmaybetrademarksoftheirrespectivecompanies.

14 VMware EUCProductApplicabilityGuideforPaymentCardIndustryDataSecurityStandard(PCIDSS) PCIDSSV2.0 REQUIREMENT PCIDSSV3.0 CHANGE TYPE Removedformerrequirement7.1.4(coveredinRequirement7.2) Clarification PCIDSSGREQUIREMENT8 Requirement8YGeneral Titleupdatedtoreflectintentoftherequirement(identifyandauthenticate allaccesstosystemcomponents). Updatedandreorganizedrequirementstoprovideamoreholistic approachtouserauthenticationandidentification: Focused8.1onuseridentification Focused8.2onuserauthentication o Updatedrequirementstoconsidermethodsofauthentication otherthanpasswords o Changed passwords to passwords/phrases where requirementonlyappliestopasswords/phrases o Changed passwords to authenticationcredentials where requirementappliestoanytypeofauthenticationcredential o Clarifiedthatpasswordsecurityrequirementsapplyto accountsusedbythirdpartyvendors Clarification Clarifiedtherequirementforremotevendoraccessappliestovendors whoaccess,supportormaintainsystemcomponents,andthatitshould bedisabledwhennotinuse. Clarifiedthatstrongcryptographymustbeusedtorenderauthentication credentialsunreadableduringtransmissionandstorage. Clarifiedthatuseridentifymustbeverifiedbeforemodifying authenticationcredentials,andaddedprovisioningnewtokensand generatingnewkeysasexamplesofmodifications. Clarification Clarification Clarification Combinedminimumpasswordcomplexityandstrengthrequirementsinto singlerequirement,andincreasedflexibilityforalternativesthatmeetthe equivalentcomplexityandstrength. Evolving Requirement ClarifiedrequirementfortwoYfactorauthenticationappliestousers, administrators,andallthirdparties,includingvendoraccessforsupport ormaintenance. Enhancedrequirementtoincludedocumentingandcommunicating guidanceforhowusersshouldprotecttheirauthenticationcredentials, includingpassword/phrasereuseandchangingpassword/phraseifthere issuspicionthatithasbeencompromised. Newrequirementforserviceproviderswithremoteaccesstocustomer premises,touseuniqueauthenticationcredentialsforeachcustomer. EffectiveJuly1,2015 Clarification Clarification Evolving Requirement 8.6 Newrequirementwhereotherauthenticationmechanismsareused(for example,physicalorlogicalsecuritytokens,smartcards,certificates, etc.)thatthemechanismsmustbelinkedtoanindividualaccountand ensureonlytheintendedusercangainaccesswiththatmechanism. Evolving Requirement Alignedlanguagebetweenrequirementandtesting proceduresforconsistency. Clarification VMwareProductApplicabilityGuide/14 VMware,Inc.3401HillviewAvenuePaloAltoCA94304USATel877G486G9273Fax650G427G5001www.vmware.com Copyright 2015VMware,Inc.Allrightsreserved.ThisproductisprotectedbyU.S.andinternationalcopyrightandintellectualpropertylaws.VMwareproductsarecoveredbyone ormorepatentslistedathttp:// marksandnamesmentionedhereinmaybetrademarksoftheirrespectivecompanies.

15 VMware EUCProductApplicabilityGuideforPaymentCardIndustryDataSecurityStandard(PCIDSS) PCIDSSV2.0 REQUIREMENT PCIDSSV3.0 CHANGE PCIDSSGREQUIREMENT9 TYPE Clarifiedintentoftherequirementistoimplementphysicaland/or logicalaccesscontrolstoprotectpublicallyyaccessiblenetworkjacks. Clarification 9.2.x 9.2.x Clarifiedtheintentoftherequirementtoidentify,distinguishbetween, andgrantaccesstoonsitepersonnelandvisitors,andthatbadgesare justoneoption(theyarenotrequired). Clarification 9.3 Newrequirementtocontrolphysicalaccesstosensitiveareasforonsite personnel,includingaprocesstoauthorizeaccess,andrevokeaccess immediatelyupontermination. Evolving Requirement 9.3.x 9.4.x Alignedlanguagebetweenrequirementandtestingproceduresfor consistencyandtoclarifythatvisitorsmustbeescortedatalltimes, andthattheaudittrailofvisitoractivitymustincludeaccesstothe facility,computerroom,and/ordatacenter. Clarification Formerrequirement9.6movedandrenumberedto9.5,andformer requirement9.5renumberedassubyrequirement Formerrequirement9.7renumberedto9.6,andformerrequirement 9.8renumberedassubYrequirement Formerrequirement9.9renumberedto9.7,andformerrequirement 9.10renumberedto9.8. Clarification 9.9.x Newrequirementstoprotectdevicesthatcapturepaymentcarddata viadirectphysicalinteractionwiththecardfromtamperingand substitution. EffectiveJuly1,2015 PCIDSSGREQUIREMENT10 Clarifiedthataudittrailsshouldbeimplementedtolinkaccessto systemcomponentstoeachindividualuser,ratherthanjust establishingaprocess. Clarifiedtheintentisforallindividualuseraccesstocardholder datatobeincludedintheaudittrails. Enhancedrequirementtoincludechangestoidentificationand authenticationmechanisms(includingcreationofnewaccounts,elevation ofprivileges),andallchanges,additionsanddeletionstoaccountswith rootoradministrativeaccess. Evolving Requirement Clarification Clarification Evolving Requirement Enhancedrequirementtoincludestoppingorpausingoftheauditlogs x PCIDSSGRequirement x 11.1.x Clarifiedtheintentoflogreviewsistoidentifyanomaliesorsuspicious activity,andprovidedmoreguidanceaboutscopeofdailylogreviews. Alsoallowedmoreflexibilityforreviewofsecurityeventsandcritical systemlogsdailyandotherlogseventsperiodically,asdefinedbythe entity sriskmanagementstrategy. Enhancedrequirementtoincludeaninventoryofauthorizedwireless accesspointsandabusinessjustification(11.1.1)tosupportscanning forunauthorizedwirelessdevices,andaddednewrequirement toalignwithanalreadyyexistingtestingprocedure,forincident responseproceduresifunauthorizedwirelessaccesspointsare detected. Evolving Requirement Clarification Evolving Requirement VMwareProductApplicabilityGuide/15 VMware,Inc.3401HillviewAvenuePaloAltoCA94304USATel877G486G9273Fax650G427G5001www.vmware.com Copyright 2015VMware,Inc.Allrightsreserved.ThisproductisprotectedbyU.S.andinternationalcopyrightandintellectualpropertylaws.VMwareproductsarecoveredbyone ormorepatentslistedathttp:// marksandnamesmentionedhereinmaybetrademarksoftheirrespectivecompanies.

16 VMware EUCProductApplicabilityGuideforPaymentCardIndustryDataSecurityStandard(PCIDSS) REQUIREMENT PCIDSSV2.0 PCIDSSV CHANGE Addedguidanceoncombiningmultiplescanreportsinordertoachieve anddocumentapassingresult. Clarifiedthatquarterlyinternalvulnerabilityscansincluderescansas neededuntilall high vulnerabilities(asidentifiedbypcidss Requirement6.1)areresolved,andmustbeperformedbyqualified personnel. Clarifiedthatexternalvulnerabilityscansincluderescansasneeded untilpassingscansareachieved,andaddedanotetorefertotheasv ProgramGuide. TYPE Additional Guidance Clarification Clarification Clarifiedthatinternalandexternalscansperformedaftersignificant changesincluderescansasneededuntilall high vulnerabilities(as identifiedbypcidssrequirement6.1)areresolved,andmustbe performedbyqualifiedpersonnel. Clarification 11.3 Newrequirementtoimplementamethodologyfor penetrationtesting. EffectiveJuly1,2015.PCIDSSv2.0requirementsforpenetration testingmustbefolloweduntilv3.0isinplace. Evolving Requirement Splitformerrequirement11.3into11.3.1forexternalpenetration testingrequirementsand11.3.2forinternalpenetrationtesting requirements. Clarification Newrequirementcreatedfromformertestingprocedure(11.3.b)to correctexploitablevulnerabilitiesfoundduringpenetrationtestingand repeattestingtoverifycorrections. Clarification Newrequirement,ifsegmentationisusedtoisolatetheCDEfromother networks,toperformpenetrationteststoverifythatthesegmentation methodsareoperationalandeffective.. Evolving Requirement IncreasedflexibilitybyspecifyingintrusionNdetectionand/orintrusion preventiontechniquestodetectand/orpreventintrusionsinthenetwork ratherthan intrusionydetectionsystemsand/orintrusionyprevention systems. Increasedflexibilitybyspecifyingchangedetection mechanismratherthan fileintegritymonitoring. Clarification Clarification Newrequirementtoimplementaprocesstorespondtoanyalerts generatedbythechangeydetectionmechanism(supports11.5) PCIDSSGREQUIREMENT12 Evolving Requirement ,2.5, 3.7,4.3, 5.4,6.7, 7.3,8.8, 9.10,10.8, 11.6 Combinedformerrequirementsat12.1.1(fortheinformationsecurity policytoaddressallpcidssrequirements)and 12.2(foroperationalsecurityprocedures),andmovedtheminto Requirements1through11,asarequirementineach. Clarification Movedformerrequirement12.1.3to Clarification Movedformerrequirement12.1.2foranannualriskassessmentprocess to12.2,andclarifiedthattheriskassessmentshouldbeperformedat leastannuallyandaftersignificantchangestotheenvironment. Evolving Requirement VMwareProductApplicabilityGuide/16 VMware,Inc.3401HillviewAvenuePaloAltoCA94304USATel877G486G9273Fax650G427G5001www.vmware.com Copyright 2015VMware,Inc.Allrightsreserved.ThisproductisprotectedbyU.S.andinternationalcopyrightandintellectualpropertylaws.VMwareproductsarecoveredbyone ormorepatentslistedathttp:// marksandnamesmentionedhereinmaybetrademarksoftheirrespectivecompanies.

17 VMware EUCProductApplicabilityGuideforPaymentCardIndustryDataSecurityStandard(PCIDSS) PCIDSSV2.0 REQUIREMENT PCIDSSV3.0 CHANGE TYPE Clarifiedthat labeling isanexampleofamethodtobeused. Clarification Newtestingproceduretoverifypolicyisimplementedfor disconnectingremoteaccesssessionsafteraspecificperiodof inactivity. Alignedlanguagebetweenrequirementandtestingproceduresto clarifythat,wherethereisanauthorizedbusinessneedforpersonnelto accesscardholderdataviaremoteyaccesstechnologies,thedatamust beprotectedinaccordancewithallapplicablepcidssrequirements. Clarification Clarification Clarifiedintenttoimplementandmaintainpoliciesandproceduresto manageserviceproviderswithwhichcardholderdataisshared,orthat couldaffectthesecurityofcardholderdata. Clarification Clarifiedtheapplicableresponsibilitiesfortheserviceprovider swritten agreement/acknowledgement. NewrequirementtomaintaininformationaboutwhichPCIDSS requirementsaremanagedbyeachserviceprovider,andwhichare managedbytheentity. Newrequirementforserviceproviderstoprovidethewritten agreement/acknowledgmenttotheircustomersasspecifiedat requirement12.8. EffectiveJuly1,2015 Clarification Evolving Requirement Evolving Requirement 12.9.x x Renumberedrequirementandupdated toclarifytheintentisfor alertsfromsecuritymonitoringsystemstobeincludedintheincident responseplan. Clarification Table3:RequirementChanges VMwareProductApplicabilityGuide/17 VMware,Inc.3401HillviewAvenuePaloAltoCA94304USATel877G486G9273Fax650G427G5001www.vmware.com Copyright 2015VMware,Inc.Allrightsreserved.ThisproductisprotectedbyU.S.andinternationalcopyrightandintellectualpropertylaws.VMwareproductsarecoveredbyone ormorepatentslistedathttp:// marksandnamesmentionedhereinmaybetrademarksoftheirrespectivecompanies.

18 VMware EUCProductApplicabilityGuideforPaymentCardIndustryDataSecurityStandard(PCIDSS) CloudComputing Cloudcomputingandvirtualizationhavecontinuedtogrowsignificantlyeveryyear.Thereisarushtomove applicationsandevenwholedatacenterstothe cloud,althoughfewpeoplecansuccinctlydefinetheterm cloud computing. Thereareavarietyofdifferentframeworksavailabletodefinethecloud,andtheirdefinitionsare importantastheyserveasthebasisformakingbusiness,security,andauditdeterminations.vmwaredefinescloud orutilitycomputingasthefollowing( CloudcomputingisanapproachtocomputingthatleveragestheefficientpoolingofonNdemand,selfNmanaged virtualinfrastructure,consumedasaservice.sometimesknownasutilitycomputing,cloudsprovideasetof typicallyvirtualizedcomputerswhichcanprovideuserswiththeabilitytostartandstopserversorusecompute cyclesonlywhenneeded,oftenpayingonlyuponusage.. Figure6:CloudComputing Therearecommonlyaccepteddefinitionsforthecloudcomputingdeploymentmodelsandthereareseveralgenerally acceptedservicemodels.thesedefinitionsarelistedbelow: PrivateCloud Thecloudinfrastructureisoperatedsolelyforanorganizationandmaybemanagedbythe organizationorathirdparty.thecloudinfrastructuremaybeonpremiseoroffypremise. PublicCloud Thecloudinfrastructureismadeavailabletothegeneralpublicortoalargeindustrygroupandis ownedbyanorganizationthatsellscloudservices. HybridCloud Thecloudinfrastructureisacompositionoftwoormoreclouds(privateandpublic)thatremain uniqueentities,butareboundtogetherbystandardizedtechnology.thisenablesdataandapplicationportabilityr forexample,cloudburstingforloadbalancingbetweenclouds.withahybridcloud,anorganizationgetsthebest VMwareProductApplicabilityGuide/18 VMware,Inc.3401HillviewAvenuePaloAltoCA94304USATel877G486G9273Fax650G427G5001www.vmware.com Copyright 2015VMware,Inc.Allrightsreserved.ThisproductisprotectedbyU.S.andinternationalcopyrightandintellectualpropertylaws.VMwareproductsarecoveredbyone ormorepatentslistedathttp:// marksandnamesmentionedhereinmaybetrademarksoftheirrespectivecompanies.

19 VMware EUCProductApplicabilityGuideforPaymentCardIndustryDataSecurityStandard(PCIDSS) VMwareProductApplicabilityGuide/19 VMware,Inc.3401HillviewAvenuePaloAltoCA94304USATel877G486G9273Fax650G427G5001www.vmware.com Copyright 2015VMware,Inc.Allrightsreserved.ThisproductisprotectedbyU.S.andinternationalcopyrightandintellectualpropertylaws.VMwareproductsarecoveredbyone ormorepatentslistedathttp:// marksandnamesmentionedhereinmaybetrademarksoftheirrespectivecompanies. ofbothworlds,gainingtheabilitytoburstintothepubliccloudwhenneededwhilemaintainingcriticalassetsony premise. CommunityCloud Thecloudinfrastructureissharedbyseveralorganizationsandsupportsaspecific communitythathassharedconcerns(forexample,mission,securityrequirements,policy,andcompliance considerations).itmaybemanagedbytheorganizationsorathirdparty,andmayexistonypremiseoroffpremise. CloudGBased EndUserComputing CloudYBasedEndUserComputinginfrastructureisbasedonan underlyingcloudinfrastructuremodel,andprovidesfororganizationstoleverageanyofthepreviouslydescribed cloudinfrastructuremodelstodeliverenduserdesktops,mobiledevice&contentmanagement,andsecure accesstodata&applications. TolearnmoreaboutVMware sapproachtocloudcomputing,reviewthefollowing: VMwareCloudComputingOverview VMware svcloudarchitecturetoolkit Whenanorganizationisconsideringthepotentialimpactofcloudcomputingtotheirhighlyregulatedandcritical applications,theymaywanttostartbyasking: Isthearchitectureatruecloudenvironment(doesitmeetthedefinitionofcloud)? Whatservicemodelisusedforthecardholderdataenvironment(SaaS,PaaS,andIaaS)? Whatdeploymentmodelwillbeadopted? Isthecloudplatformatrustedplatform? Thelastpointiscriticalwhenconsideringmovinghighlyregulatedapplicationstoacloudplatform.PCIdoesnot endorseorprohibitanyspecificserviceanddeploymentmodel.theappropriatechoiceofserviceanddeployment modelsshouldbedrivenbycustomerrequirements,andthecustomer schoiceshouldincludeacloudsolutionthatis implementedusingatrustedplatform. VMwareisthemarketleaderinvirtualization,thekeyenablingtechnologyforcloudcomputing.VMware svcloud Suiteisthetrustedcloudplatformthatcustomersusetorealizethemanybenefitsofcloudcomputing,including safelydeployingbusinesscriticalapplications. IfyouareanorganizationorpartnerthatisinterestedinmoreinformationontheVMwareComplianceProgram, WheretoStartGConsiderationsforManagement,ITandAuditors+ MigratingatraditionalITinfrastructuretoavirtualorcloudenvironmenthasasignificantimpactonanorganization thatextendsbeyondinformationtechnology.securityandcompliancecontinuetoremaintopconcernsfor management,itdepartments,andauditors.allthreeareasshouldberepresentedandengagedforanyit virtualizationorcloudprojectstoconfirmthatbusiness,itoperations,andcomplianceteamscarefullyconsiderthe benefitsandrisks.themovetocloudandvirtualenvironmentshasmanytechnicalconsiderations,butitshouldalso beabusinessdecision.organizationsshouldreviewthebenefitsandrisksoftheircurrentenvironmentandcompare themtothedifferentclouddeploymentmodelsandservicemodels. SpecifictoEUC,apreYexistingclouddeploymentisrequired.TheextensiontoEUCprovidestheabilitytobetter managemobileandremoteusers.thisfinalareaiskeybecauseitbringswithitaspecificfocusonaccesscontrol bothforusersanddata.organizationsdeployingeucshouldconsiderthedeliverymodelbecausethereissomuch flexibilityinpickingandchoosingthetechnologyandsupportingtherequisitecontrols. Thefollowingquestionsmaybeimportantwhenconsideringthepotentialbusinessimpact,benefits,andrisksofa virtualand/orcloudenvironment. VMwareGSpecificAssessmentConsiderations 1. WhatcertificationsdoesyourteamhaveinVMwareproductsorsolutions? 2. Areyouworkingwithanauditpartnertohelpassessandmanagerisk&complianceconsiderations? 3. HowmanyindividualsthatarepartoftheassessmentteamhaveexperiencewithVMware?

20 VMware EUCProductApplicabilityGuideforPaymentCardIndustryDataSecurityStandard(PCIDSS) 4. HowlonghavetheybeenworkingwithVMwarearchitectures? 5. Whatreferencesdotheyhaveforconductingsimilarassessments? 6. WhatpartsoftheEUCsolutionwillyoudeployanddoesthedesignleaveoutanycontrols? Management/BusinessConsiderations 1. CantheCloudbeastrategicdifferentiatorforthebusinessorisitacommodityservice? 2. HowarecompetitorsorpartnersleveragingCloudandvirtualization? 3. WhatisthebusinessvaluethatCloudcoulddelivertoOperations? 4. WhatisthestrategicvaluethatCloudcoulddelivertotheCompany? 5. IstheITBudgetexpandingorcontracting? 6. WhataretheareaswhereCloudcanprovideadditionalvaluetothecompany? 7. ArethereeffortstoconsolidateITfunctionsthatcanbeaddressedwithCloud? 8. WhatarethecriticalITservicesthatareorcouldbeoutsourced? ITConsiderations 1. HowdoIToperationalprocessesaddress&supportthecompany sstrategicandoperationalgoals? 2. Whatmanualprocessesareinplacethatcanbeautomated? 3. WhataretheskillsandcapabilitiesoftheITDepartment? 4. Havetherebeenanypreviousattemptstovirtualizeoroutsourcecriticaloperations? 5. WhichITinitiativescurrentlyunderwaycouldaffectthescopeoftheCardholderDataEnvironment? 6. Howisencryptionandtokenizationcurrentlyusedtolimitrisk? 7. Howissensitivedatacurrentlyclassified(i.e.,doyouknowwhereallyourPCIdataresides)? 8. Aretheresecondarysystemsthatmighthavecreditcarddata(accounting,marketing)? 9. HowhassecurityandcomplianceaffectedITOperations? AuditConsiderations 1. Whatpriorexperiencedoestheauditorhavewithvirtualenvironments(QualifiedSecurityAssessor(QSA)or InternalSecurityAssessor(ISA))? 2. HastheQSAorISAsuccessfullyassessedPCIenvironmentsinthecloudorvirtualareas? 3. WhatcertificationsdotheyhaveinVMwareproductsorsolutions? 4. HowmanyindividualsthatarepartoftheassessmentteamhaveexperiencewithVMware? 5. WhatthoughtleadershipandguidancehastheQSA/ISApublished? 6. WhataretherisksandmitigationtechniquestheQSA/ISAbelievesareappropriateformultiYtenancyormixedY modeenvironments? 7. HowlonghavetheybeenworkingwithVMwarearchitectures? 8. HavetheybeeninvolvedwiththePCISpecialInterestGrouporotherPCIcommunities? 9. Whatreferencesdotheyhaveforconductingsimilarassessments? 10. IstheQSA/ISAassignedtotheauditengagementcompanyknowledgeableaboutthebasiccomponents, systems,andsoftwareinavmwarecloud? GuidancefromthePaymentCardIndustrySecurityStandardsCouncil VMwareProductApplicabilityGuide/20 VMware,Inc.3401HillviewAvenuePaloAltoCA94304USATel877G486G9273Fax650G427G5001www.vmware.com Copyright 2015VMware,Inc.Allrightsreserved.ThisproductisprotectedbyU.S.andinternationalcopyrightandintellectualpropertylaws.VMwareproductsarecoveredbyone ormorepatentslistedathttp:// marksandnamesmentionedhereinmaybetrademarksoftheirrespectivecompanies.