VMware Product Applicability Guide for Payment Card Industry Data Security Standard (PCI DSS) version 3.0

February 2014

V3.0 DESIGN DOCUMENT

This is the first document in the Compliance Reference Architecture for PCI. You can find more information on the Framework and download the additional documents from the Resources tab on VMware Solution Exchange here.
VMware Product Applicability Guide for Payment Card Industry (PCI)

Table of Contents

EXECUTIVE SUMMARY ... 4
INTRODUCTION ... 5
OVERVIEW OF PCI AS IT APPLIES TO CLOUD/VIRTUAL ENVIRONMENTS ... 7
SUMMARY OF RELEVANT CHANGES FROM PCI DSS 2.0 TO 3.0 ... 8
GUIDANCE FROM THE PAYMENT CARD INDUSTRY SECURITY STANDARDS COUNCIL ... 24
PCI COMPLIANCE STACK ... 30
VMWARE PCI REQUIREMENTS MATRIX (OVERVIEW) ... 31
VMWARE PCI REQUIREMENTS MATRIX (BY PRODUCT FAMILY) ... 33
    VCLOUD INFRASTRUCTURE ... 33
    VCLOUD NETWORKING AND SECURITY ... 38
    NSX ... 42
    INFRASTRUCTURE MANAGEMENT ... 47
    END USER COMPUTING ... 53
SUMMARY ... 57

VMWARE PRODUCT APPLICABILITY GUIDE 2

VMware, Inc. 3401 Hillview Avenue Palo Alto CA 94304 USA Tel 877-486-9273 Fax 650-427-5001 www.vmware.com
Copyright 2014 VMware, Inc. All rights reserved. This product is protected by U.S. and international copyright and intellectual property laws. VMware products are covered by one or more patents listed at http://www.vmware.com/go/patents. VMware is a registered trademark or trademark of VMware, Inc. in the United States and/or other jurisdictions. All other marks and names mentioned herein may be trademarks of their respective companies.
Revision History

| Date | Rev | Author | Comments | Reviewers |
|---|---|---|---|---|
| July 10, 2015 | 1.1 | Jerry Breaud | Formatting changes | N/A |
| February 24, 2014 | 1.0 | Allen Shortnacy | Initially Created | Internal SME, Coalfire QSA |

Design Subject Matter Experts

The following people provided key input into this design.

| Name | Email Address | Role/Comments |
|---|---|---|
| Allen Shortnacy | eshortnacy@vmware.com | Partner Architect |
| Noah Weisberger | noah.weisberger@coalfire.com | Director - Cloud, Virtualization & Mobile Practice |
Executive Summary

The Payment Card Industry Data Security Standard (PCI DSS) is applicable to all types of environments that store, process, or transmit cardholder data. This includes information such as personal account numbers (PAN), as well as any other information that has been defined as cardholder data by the PCI DSS. Cloud computing is no exception to the PCI DSS audit process, and many of the cloud's advantages over earlier paradigms (sharing of resources, workload mobility, consolidated management plane, etc.) themselves necessitate that adequate controls are adopted to help meet the PCI DSS audit. PCI considerations are essential for assessors to help them understand what they might need to know about an environment in order to be able to determine whether a PCI DSS requirement has been met. If payment card data is stored, processed or transmitted in a cloud environment, PCI DSS will apply to that environment, and will typically involve validation of both the infrastructure and the applications running in that environment.
Many enterprise computing environments in various vertical industries are subject to PCI DSS compliance, and generally those that deal in any kind of financial transaction for exchanging goods and services rely on VMware and VMware Technology Partner solutions to deliver those enterprise computing environments. As such, these enterprises seek ways to reduce overall IT budget while maintaining an appropriate overall risk posture for the in-scope environment. One of the greatest challenges in hosting the next generation enterprise computing environment is consolidating the many modes of trust required, such as those required for a Cardholder Data Environment (CDE) and a non-Cardholder Data Environment.

For these reasons VMware has enlisted its Audit Partners such as Coalfire, a PCI DSS-approved Qualified Security Assessor, to engage in a programmatic approach to evaluate VMware products and solutions for PCI DSS control capabilities and then to document these capabilities in a set of reference architecture documents. The first of these documents is this Product Applicability Guide, which contains a mapping of the VMware products and features that should be considered for implementing PCI DSS controls. The next two documents that, together with this guide, comprise the PCI DSS Reference Architecture are the Architecture Design Guide and the Validated Reference Architecture, which will provide guidance on the considerations to be made when designing a vCloud environment for PCI DSS as well as a lab validation exercise analyzing an instance of this reference architecture which utilizes the concepts and approaches outlined therein. For more information on these documents and the general approach to compliance issues please review VMware's Approach to Compliance.
In addition, VMware and Coalfire are engaged with VMware Technology Partners to analyze their products and solutions (available on VMware Solution Exchange) with the goal of providing continuing examples to the industry. In an ongoing effort, VMware and Coalfire will utilize this information to create new "joint" reference architectures based on the VMware Reference Architecture for PCI DSS where partner products and solutions are combined and auditor validated to further ease adoption for CIOs, IT managers, architects, IT auditors and security practitioners involved with a VMware vCloud Suite 5.5 based Cloud Computing Architecture. See Figure 2 in this document for the Compliance Solution Categories.

This study investigated different applications available to organizations that use (or are considering using) virtualization and cloud to support a mixed-mode virtual environment. To that end, Coalfire highlighted the specific PCI DSS requirements these applications address, and recommends an approach for organizations and their QSAs or Internal Security Assessors (ISAs) to test their compliance with PCI DSS v3.0. It has been reviewed and authored by our staff of Qualified Security Assessors in conjunction with VMware.

If you have any comments regarding this whitepaper, we welcome any feedback at vmware@coalfire.com or compliance-solutions@vmware.com.
Introduction

Compliance and security continue to be top concerns for organizations that plan to move any or all of their environment to cloud computing. VMware helps organizations address these challenges by providing bundled solutions (suites) that are designed for specific use cases. These use cases address questions like "How to be PCI compliant in a VMware Private Cloud" by providing helpful information for VMware architects, the compliance community, and third parties.

The 2013 PCI Private Cloud Use Case is focused on enterprises wishing to build out a private cloud computing environment for hosting applications that may be subject to a PCI DSS audit. This guide is focused on 5 groups of technologies used to build architectures and operating models in order to support this goal. Those 5 groups are Cloud Infrastructure, Cloud Infrastructure Management, Cloud Networking and Security, Network and Security Virtualization and End User Computing. The Private Cloud Use Case also provides readers with a mapping of the specific PCI 3.0 controls to VMware's product suites, products, and partner solutions contained in those 5 groups. While every cloud is unique, VMware and its partners can provide a solution that can potentially address over 70% of the PCI DSS technical requirements.

Figure 1: PCI Requirements
Figure 2: VMware + Partner Product Capabilities for a Trusted Cloud
Overview of PCI as it applies to Cloud/Virtual Environments

The PCI Security Standards Council (SSC) was established in 2006 by five global payment brands (American Express, Discover Financial Services, JCB International, MasterCard Worldwide, and Visa Inc.). The payment brands require through their operating regulations that any merchant or service provider must be PCI compliant. Merchants and service providers are required to validate their compliance by assessing their environment against nearly 300 specific test controls outlined in the Payment Card Industry Data Security Standards (DSS). Failure to meet PCI DSS requirements may lead to fines, penalties, or inability to process credit cards, in addition to potential reputational loss.

The PCI DSS has six categories with twelve total requirements as outlined below:

Table 1: PCI Data Security Standard

The PCI SSC specifically began providing formalized guidance for cloud and virtual environments in October, 2010. These guidelines were based on industry feedback, rapid adoption of virtualization technology, and the move to cloud computing environments. Version 3.0 (and version 2.0) of the Data Security Standard (DSS) specifically mentions the term "virtualization" (previous versions did not use the word "virtualization"). This was followed by an additional document explaining the intent behind the PCI DSS v2.0, "Navigating PCI DSS". These documents were intended to clarify that virtual components should be considered as "components" for PCI, but did not go into the specific details and risks relating to virtual environments. Instead, they address virtual and cloud specific guidance in an information supplement, "PCI DSS Virtualization Guidelines," released in June 2011 by the PCI SSC's Virtualization Special Interest Group (SIG).
Figure 3: Navigating PCI DSS

The existing virtualization supplement was written to address a broad set of users (from small retailers to large cloud providers) and remains product agnostic (no specific mentions of vendors and their solutions).

VMware solutions are designed to help organizations address various regulatory compliance requirements. This document is intended to provide general guidance for organizations that are considering VMware solutions to help them address such requirements. VMware encourages any organization that is considering VMware solutions to engage appropriate legal, business, technical, and audit expertise within their specific organization for review of regulatory compliance requirements. It is the responsibility of each organization to determine what is required to meet any and all requirements. The information contained in this document is for educational and informational purposes only. This document is not intended to provide legal advice and is provided AS IS. VMware makes no claims, promises or guarantees about the accuracy, completeness, or adequacy of the information contained herein. Nothing that you read in this document should be used as a substitute for the advice of competent legal counsel.

Summary of Relevant Changes from PCI DSS 2.0 to 3.0

With the recent release of the PCI DSS (Data Security Standard) 3.0, while little additional guidance has been released with regard to virtualization specifically, there have been a number of enhancements and clarifications that may potentially have significant design & operational considerations above and beyond those which were required for compliance with the PCI DSS 2.0. It should be noted that none of the new PCI DSS 3.0 requirements or considerations are inconsistent with or materially different from those found in version 2.0, but rather are simply additions, enhancements, and clarifications. An updated Navigating PCI DSS document for version 3.0 has not been released by the PCI SSC (Security Standards Council) as of the time of this writing.
With every iteration of the PCI DSS and the associated changes & updates, particularly when new requirements are presented, organizations are given additional time to implement these controls through the "Sunrise" process. While entities can choose to manage their cardholder data environments under the PCI DSS 2.0 until December 31, 2014 at the latest, after this point all PCI DSS programs and audits must adhere to version 3.0. Additionally, many of the new requirements under the PCI DSS 3.0 are considered best practices until July 1, 2015, giving organizations additional time to prepare to meet these new requirements in an appropriate manner.

Figure 4: PCI DSS 3.0 Changes and Updates

Many of the new controls and changes in PCI DSS 3.0 reflect the growing maturity of the Payment Card Industry, and the need to focus more on a risk-based approach and deal with the threats and associated risks which most commonly lead to incidents involving the compromise of cardholder data. Along with the new controls and focus areas, version 3.0 provides PCI organizations and assessors with additional guidance and flexibility around designing, implementing, and validating the requisite PCI DSS controls. It should also be noted that with increased guidance and flexibility in the standard and individual controls, a greatly increased level of stringency is required in the validation of those controls and the risk-based approach to managing PCI DSS requirements. At a high level, the updates to version 3.0 of the DSS include:

- Providing stronger focus on some of the greater risk areas in the threat environment
- Providing increased clarity on PCI DSS & PA-DSS requirements
- Building greater understanding on the intent of the requirements and how to apply them
- Improving flexibility for all entities implementing, assessing, and building to the Standards
- Driving more consistency among assessors
- Helping manage evolving risks/threats
- Aligning with changes in industry best practices
- Clarifying scoping and reporting
- Eliminating redundant sub-requirements and consolidating documentation

We also have several key themes around managing PCI DSS 3.0 and taking a proactive business-as-usual approach to protecting cardholder data, and focusing primarily on security, as opposed to pure compliance, which have been updated in the latest version, and for which the PCI Security Standards Council has provided guidance. The following guidance has been released by the Council regarding these high-level concepts and how they apply to PCI DSS 3.0. From the "PCI DSS Version 3.0 Change Highlights" document:
Education and awareness

Lack of education and awareness around payment security, coupled with poor implementation and maintenance of the PCI Standards, gives rise to many of the security breaches happening today. Updates to the standards are geared towards helping organizations better understand the intent of requirements and how to properly implement and maintain controls across their business. Changes to PCI DSS and PA-DSS will help drive education and build awareness internally and with business partners and customers.

Increased flexibility

Changes in PCI DSS 3.0 focus on some of the most frequently seen risks that lead to incidents of cardholder data compromise, such as weak passwords and authentication methods, malware, and poor self-detection, providing added flexibility on ways to meet the requirements. This will enable organizations to take a more customized approach to addressing and mitigating common risks and problem areas. At the same time, more rigorous testing procedures for validating proper implementation of requirements will help organizations drive and maintain controls across their business.

Security as a shared responsibility

Securing cardholder data is a shared responsibility. Today's payment environment has become ever more complex, creating multiple points of access to cardholder data. Changes introduced with PCI DSS focus on helping organizations understand their entities' PCI DSS responsibilities when working with different business partners to ensure cardholder data security.

The following table presents the high-level summary of specific changes, updates, and clarifications from PCI DSS 2.0 to 3.0:

General Changes:

| General changes implemented throughout the PCI DSS requirements | Type |
|---|---|
| New column to describe the intent of each requirement, with content derived from the former Navigating PCI DSS guidance document. The guidance in this column is intended to assist understanding of the requirements and does not replace or extend the PCI DSS requirements and testing procedures. | Additional Guidance |
| For the security policies and daily operational procedures (formerly requirements 12.1.1 and 12.2), assigned a new requirement number and moved requirements and testing procedures into each of Requirements 1-11. | |
| Updated language in requirements and/or corresponding testing procedures for alignment and consistency. | |
| Separated complex requirements/testing procedures for clarity and removed redundant or overlapping testing procedures. | |
| Enhanced testing procedures to clarify level of validation expected for each requirement. | |
VMWARE'PRODUCT'APPLICABILITY'GUIDE' 11' VMware,(Inc.3401HillviewAvenuePaloAltoCA94304USATel877P486P9273Fax650P427P5001www.vmware.com Copyright 2014VMware,Inc.Allrightsreserved.ThisproductisprotectedbyU.S.andinternationalcopyrightandintellectualpropertylaws. VMwareproductsarecoveredbyoneormorepatentslistedathttp://www.vmware.com/go/patents.VMwareisaregisteredtrademarkortrademark ofvmware,inc.intheunitedstatesand/orotherjurisdictions.allothermarksandnamesmentionedhereinmaybetrademarksoftheirrespective companies. VMwareProductApplicabilityGuideforPaymentCardIndustry(PCI) Othergeneraleditingchangesinclude: Removedthefollowingcolumns: InPlace, NotinPlace and TargetDate/Comments. Renumberedrequirementsandtestingprocedurestoaccommodatechanges Reformattedrequirementsandtestingproceduresforreadability e.g.contentfromparagraphreformattedto bulletpoints,etc. Mademinorwordingchangesthroughoutforreadability Correctedtypographicalerrors Summary&Changes:& Section Change& Type PCI&DSS&v2.0 PCI&DSS&v3.0 PCIDSS Applicability Information PCIDSS Applicability Information ClarifiedthatSADmustnotbestoredafterauthorizationevenif thereisnopanintheenvironment. Relationship between PCI DSS and PAP DSS Relationship between PCI DSS and PAP DSS Clarifiedthatallapplicationsthatstore,process,ortransmit cardholderdataareinscopeforanentity spcidss assessment,evenifpapdssvalidated. ClarifiedPCIDSSapplicabilitytopaymentapplicationvendors. Scopeof Assessmentfor Compliancewith PCIDSS Requirements ScopeofPCI DSS Requirements Addedexamplesofsystemcomponents,andaddedguidance abouthowtoaccuratelydeterminethescopeoftheassessment. Clarifiedtheintentofsegmentation. Clarifiedresponsibilitiesofboththethirdpartyandtheircustomers forscopingandcoverageofpcidssrequirements,andclarified theevidencethatthirdpartiesareexpectedtoprovidefortheir customerstobeabletoverifythescopeofthethirdparty spci DSSassessment. 
Additional Guidance ImplementingPCI DSSintoBusinessP aspusual Processes Newsectiontoprovide businessasusual guidancefor implementingsecurityintobusinesspaspusual(bau)activitiesto maintainonpgoingpcidsscompliance.notethatthissection includesrecommendationsandguidanceonly,notnewpcidss requirements. Additional Guidance Assessment Procedures AddednewheadingtoseparatePCIDSSscopingsectionfrom samplingsection. Samplingof Business Facilities/System Components ForAssessors: Samplingof Business Facilities/System Components Enhancedsamplingguidanceforassessors. Additional Guidance Instructionsand ContentforReport oncompliance Instructionsand ContentforReport oncompliance Formercontentrelocatedtoseparatedocuments PCIDSS ROCTemplateandPCIDSSROCReportingInstructions.
VMWARE'PRODUCT'APPLICABILITY'GUIDE' 12' VMware,(Inc.3401HillviewAvenuePaloAltoCA94304USATel877P486P9273Fax650P427P5001www.vmware.com Copyright 2014VMware,Inc.Allrightsreserved.ThisproductisprotectedbyU.S.andinternationalcopyrightandintellectualpropertylaws. VMwareproductsarecoveredbyoneormorepatentslistedathttp://www.vmware.com/go/patents.VMwareisaregisteredtrademarkortrademark ofvmware,inc.intheunitedstatesand/orotherjurisdictions.allothermarksandnamesmentionedhereinmaybetrademarksoftheirrespective companies. VMwareProductApplicabilityGuideforPaymentCardIndustry(PCI) PCIDSS Compliance Completion Steps PCIDSS Assessment Process Updatedsectiontofocusonassessmentprocessratherthan documentation. DetailedPCI DSS Requirements andsecurity Assessment Procedures DetailedPCI DSS Requirements andsecurity Assessment Procedures Atthestartofthissection,addedlanguagetodefinethecolumn headingsinthissection,andremovedreferencesto InPlace, Not InPlace and TargetDate/Comments columns. & & & & Requirement&Changes:& Requirement & & Change Type PCI&DSS&v2.0 PCI&DSS&v3.0 PCI&DSS&Z&Requirement&1 1.1.x 1.1.x Clarifiedthatfirewallandrouterstandardshavetobeboth documentedandimplemented. 1.1.2 1.1.2 1.1.3 Clarifiedwhatthenetworkdiagrammustincludeandaddednew requirementat1.1.3foracurrentdiagramthatshowscardholderdata flows. Evolving Requirement 1.1.5 1.1.6 Clarifiedexamplesofinsecureservices,protocols,andportstospecify SNMPv1andv2. 1.2.2 1.2.2 Clarifiedthattheintentofsecuringrouterconfigurationfilesistosecure themfromunauthorizedaccess. 1.2.3 1.2.3 Clarifiedthattheintentofcontrollingtrafficbetweenwirelessnetworks andthecdeisto permitonlyauthorizedtraffic. 1.3.4 1.3.4 ClarifiedtheintentoftherequirementisthatantiPspoofingmeasures areimplementedtodetectandblockforgedsourceipaddresses fromenteringthenetwork. 1.4 1.4 Alignedlanguagebetweenrequirementandtesting proceduresforconsistency. 
PCI&DSS&Z&Requirement&2 2.1 2.1 Clarifiedthatrequirementforchangingvendordefaultpasswords appliestoalldefaultpasswords,includingsystems,applications, securitysoftware,terminals,etc.andthatunnecessarydefaultaccounts areremovedordisabled. 2.1.1 2.1.1 Clarifiedthattheintentoftherequirementisforallwirelessvendor defaultstobechangedatinstallation.
VMwareProductApplicabilityGuideforPaymentCardIndustry(PCI) PCI&DSS&v2.0 Requirement PCI&DSS&v3.0 & & Change Type 2.2 2.2 Clarifiedthatsystemconfigurationstandardsincludeproceduresfor changingofallvendorpsupplieddefaultsandunnecessarydefault accounts. 2.2.2 2.2.2 2.2.3 Splitrequirementat2.2.2intotworequirementstofocusseparately onnecessary'services,protocolsandports(2.2.2),andsecure' services,protocols,andports(2.2.3). 2.4 Newrequirementtomaintainaninventoryofsystemcomponentsin scopeforpcidsstosupportdevelopmentofconfigurationstandards. Evolving Requirement PCI&DSS&Z&Requirement&3 3.1 3.1.1 3.1 3.2 3.2 Combinedrequirement3.1.1andtestingproceduresinto requirement3.1toclarifyandreduceredundancy. Clarified,ifsensitiveauthenticationdataisreceived,thatitisrendered unrecoverableuponcompletionofthe authorizationprocess.clarifiedtestingproceduresforcompaniesthat supportissuingservicesandstoresensitiveauthenticationdata. 3.3 3.3 3.4.1 3.4.1 ClarifiedintentofrequirementformaskingPANsbyconsolidating formernoteintobodyoftherequirement,andenhancingtesting procedures. Clarifiedthatlogicalaccessfordiskencryptionmustbemanaged separately'andindependentlyofthenativeoperatingsystem authentication'andaccesscontrolmechanisms,andthat decryptionkeysmustnotbeassociated'with'useraccounts. 3.5 3.5 Clarifiedthatkeymanagementprocedureshavetobeboth implementedanddocumented. 3.5.2 3.5.2 3.5.3 Splitrequirement3.5.2intotworequirementstofocusseparatelyon storingcryptographickeysinasecureform(3.5.2),andinthefewest possiblelocations(3.5.3).requirement3.5.2alsoprovidesflexibility withmoreoptionsforsecurestorageofcryptographickeys. 3.6.x 3.6.x Addedtestingprocedurestoverifyimplementationof cryptographickeymanagementprocedures. 3.6.6 3.6.6 Clarifiedprinciplesofsplitknowledgeanddualcontrol. PCI&DSS&Z&Requirement&4 4.1 4.1 Alignedlanguagebetweenrequirementandtestingproceduresfor consistency.alsoexpandedtheexamplesofopen,publicnetworks. 
Requirement5PGeneral 5.1.2 PCI&DSS&Z&Requirement&5 Titleupdatedtoreflectintentoftherequirement(toprotect'all'systems' against'malware). Newrequirementtoevaluateevolvingmalwarethreatsforany systemsnotconsideredtobecommonlyaffectedbymalicious software. Evolving Requirement VMWARE'PRODUCT'APPLICABILITY'GUIDE' 13' VMware,(Inc.3401HillviewAvenuePaloAltoCA94304USATel877P486P9273Fax650P427P5001www.vmware.com Copyright 2014VMware,Inc.Allrightsreserved.ThisproductisprotectedbyU.S.andinternationalcopyrightandintellectualpropertylaws. VMwareproductsarecoveredbyoneormorepatentslistedathttp://www.vmware.com/go/patents.VMwareisaregisteredtrademarkortrademark ofvmware,inc.intheunitedstatesand/orotherjurisdictions.allothermarksandnamesmentionedhereinmaybetrademarksoftheirrespective companies.
VMwareProductApplicabilityGuideforPaymentCardIndustry(PCI) PCI&DSS&v2.0 Requirement PCI&DSS&v3.0 & & Change Type 5.2 5.2 5.3 6.2 6.1 6.1 6.2 6.3 6.3 6.3.1 6.3.1 6.4 6.4 6.4.1 6.4.1 6.5 6.5 6.5.x 6.5.x 6.5.10 6.6 6.6 Alignedlanguagebetweenrequirementandtesting proceduresforconsistency. NewrequirementtoensurethatantiPvirussolutionsareactivelyrunning (formerlyin5.2),andcannotbedisabledoralteredbyusersunless specificallyauthorizedbymanagementonaperpcasebasis. PCI&DSS&Z&Requirement&6 Switchedtheorderofrequirements6.1and6.2.Requirement6.1is nowforidentifyingandriskrankingnewvulnerabilitiesand6.2isfor patchingcriticalvulnerabilities.clarifiedhowriskrankingprocess(6.1) alignswithpatchingprocess(6.2). Seeaboveexplanationfor6.1.Also,clarifiedthatthis requirementappliesto applicable patches. Addedanotetoclarifythattherequirementforwrittensoftware developmentprocessesappliestoallinternallypdevelopedsoftware andbespokesoftware. Changed prepproduction to development/test toclarify intentofrequirement Enhancedtestingprocedurestoincludedocumentreviewsforall requirementsat6.4.1through6.4.4. Alignedlanguagebetweenrequirementandtestingprocedurestoclarify thatseparationofproduction/developmentenvironmentsisenforced withaccesscontrols. Updated developer training to include how to avoid common coding vulnerabilities, and to understand how sensitive data is handled in memory. Updatedrequirementstoreflectcurrentandemergingcoding vulnerabilitiesandsecurecodingguidelines.updatedtesting procedurestoclarifyhowthecodingtechniquesaddressthe vulnerabilities. Newrequirementforcodingpracticestoprotectagainstbroken authenticationandsessionmanagement. Effective'July'1,'2015 Increasedflexibilitybyspecifyingautomated'technical'solution'that' detects'and'prevents'webjbased'attacks'ratherthan webpapplication firewall. Addednotetoclarifythatthisassessmentisnotthesameas vulnerabilityscansrequiredat11.2. 
Evolving Requirement Evolving Requirement 7.1 7.1 7.1.1 7.1.1 7.1.2 PCI&DSS&Z&Requirement&7 Rewordedtestingproceduretoclarifywhatthepolicyincludes,based onchangestorequirements7.1.1through 7.1.4. New7.1.1tocoverdefinitionofaccessneedsforeachrole,tosupport requirements7.1.2through7.1.4. RefocusedrequirementonrestrictionofprivilegeduserIDstoleast privilegesnecessary,andenhancedtestingprocedures. VMWARE'PRODUCT'APPLICABILITY'GUIDE' 14' VMware,(Inc.3401HillviewAvenuePaloAltoCA94304USATel877P486P9273Fax650P427P5001www.vmware.com Copyright 2014VMware,Inc.Allrightsreserved.ThisproductisprotectedbyU.S.andinternationalcopyrightandintellectualpropertylaws. VMwareproductsarecoveredbyoneormorepatentslistedathttp://www.vmware.com/go/patents.VMwareisaregisteredtrademarkortrademark ofvmware,inc.intheunitedstatesand/orotherjurisdictions.allothermarksandnamesmentionedhereinmaybetrademarksoftheirrespective companies.
v2.0 7.1.2 -> v3.0 7.1.3: Refocused requirement on assignment of access based on individual's job classification and function.
v2.0 7.1.4 (removed): Removed former requirement 7.1.4 (covered in Requirement 7.2).

PCI DSS - Requirement 8

Requirement 8 - General: Title updated to reflect intent of the requirement (identify and authenticate all access to system components). Updated and reorganized requirements to provide a more holistic approach to user authentication and identification:
- Focused 8.1 on user identification
- Focused 8.2 on user authentication
- Updated requirements to consider methods of authentication other than passwords
- Changed "passwords" to "passwords/phrases" where requirement only applies to passwords/phrases
- Changed "passwords" to "authentication credentials" where requirement applies to any type of authentication credential
v2.0 8.5.6 -> v3.0 8.1.5: Clarified that password security requirements apply to accounts used by third party vendors. Clarified the requirement for remote vendor access applies to vendors who access, support or maintain system components, and that it should be disabled when not in use.
v2.0 8.4.2 -> v3.0 8.2.1: Clarified that strong cryptography must be used to render authentication credentials unreadable during transmission and storage.
v2.0 8.5.2 -> v3.0 8.2.2: Clarified that user identity must be verified before modifying authentication credentials, and added provisioning new tokens and generating new keys as examples of modifications.
v2.0 8.5.10, 8.5.11 -> v3.0 8.2.3: Combined minimum password complexity and strength requirements into single requirement, and increased flexibility for alternatives that meet the equivalent complexity and strength.
v2.0 8.3 -> v3.0 8.3: Clarified requirement for two-factor authentication applies to users, administrators, and all third parties, including vendor access for support or maintenance.
v2.0 8.5.7 -> v3.0 8.4: Enhanced requirement to include documenting and communicating guidance for how users should protect their authentication credentials, including password/phrase reuse and changing password/phrase if there is suspicion that it has been compromised. [Evolving Requirement]
v3.0 8.5.1 (new): New requirement for service providers with remote access to customer premises, to use unique authentication credentials for each customer. Effective July 1, 2015. [Evolving Requirement]
v3.0 8.6 (new): New requirement where other authentication mechanisms are used (for example, physical or logical security tokens, smart cards, certificates, etc.) that the mechanisms must be linked to an individual account and ensure only the intended user can gain access with that mechanism. [Evolving Requirement]
v2.0 8.5.16 -> v3.0 8.7: Aligned language between requirement and testing procedures for consistency.

PCI DSS - Requirement 9

v2.0 9.1.2 -> v3.0 9.1.2: Clarified intent of the requirement is to implement physical and/or logical access controls to protect publicly accessible network jacks.
v2.0 9.2.x -> v3.0 9.2.x: Clarified the intent of the requirement to identify, distinguish between, and grant access to onsite personnel and visitors, and that badges are just one option (they are not required).
v3.0 9.3 (new): New requirement to control physical access to sensitive areas for onsite personnel, including a process to authorize access, and revoke access immediately upon termination. [Evolving Requirement]
v2.0 9.3.x -> v3.0 9.4.x: Aligned language between requirement and testing procedures for consistency and to clarify that visitors must be escorted at all times, and that the audit trail of visitor activity must include access to the facility, computer room, and/or data center.
v2.0 9.5-9.10 -> v3.0 9.5-9.8: Former requirement 9.6 moved and renumbered to 9.5, and former requirement 9.5 renumbered as sub-requirement 9.5.1. Former requirement 9.7 renumbered to 9.6, and former requirement 9.8 renumbered as sub-requirement 9.6.3. Former requirement 9.9 renumbered to 9.7, and former requirement 9.10 renumbered to 9.8.
v3.0 9.9.x (new): New requirements to protect devices that capture payment card data via direct physical interaction with the card from tampering and substitution. Effective July 1, 2015. [Evolving Requirement]

PCI DSS - Requirement 10

v2.0 10.1 -> v3.0 10.1: Clarified that audit trails should be implemented to link access to system components to each individual user, rather than just establishing a process.
v2.0 10.2.1 -> v3.0 10.2.1: Clarified the intent is for all individual user access to cardholder data to be included in the audit trails.
v2.0 10.2.5 -> v3.0 10.2.5: Enhanced requirement to include changes to identification and authentication mechanisms (including creation of new accounts, elevation of privileges), and all changes, additions and deletions to accounts with root or administrative access. [Evolving Requirement]
v2.0 10.2.6 -> v3.0 10.2.6: Enhanced requirement to include stopping or pausing of the audit logs. [Evolving Requirement]
v2.0 10.6 -> v3.0 10.6.x: Clarified the intent of log reviews is to identify anomalies or suspicious activity, and provided more guidance about scope of daily log reviews. Also allowed more flexibility for review of security events and critical system logs daily and other log events periodically, as defined by the entity's risk management strategy.
PCI DSS - Requirement 11

v2.0 11.1.x -> v3.0 11.1.x: Enhanced requirement to include an inventory of authorized wireless access points and a business justification (11.1.1) to support scanning for unauthorized wireless devices, and added new requirement 11.1.2 to align with an already-existing testing procedure, for incident response procedures if unauthorized wireless access points are detected. [Evolving Requirement]
v2.0 11.2 -> v3.0 11.2: Added guidance on combining multiple scan reports in order to achieve and document a passing result. [Additional Guidance]
v2.0 11.2.1 -> v3.0 11.2.1: Clarified that quarterly internal vulnerability scans include rescans as needed until all "high" vulnerabilities (as identified by PCI DSS Requirement 6.1) are resolved, and must be performed by qualified personnel.
v2.0 11.2.2 -> v3.0 11.2.2: Clarified that external vulnerability scans include rescans as needed until passing scans are achieved, and added a note to refer to the ASV Program Guide.
v2.0 11.2.3 -> v3.0 11.2.3: Clarified that internal and external scans performed after significant changes include rescans as needed until all "high" vulnerabilities (as identified by PCI DSS Requirement 6.1) are resolved, and must be performed by qualified personnel.
v3.0 11.3 (new): New requirement to implement a methodology for penetration testing. Effective July 1, 2015. PCI DSS v2.0 requirements for penetration testing must be followed until v3.0 is in place. [Evolving Requirement]
v2.0 11.3 -> v3.0 11.3.1, 11.3.2: Split former requirement 11.3 into 11.3.1 for external penetration testing requirements and 11.3.2 for internal penetration testing requirements.
v2.0 11.3 -> v3.0 11.3.3: New requirement created from former testing procedure (11.3.b) to correct exploitable vulnerabilities found during penetration testing and repeat testing to verify corrections.
v3.0 11.3.4 (new): New requirement, if segmentation is used to isolate the CDE from other networks, to perform penetration tests to verify that the segmentation methods are operational and effective. [Evolving Requirement]
v2.0 11.4 -> v3.0 11.4: Increased flexibility by specifying intrusion-detection and/or intrusion-prevention techniques to detect and/or prevent intrusions in the network rather than "intrusion-detection systems and/or intrusion-prevention systems".
v2.0 11.5 -> v3.0 11.5: Increased flexibility by specifying change-detection mechanism rather than "file-integrity monitoring".
v3.0 11.5.1 (new): New requirement to implement a process to respond to any alerts generated by the change-detection mechanism (supports 11.5). [Evolving Requirement]
PCI DSS - Requirement 12

v2.0 12.1.1, 12.2 -> v3.0 1.5, 2.5, 3.7, 4.3, 5.4, 6.7, 7.3, 8.8, 9.10, 10.8, 11.6: Combined former requirements at 12.1.1 (for the information security policy to address all PCI DSS requirements) and 12.2 (for operational security procedures), and moved them into Requirements 1 through 11, as a requirement in each.
v2.0 12.1.3 -> v3.0 12.1.1: Moved former requirement 12.1.3 to 12.1.1.
v2.0 12.1.2 -> v3.0 12.2: Moved former requirement 12.1.2 for an annual risk assessment process to 12.2, and clarified that the risk assessment should be performed at least annually and after significant changes to the environment. [Evolving Requirement]
v2.0 12.3.4 -> v3.0 12.3.4: Clarified that "labeling" is an example of a method to be used.
v2.0 12.3.8 -> v3.0 12.3.8: New testing procedure to verify policy is implemented for disconnecting remote access sessions after a specific period of inactivity.
v2.0 12.3.10 -> v3.0 12.3.10: Aligned language between requirement and testing procedures to clarify that, where there is an authorized business need for personnel to access cardholder data via remote-access technologies, the data must be protected in accordance with all applicable PCI DSS Requirements.
v2.0 12.8 -> v3.0 12.8: Clarified intent to implement and maintain policies and procedures to manage service providers with which cardholder data is shared, or that could affect the security of cardholder data.
v2.0 12.8.2 -> v3.0 12.8.2: Clarified the applicable responsibilities for the service provider's written agreement/acknowledgement.
v3.0 12.8.5 (new): New requirement to maintain information about which PCI DSS requirements are managed by each service provider, and which are managed by the entity. [Evolving Requirement]
v3.0 12.9 (new): New requirement for service providers to provide the written agreement/acknowledgment to their customers as specified at requirement 12.8. Effective July 1, 2015. [Evolving Requirement]
v2.0 12.9.x -> v3.0 12.10.x: Renumbered requirement and updated 12.10.5 to clarify the intent is for alerts from security monitoring systems to be included in the incident response plan.
Cloud Computing

Cloud computing and virtualization have continued to grow significantly every year. There is a rush to move applications and even whole data centers to the "cloud", although few people can succinctly define the term "cloud computing". There are a variety of different frameworks available to define the cloud, and their definitions are important as they serve as the basis for making business, security, and audit determinations. VMware defines cloud or utility computing as the following (http://www.vmware.com/solutions/cloud-computing/public-cloud/faqs.html):

"Cloud computing is an approach to computing that leverages the efficient pooling of on-demand, self-managed virtual infrastructure, consumed as a service. Sometimes known as utility computing, clouds provide a set of typically virtualized computers which can provide users with the ability to start and stop servers or use compute cycles only when needed, often paying only upon usage."

Figure 5: Cloud Computing

There are commonly accepted definitions for the cloud computing deployment models and there are several generally accepted service models. These definitions are listed below:

Private Cloud - The cloud infrastructure is operated solely for an organization and may be managed by the organization or a third party. The cloud infrastructure may be on-premise or off-premise.

Public Cloud - The cloud infrastructure is made available to the general public or to a large industry group and is owned by an organization that sells cloud services.
Hybrid Cloud - The cloud infrastructure is a composition of two or more clouds (private and public) that remain unique entities, but are bound together by standardized technology. This enables data and application portability; for example, cloud bursting for load balancing between clouds. With a hybrid cloud, an organization gets the best of both worlds, gaining the ability to burst into the public cloud when needed while maintaining critical assets on-premise.

Community Cloud - The cloud infrastructure is shared by several organizations and supports a specific community that has shared concerns (for example, mission, security requirements, policy, and compliance considerations). It may be managed by the organizations or a third party, and may exist on-premise or off-premise.

To learn more about VMware's approach to cloud computing, review the following:
- VMware Cloud Computing Overview
- VMware's vCloud Architecture Toolkit

When an organization is considering the potential impact of cloud computing to their highly regulated and critical applications, they may want to start by asking:
- Is the architecture a true cloud environment (does it meet the definition of cloud)?
- What service model is used for the cardholder data environment (SaaS, PaaS, IaaS)?
- What deployment model will be adopted?
- Is the cloud platform a trusted platform?

The last point is critical when considering moving highly regulated applications to a cloud platform. PCI does not endorse or prohibit any specific service and deployment model. The appropriate choice of service and deployment models should be driven by customer requirements, and the customer's choice should include a cloud solution that is implemented using a trusted platform.

VMware is the market leader in virtualization, the key enabling technology for cloud computing. VMware's vCloud Suite is the trusted cloud platform that customers use to realize the many benefits of cloud computing, including safely deploying business critical applications.

If you are an organization or partner that is interested in more information on the VMware Compliance Program, please email us at compliance-solutions@vmware.com.
Where to Start - Considerations for Management, IT and Auditors

Migrating a traditional IT infrastructure to a virtual or cloud environment has a significant impact on an organization that extends beyond information technology. Security and compliance continue to remain top concerns for management, IT departments, and auditors. All three areas should be represented and engaged for any IT virtualization or cloud projects to confirm that business, IT operations, and compliance teams carefully consider the benefits and risks. The move to cloud and virtual environments has many technical considerations, but it should also be a business decision. Organizations should review the benefits and risks of their current environment and compare them to the different cloud deployment models and service models.

The following questions may be important when considering the potential business impact, benefits, and risks of a virtual and/or cloud environment.

Management/Business Considerations
1. Can the Cloud be a strategic differentiator for the business or is it a commodity service?
2. How are competitors or partners leveraging Cloud and virtualization?
3. What is the business value that Cloud could deliver to Operations?
4. What is the strategic value that Cloud could deliver to the Company?
5. Is the IT Budget expanding or contracting?
6. What are the areas where Cloud can provide additional value to the company?
7. Are there efforts to consolidate IT functions that can be addressed with Cloud?
8. What are the critical IT services that are or could be outsourced?

IT Considerations
1. How do IT operational processes address & support the company's strategic and operational goals?
2. What manual processes are in place that can be automated?
3. What are the skills and capabilities of the IT Department?
4. Have there been any previous attempts to virtualize or outsource critical operations?
5. Which IT initiatives currently underway could affect the scope of the Cardholder Data Environment?
6. How are encryption and tokenization currently used to limit risk?
7. How is sensitive data currently classified (i.e., do you know where all your PCI data resides)?
8. Are there secondary systems that might have credit card data (accounting, marketing)?
9. How have security and compliance affected IT Operations?

Audit Considerations
1. What prior experience does the auditor have with virtual environments (Qualified Security Assessor (QSA) or Internal Security Assessor (ISA))?
2. Has the QSA or ISA successfully assessed PCI environments in the cloud or virtual areas?
3. What certifications do they have in VMware products or solutions?
4. How many individuals that are part of the assessment team have experience with VMware?
5. What thought leadership and guidance has the QSA/ISA published?
6. What are the risks and mitigation techniques the QSA/ISA believes are appropriate for multi-tenancy or mixed-mode environments?
7. How long have they been working with VMware architectures?
8. Have they been involved with the PCI Special Interest Group or other PCI communities?
9. What references do they have for conducting similar assessments?
10. Is the QSA/ISA assigned to the audit engagement company knowledgeable about the basic components, systems, and software in a VMware cloud?
Guidance from the Payment Card Industry Security Standards Council

The PCI SSC has issued several documents that provide guidance for interpreting the Data Security Standard and implementing compliant virtual and Cloud environments. VMware has extracted several paragraphs from these documents that highlight some of the critical requirements/guidance that organizations are required to address as part of their deployments. VMware has also provided information regarding how VMware tools are designed to help organizations address these controls.

Sources cited in Table 2:
PCI DSS - Payment Card Industry Data Security Standard v3.0, November 2013
NAV - Navigating PCI DSS version 2.0, October 2010
SUP - PCI DSS Virtualization Guidelines, June 2011

Table 2: PCI Guidance (columns: Source, Page, PCI Guidance, VMware Solutions)

Source: PCI DSS, page 10
PCI Guidance: The PCI DSS security requirements apply to all system components. In the context of PCI DSS, "system components" are defined as any network component, server, or application that is included in or connected to the cardholder data environment. "System components" also include any virtualization components such as virtual machines, virtual switches/routers, virtual appliances, virtual applications/desktops, and hypervisors.
VMware Solutions: In a VMware environment there are many system components, which should be considered as part of the virtual environment beyond the physical components (ESXi hosts, SANs, network devices). These include vCenter Servers, vCenter Databases, VUM, virtual switches, etc. It is important to consider all the virtual components that are installed and support the VMware environment.

Source: PCI DSS, page 11
PCI Guidance: Network segmentation of, or isolating (segmenting), the cardholder data environment from the remainder of an entity's network is not a PCI DSS requirement. However, it is strongly recommended.
VMware Solutions: VMware strongly recommends that organizations implement segmentation in order to separate the cardholder data environment (CDE) from the non-CDE.

Source: PCI DSS, page 11
PCI Guidance: Network segmentation can be achieved through a number of physical or logical means, such as properly configured internal network firewalls, routers with strong access control lists, or other technologies that restrict access to a particular segment of a network.
VMware Solutions: PCI DSS 3.0 includes additional guidance with regard to segmentation and the concept of isolation. When properly implemented, VMware's products can support the control requirement for segmentation in multi-tenant, mixed-mode environments.

Source: PCI DSS, page 11
PCI Guidance: At a high level, adequate network segmentation isolates systems that store, process, or transmit cardholder data from those that do not. However, the adequacy of a specific implementation of network segmentation is highly variable and dependent upon a number of factors, such as a given network's configuration, the technologies deployed, and other controls that may be implemented.
VMware Solutions: VMware recommends that organizations leverage vCloud Networking and Security App and Edge Gateway in order to implement network segmentation in a cloud environment. App can be used to properly segment virtual machines from each other. Edge Gateway can be used to provide an additional layer of protection by isolating the private cloud network from an untrusted outside network.
Source: PCI DSS, page 13
PCI Guidance: To ensure security controls continue to be properly implemented, PCI DSS should be implemented into business-as-usual (BAU) activities as part of an entity's overall security strategy. This enables an entity to monitor the effectiveness of their security controls on an ongoing basis, and maintain their PCI DSS compliant environment in between PCI DSS assessments.
VMware Solutions: VMware products provide a number of ways to either directly integrate (software/devops) or otherwise support the management of PCI DSS requirements in a business-as-usual fashion.

Source: PCI DSS, page 31
PCI Guidance: Requirement 2.2.1 Implement only one primary function per server to prevent functions that require different security levels from co-existing on the same server. (For example, web servers, database servers, and DNS should be implemented on separate servers.) Note: Where virtualization technologies are in use, implement only one primary function per virtual system component.
VMware Solutions: PCI DSS 3.0 clarifies that multiple virtual machines of different functions can reside on the same physical hardware.

Source: PCI DSS, page 33
PCI Guidance: One of the new PCI DSS 3.0 requirements is to maintain a formal inventory of all in-scope system components.
VMware Solutions: VMware products offer several options for maintaining a near-time inventory of all system components running within the virtual infrastructure.

Source: NAV, page 4
PCI Guidance: Qualified Security Assessor (QSA) can assist in determining scope within an entity's cardholder data environment along with providing guidance about how to narrow the scope of a PCI DSS assessment by implementing proper network segmentation.
VMware Solutions: If an organization plans to use a QSA, VMware recommends they engage the QSA during the design phase. This ensures that the assessor and the organization are aligned to the risks and technologies deployed. VMware recommends that organizations work with assessors that are familiar with the technology, and organizations should have dedicated specialists that understand both the PCI requirements and VMware capabilities.

Source: NAV, page 5
PCI Guidance: All components within the virtual environment will need to be identified and considered in scope for the review, including the individual virtual hosts or devices, guest machines, applications, management interfaces, central management consoles, hypervisors, etc.
VMware Solutions: Several features are embedded into VMware's products to identify the hosts, virtual machines, components, databases, and communication paths of the cloud environment.

Source: NAV, page 5
PCI Guidance: The implementation of a virtualized environment must meet the intent of all requirements, such that the virtualized systems can effectively be regarded as separate hardware.
VMware Solutions: When implementing a VMware environment, organizations should ask what risks other hosts and virtual components present to the CDE. In addition to supporting the proper segmentation of the production systems, organizations should review backup, disaster recovery, and storage systems with a view to properly protecting that cardholder data in the cloud.

Source: NAV, page 12
PCI Guidance: (Guidance for Requirement 1.1.2) Network and data flow diagrams should include virtual system components and document intra-host data flows.
VMware Solutions: vCloud Networking and Security App provides solutions to monitor and control intra-host communication of a cloud environment. Organizations should strive to properly map the cloud management infrastructure as well as the intra-host communication paths, particularly for virtual machines that are within a common VLAN.

Source: NAV, page 18
PCI Guidance: Where virtualization technologies are used, each virtual component (e.g. virtual machine, virtual switch, virtual security appliance, etc.) should be considered a "server" boundary. Individual hypervisors may support different functions, but a single virtual machine should adhere to the "one primary function" rule.
VMware Solutions: PCI DSS 3.0 clarifies that multiple virtual machines of different functions can reside on the same physical hardware. If different security zones (such as DMZs and Internal Networks) reside on shared hypervisors, each virtual server should still meet the "one primary function" rule and be logically separated from virtual servers of different functions. For example, vCloud Networking and Security App can be used to create a DMZ segmenting a virtual web server from a virtual database server.

Source: SUP, page 3
PCI Guidance: There are four simple principles associated with the use of virtualization in cardholder data environments:
a. If virtualization technologies are used in a cardholder data environment, PCI DSS requirements apply to those virtualization technologies.
b. Virtualization technology introduces new risks that may not be relevant to other technologies, and that must be assessed when adopting virtualization in cardholder data environments.
c. Implementations of virtual technologies can vary greatly, and entities will need to perform a thorough discovery to identify and document the unique characteristics of their particular virtualized implementation, including all interactions with payment transaction processes and payment card data.
d. There is no one-size-fits-all method or solution to configure virtualized environments to meet PCI DSS requirements. Specific controls and procedures will vary for each environment, according to how virtualization is used and implemented.
VMware Solutions: VMware has embraced the guidance from the PCI SSC and is actively publishing product guidance aligned to the core principles and intent of the PCI DSS and applicable information supplements. VMware understands that every cloud and every implementation is unique, and has provided implementation procedures, hardening documents, and compliance frameworks to help organizations properly evaluate the risks and benefits of PCI clouds. When properly deployed, VMware's solutions confirm that multi-tenant, mixed-mode clouds can be compliant with the standards of today and tomorrow.

Source: SUP, pages 7, 8
PCI Guidance: Scope Guidance: If any virtual component connected to (or hosted on) the hypervisor is in scope for PCI DSS, the hypervisor itself will always be in scope. Virtual appliances used to connect or provide services to in-scope system components or networks would be considered in-scope. Any VSA/SVA that could impact the security of the CDE would also be considered in scope.
VMware Solutions: In order to maximize the benefits and features of the vSphere, App and cloud architectures, VMware recommends that the entire vSphere architecture (including ESXi hosts, vSwitches, and vCenter servers and databases) be considered in scope and properly protected for most environments. If host or management components (such as vCenter) are not included, organizations must ensure that they do not have access to virtual components within the CDE and do not have any connectivity into the CDE.
Source: SUP, page 8
PCI Guidance: Networks provisioned on a hypervisor-based virtual switch will be in scope if provisioned with an in-scope component or if they provide services or connect to an in-scope component. Physical devices hosting virtual switches or routers would be considered in scope if any of the hosted components connects to an in-scope network.
VMware Solutions: Organizations should confirm that any time cardholder data flows through vSwitches or virtual distributed switches that such data is properly documented and segmented. This often includes pairing hypervisor-based virtual switches with specialized physical core switches and routers, which are designed for the VMware infrastructure. vCloud Networking and Security App can help organizations manage the network segmentation by providing control at the virtual switch level.

Source: SUP, page 9
PCI Guidance: The use of cloud computing presents a number of scoping challenges and considerations. Entities planning to use cloud computing for their PCI DSS environments should first ensure that they thoroughly understand the details of the services being offered, and perform a detailed assessment of the unique risks associated with each service. Additionally, as with any managed service, it is crucial that the hosted entity and provider clearly define and document the responsibilities assigned to each party for maintaining PCI DSS requirements and any other controls that could impact the security of cardholder data.
VMware Solutions: Every cloud is different based on the technology deployed and the business processes utilized. VMware's cloud provides a robust set of suites and features that helps automate and provide transparency of controls within the Cloud. If an organization is going to act as a provider of cloud services to other merchants or service providers, the Cloud provider should be specific on what services are in PCI scope, how they have been validated to be effective, and what controls are specifically not in scope with respect to their solution.

Source: SUP, page 9
PCI Guidance: The cloud provider should clearly identify which PCI DSS requirements, system components, and services are covered by the cloud provider's PCI DSS compliance program. Any aspects of the service not covered by the cloud provider should be identified, and it should be clearly documented in the service agreement that these aspects, system components, and PCI DSS requirements are the responsibility of the hosted entity to manage and assess. The cloud provider should provide sufficient evidence and assurance that all processes and components under their control are PCI DSS compliant.
VMware Solutions: VMware recommends that organizations establish a "PCI Requirements Matrix" or similar document to clearly communicate the extent of services a cloud provider offers and include details regarding the scope, controls, and validation, which has been performed to confirm that the Cloud Provider's controls are sufficient.

Source: SUP, page 10
PCI Guidance: A key risk factor unique to virtual environments is the hypervisor; if this is compromised or not properly configured, all VMs hosted on that hypervisor are potentially at risk. The hypervisor provides a single point of access into the virtual environment and is also potentially a single point of failure. Misconfigured hypervisors could result in a single point of compromise for the security of all hosted components.
VMware Solutions: VMware provides extensive product guidance to establish that virtual components and hypervisors are fully patched and configured appropriately. The combination of vCenter, VUM, and VCM help track and enforce the patching and security configuration of critical components in the VMware Cloud.

Source: SUP, page 12
PCI Guidance: Inactive VMs containing payment card data can become unknown, unsecured data stores, which are often only rediscovered in the event of a data breach. Because dormant VMs are not actively used, they can easily be overlooked and inadvertently left out of security procedures.
VMware Solutions: A VM is simply a set of software files, which are executed when run in the context of a hypervisor. Tools such as VCM can be used to monitor and update dormant VMs, providing better than physical patching and signature updates for virtual components when properly implemented.

Source: SUP, page 13
PCI Guidance: Specialized tools for monitoring and logging virtual environments may be needed to capture the level of detail required from the multiple components, including hypervisors, management interfaces, virtual machines, host systems, and virtual appliances.

Source: SUP, pages 11, 20
PCI Guidance: The risk of hosting VMs of different trust levels on the same host needs to be carefully assessed. In the virtual context, a VM of lower trust will typically have lesser security controls than VMs of higher trust levels. The lower-trust VM could therefore be easier to compromise, potentially providing a stepping-stone to the higher-risk, more sensitive VMs on the same system. It is strongly recommended (and a basic security principle) that VMs of different security levels not be hosted on the same hypervisor or physical host; the primary concern being that a VM with lower security requirements will have lesser security controls, and could be used to launch an attack or provide access to more sensitive VMs on the same system.

Source: SUP, page 20
PCI Guidance: As a general rule, any VM or other virtual component that is hosted on the same hardware or hypervisor as an in-scope component would also be in scope for PCI DSS, as both the hypervisor and underlying host provide a connection (either physical, logical, or both) between the virtual components, and it may not be possible to achieve an appropriate level of isolation, or segmentation, between in-scope and out-of-scope components located on the same host or hypervisor.

Source: SUP, page 21
PCI Guidance: In order for in-scope and out-of-scope VMs to co-exist on the same host or hypervisor, the VMs must be isolated from each other such that they can effectively be regarded as separate hardware on different network segments with no connectivity to each other. Any system components shared by the VMs, including the hypervisor and underlying host system, must therefore not provide an access path between the VMs.
VMwarehasanextensivesetoffeaturesformanagement, monitoring,andlogging.inaddition,severalapi sand featureshavebeenimplementedwhichallowcriticalsystem files,logs,andaccesscontrolmechanismstobecentrally monitoredandcorrelatedwithindustryleadingsiem solutions. ThearchitectureofVMware shypervisor,esxi,significantly limitstheattackprofilecomparedtocompetitivehypervisor offerings.thedesignprovidesmoresecuritycontroland significantlyreducestheriskthatnonpci]compliancevm s posetothecardholderdataenvironment. Inaddition,segmentationofdifferenttrustlevelsonthe samehostisreadilyaccomplishedusingvirtualdistributed SwitchandvCloudNetworkingandSecurityApp.VDS, vcloudnetworkingandsecurityedgegatewayandvcloud NetworkingandSecurityAppenablecreationofrulesto controltrafficflowswithinthevirtualenvironment. Similartoalltechnology,asvirtualizationandcloud computinghaveevolvedsohastheabilitytoprovideproper levelsofisolation. Segmentationofdifferenttrustlevelsonthesamehostis readilyaccomplishedusingvirtualdistributedswitchand vcloudnetworkingandsecurityapp.inadditionvds, vcloudnetworkingandsecurityedgegatewayandapp enablecreationofrulestocontroltrafficflowswithinthe virtualenvironment. Organizationscanuseorchestrationprocessesorvirtual profilestoconfirmthatanyprovisionedhostsand/orvirtual componentsarelockeddownanddonothaveany unnecessaryconnectivity.vcmcanbeusedtoidentify misconfigurationsofrunningandofflinemachines. Segmentationofdifferenttrustlevelsonthesamehostis VMWARE'PRODUCT'APPLICABILITY'GUIDE'28' VMware,(Inc.3401HillviewAvenuePaloAltoCA94304USATel877]486]9273Fax650]427]5001www.vmware.com Copyright 2011VMware,Inc.Allrightsreserved.ThisproductisprotectedbyU.S.andinternationalcopyrightandintellectualpropertylaws.VMwareproductsarecoveredbyoneormorepatentslistedathttp://www.vmware.com/go/patents.VMwareisaregisteredtrademarkortrademarkofVMware,Inc.inthe UnitedStatesand/orotherjurisdictions.Allothermarksandnamesmentionedhereinmaybetrademarksoftheirrespectivecompanies.
VMwareProductApplicabilityGuideforPaymentCardIndustry(PCI) SOURCE PAGE PCIGUIDANCE VMWARESOLUTIONS SUP 21 Allexistingout]of]bandchannelsshouldbeidentifiedand documented whethertheyareactivelyusedornot and appropriatecontrolsimplementedtoisolateworkloadsandvirtual components. readilyaccomplishedusingvirtualdistributedswitch(vds) andvcloudnetworkingandsecurityapp.inadditionvds, vcloudnetworkingandsecurityedgegatewayandapp enablecreationofrulestocontroltrafficflowswithinthe virtualenvironment. IntheESXiarchitecture,manyoutofbandchannelshave beeneliminatedtoreducethecomplexityandrisktothe hypervisor.vmwarehasalsoprovidedfeaturesthatenable managementprocessestoflowthroughcentralizedpoints (suchasvcenter)thatcanbeusedtocontrolaccess, logging,andmonitoringfunctions.organizationscanalso limittheimpactofout]of]bandchannelsbyimplementing policiestoreducetherisk(suchasprohibitingdirty snapshotsandenablingsnapshotstoonlybemaintainedfor abriefperiodoftime). VMWARE'PRODUCT'APPLICABILITY'GUIDE'29' VMware,(Inc.3401HillviewAvenuePaloAltoCA94304USATel877]486]9273Fax650]427]5001www.vmware.com Copyright 2011VMware,Inc.Allrightsreserved.ThisproductisprotectedbyU.S.andinternationalcopyrightandintellectualpropertylaws.VMwareproductsarecoveredbyoneormorepatentslistedathttp://www.vmware.com/go/patents.VMwareisaregisteredtrademarkortrademarkofVMware,Inc.inthe UnitedStatesand/orotherjurisdictions.Allothermarksandnamesmentionedhereinmaybetrademarksoftheirrespectivecompanies.
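To make the scoping rules quoted above (SUP 8, 20 and 21) concrete, the following is an added worked example, not part of the VMware guide or the PCI SSC supplement: it propagates PCI DSS scope through a constructed vSphere-style inventory of hosts, VMs and port groups, records why each VM was pulled in, and shows how the result shrinks once a host's isolation has been validated. The inventory names, the VM/Inventory types and the "validated isolation" flag are assumptions for illustration.

```python
"""Propagate PCI DSS scope through a virtualized inventory.

Added example: encodes the scoping rules quoted from the PCI SSC
Virtualization Guidelines (SUP pages 8, 20 and 21) as a fixed-point
computation over a constructed vSphere-style inventory.  Names, types and
the 'validated isolation' flag are illustrative assumptions, not a VMware
or PCI SSC artifact.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Tuple


@dataclass(frozen=True)
class VM:
    name: str
    host: str                      # ESXi host the VM runs on
    networks: FrozenSet[str]       # port groups / VLANs the vNICs attach to


@dataclass(frozen=True)
class Inventory:
    vms: Dict[str, VM]
    # Hosts where in-scope and out-of-scope VMs have been validated as
    # isolated "as if on separate hardware" (SUP 21).  Without this flag,
    # SUP 20 pulls every co-hosted VM into scope.
    isolated_hosts: FrozenSet[str]


def propagate_scope(inv: Inventory, seeds: FrozenSet[str]
                    ) -> Tuple[Dict[str, str], FrozenSet[str], FrozenSet[str]]:
    """Return (vm -> reason it is in scope, in-scope networks, in-scope hosts).

    Rules applied until nothing changes:
      * SUP 8: a virtual network is in scope if an in-scope VM is attached;
        a VM attached to an in-scope network connects to it and is in scope.
      * SUP 8: a host is in scope if any hosted VM connects to an in-scope network.
      * SUP 20: every VM on an in-scope host is in scope, unless the host is
        in inv.isolated_hosts (SUP 21 isolation validated).
    """
    reasons = {vm: "stores, processes or transmits cardholder data (seed)" for vm in seeds}
    nets, hosts = set(), set()
    changed = True
    while changed:
        changed = False
        for name in list(reasons):                       # networks of in-scope VMs
            for net in inv.vms[name].networks:
                if net not in nets:
                    nets.add(net)
                    changed = True
        for name, vm in inv.vms.items():                 # VMs/hosts touching those networks
            hit = vm.networks & nets
            if not hit:
                continue
            if vm.host not in hosts:
                hosts.add(vm.host)
                changed = True
            if name not in reasons:
                reasons[name] = "attached to in-scope network " + min(hit)
                changed = True
        for name, vm in inv.vms.items():                 # co-hosting without isolation
            if (name not in reasons and vm.host in hosts
                    and vm.host not in inv.isolated_hosts):
                reasons[name] = "co-hosted on in-scope host %s without validated isolation" % vm.host
                changed = True
    return reasons, frozenset(nets), frozenset(hosts)


def sample_inventory(isolated_hosts: FrozenSet[str]) -> Inventory:
    """Constructed sample: four ESXi hosts, one CDE database seeding scope."""
    vms = [
        VM("pos-db",     "esx-01", frozenset({"pg-cde"})),
        VM("web-portal", "esx-01", frozenset({"pg-dmz"})),
        VM("hr-app",     "esx-02", frozenset({"pg-corp"})),
        VM("cde-jump",   "esx-02", frozenset({"pg-cde", "pg-mgmt"})),
        VM("pos-app",    "esx-03", frozenset({"pg-cde"})),
        VM("dev-box",    "esx-03", frozenset({"pg-dev"})),
        VM("marketing",  "esx-04", frozenset({"pg-corp"})),
    ]
    return Inventory({vm.name: vm for vm in vms}, isolated_hosts)


SEEDS = frozenset({"pos-db"})

if __name__ == "__main__":
    for label, isolated in [("isolation validated only on esx-03", frozenset({"esx-03"})),
                            ("isolation validated on esx-01/02/03",
                             frozenset({"esx-01", "esx-02", "esx-03"}))]:
        reasons, nets, hosts = propagate_scope(sample_inventory(isolated), SEEDS)
        print("== %s: %d VMs, %d networks, %d hosts in scope"
              % (label, len(reasons), len(nets), len(hosts)))
        for vm, why in sorted(reasons.items()):
            print("  %-11s %s" % (vm, why))
```

In the first run a single CDE database drags six of seven VMs and all four hosts into scope through shared hosts and the corporate port group; validating isolation on the shared hosts leaves only the three VMs that actually touch the CDE networks.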
PCI Compliance Stack

VMware provides an extensive suite of products designed to help organizations support security and compliance needs. While every environment has unique needs, the following PCI Compliance Stack provides a comprehensive mix of VMware solutions with features that are designed to assist with PCI compliance. The solutions' collective functionality, features, and specific PCI DSS requirements are addressed in detail in the following sections. The solutions are grouped into focus areas that map to "layers" or compartments of functionality within the VMware products and suites. It is not the intent of this document to express what is available in specific VMware products and suites, although some of the solution areas may represent certain VMware product suites. The most current information regarding VMware product suites and the inclusion of products and capabilities within each version is always available on vmware.com.

Solution Area: vCloud Infrastructure
Key Products: ESXi, vSphere, vShield Endpoint, vCenter Server and vCloud Director

Solution Area: vCloud Networking and Security
Key Products: vCloud Networking and Security App, vCloud Networking and Security Data Security, vCloud Networking and Security Edge Gateway, vCloud Networking and Security Manager

Solution Area: NSX
Key Products: NSX Edge, NSX Firewall, NSX Router, NSX Load Balancer, NSX Service Composer

Solution Area: Infrastructure Management
Key Products: vCenter Operations Manager, vCenter Configuration Manager, vCenter Infrastructure Navigator, vCenter Orchestrator, vCenter Update Manager, vCloud Automation Center, Log Insight

Solution Area: End User Computing
Key Products: Horizon View, ThinApp, Horizon Workspace

Figure 6: VMware Software Defined Data Center Products
Figure 7: VMware End User Computing

VMware PCI Requirements Matrix (Overview)

VMware has created a PCI Requirements Matrix to assist organizations with an understanding of VMware solutions, VMware Partner Solutions (where they overlap), and the remaining customer responsibilities that must be addressed separately by the customer through use of other tools or processes. While every cloud is unique, VMware believes that the vast majority of PCI DSS requirements can be addressed through the VMware suites and/or VMware partner solutions.

The following diagram shows an example of a cloud environment that has been deployed using the VMware PCI suites and VMware partner products.

The remaining gaps in addressing PCI requirements may be filled by the customer through other tools (i.e. approving customers' policies, keeping an updated network diagram, approving changes, etc.).

Figure 8: Aggregate PCI Applicability of VMware & Technology Partner Products
Table 3: PCI DSS Requirement

PCI DSS Requirement | # of PCI assessment tests | Tests addressed in VMware's suites | Tests addressed or enhanced by partners | Tests not addressed by VMware or partners
Requirement 1: Install and maintain a firewall configuration to protect cardholder data | 20 | 17 | 23 | 3
Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters | 12 | 10 | 22 | 2
Requirement 3: Protect stored cardholder data | 22 | 7 | 29 | 15
Requirement 4: Encrypt transmission of cardholder data across open, public networks | 4 | 2 | 9 | 2
Requirement 5: Protect all systems against malware and regularly update anti-virus software or programs | 6 | 4 | 6 | 2
Requirement 6: Develop and maintain secure systems and applications | 28 | 15 | 30 | 13
Requirement 7: Restrict access to cardholder data by business need to know | 9 | 8 | 7 | 1
Requirement 8: Identify and authenticate access to system components | 22 | 15 | 30 | 7
Requirement 9: Restrict physical access to cardholder data | 25 | 0 | 0 | 25
Requirement 10: Track and monitor all access to network resources and cardholder data | 28 | 24 | 27 | 4
Requirement 11: Regularly test security systems and processes | 15 | 2 | 16 | 13
Requirement 12: Maintain a policy that addresses information security for all personnel | 40 | 0 | 4 | 40
Requirement A.1: Shared hosting providers must protect the cardholder data environment | 5 | 3 | 7 | 2
TOTAL | 236 | 107 | 210 | 129

Note: Control totals do not add up to 409 due to overlapping features of VMware products and partner products.
VMware PCI Requirements Matrix (By Product Family)

vCloud Infrastructure

For the purposes of this VMware Product Applicability Guide for PCI, the Cloud Infrastructure product family includes products used to deliver the core building blocks for a cloud computing environment. The fundamental building blocks for the software defined data center (SDDC) are provided by vSphere (ESXi, vCenter Server). vSphere provides the foundation of the virtual architecture, allowing for the optimization of hardware IT assets. vCloud Director extends the foundation of the vSphere virtual architecture by enabling organizations to build secure clouds and optimizing security and compliance in private, multi-tenant, mixed-mode and hybrid cloud models. As vCloud Director leverages the vSphere architecture, the vSphere components integrate to create a single cloud infrastructure that can be optimized for security and compliance considerations. While vSphere and vCloud Director encompass many features for storage, business continuity, and automation, for the purposes of this guide the critical components that apply to PCI for cloud infrastructure include the following:

ESXi: ESXi is a type 1 hypervisor (bare metal) that is the fundamental building block for virtualizing physical compute resources for cloud computing models. ESXi servers are clustered within the vSphere construct, which offers many features such as load balancing and high availability. The ESXi kernel has a small footprint, no service console and can limit communication to vCenter access only.

vShield Endpoint: With integration of other 3rd party endpoint solutions (such as anti-virus), vShield Endpoint improves the performance by offloading key antivirus and anti-malware functions to a secured virtual machine and eliminating the antivirus agent footprint and scanning overhead in virtual machines.

vCenter Server: vCenter Server is a server (virtual or physical) that provides unified management for the entire virtual infrastructure and unlocks many key vSphere capabilities. vCenter Server can manage thousands of virtual machines across multiple locations and streamlines administration with features such as rapid provisioning and automated policy enforcement.

vCloud Director (vCD): vCD pools data center resources including compute, storage and network, along with their relevant policies, into virtual data centers. Fully encapsulated multi-tier virtual machine services are delivered as vApps, using the Open Virtualization Format (OVF). End users and their associated policies are captured in organizations. With programmatic and policy-based pooling of infrastructure, users and services, VMware vCloud Director enforces policies, which enable PCI data to be securely protected, and new virtual machines and applications to be securely provisioned and maintained.
The following product matrix explains which PCI controls are applicable to a VMware vCloud Infrastructure and how it may help to enable PCI requirements. It also explains how vCloud Suite products may assist in meeting PCI requirements.

Table 4: Applicability of PCI DSS v3.0 Controls to vCloud Infrastructure

PCI DSS V3.0 APPLICABILITY MATRIX
REQUIREMENT | CONTROLS ADDRESSED | DESCRIPTION

Segmentation: Though technically not a requirement, segmentation provides a means to reduce the PCI environment and is strongly recommended.
Controls addressed: N/A
Description: The VMware vCloud Infrastructure can be configured to limit access to the Cardholder Data Environment (CDE) through a variety of ways. By providing a centralized interface, vSphere Client and vCenter servers can reduce the CDE by minimizing the network management and limiting access to critical components in the CDE. Controlling and limiting the access and administrative abilities for users managing a vCloud environment reduces PCI scope. This helps to provide the transparency of data flows, network communication, and configuration settings for critical components within the CDE. vCloud Director and vCenter Server can be used to demonstrate the scope that is being enforced by analyzing and reporting data flows between various components and network devices (such as relationships between databases, virtual appliances, VMs, hosts, etc). The ESXi host is a type 1 hypervisor (bare metal) that limits the attack vectors. By reducing the complexities of the hypervisor, companies and their auditors can better understand the risks to virtual environments. For example, the vSphere environment allows users to lock down each ESXi server so that it can only be accessed via the vCenter Server.

Requirement 1: Install and maintain a firewall configuration to protect cardholder data
Controls addressed: 1.1.2.a, 1.1.2.b, 1.1.3, 1.2.1.a, 1.2.1.b, 1.2.1.c, 1.4.a, 1.4.b
Description: The vCloud environment enforces a centralized process through the vCenter Server that can be used to enforce formal processes for making changes to the network. vCenter Server, along with the ESXi host, establishes and enforces communication between the virtual machines at layer 2. The vSphere architecture takes many functions normally handled by physical switching appliances and establishes virtual switches, distributed virtual switches (VDS), port groups, VLANs, management interfaces, etc. The vCloud and vSphere architectures allow administrators to establish formal processes for approving network changes and provide maps and data flows that allow for greater visibility into the relationships between ESXi hosts, storage, virtual machines, virtual switches, virtual appliances, and vApps. The integration of the vCloud Networking and Security Edge Gateway with vCloud Director provides central visibility into open ports, services, and protocols and is designed to allow only approved traffic into and out of the cardholder data environment.
Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters
Controls addressed: 2.2.a, 2.2.b, 2.2.c, 2.2.d, 2.2.1.a, 2.2.1.b, 2.2.2.a, 2.2.2.b, 2.2.3, 2.2.4.b, 2.2.4.c, 2.2.5.a, 2.2.5.b, 2.2.5.c, 2.3.a, 2.3.b, 2.3.c, 2.3.d, 2.6
Description: Changing vendor-supplied default passwords is a challenge in large distributed environments. vCO can automate the provisioning process to provide that all components in the vSphere infrastructure are built to a known security baseline and vendor settings are re-set. Additionally, direct access to components can be reduced (such as lock-down mode) to minimize the risk of any direct console or shell access. VUM can be used to push out critical security updates that allow the latest security configurations to be enforced. Integrating into vSphere components such as VUM, the vCloud Director environment can be used to push out critical security updates to enable the latest security configurations to be enforced. Hardening guidelines have been developed specifically for the cloud environment (such as the VMware vCloud Director 1.5 DIACAP Implementation Plan). vCloud Director and vSphere provide centralized views to make sure that only necessary ports and protocols are being used. vCloud can enforce strong remote access to components by enforcing secure remote access such as SSH, IPsec or SSL, or it can be used to disable direct access and force administration through centralized vSphere processes. For shared hosting providers, different administrative groups can be enforced to protect each hosted entity through the establishment of RBAC, groups, data centers, and other pools.

Requirement 3: Protect stored cardholder data
Controls addressed: 3.1.1.d, 3.1.1.e, 3.2.a
Description: vSphere can be used to establish and enforce automated procedures designed to prevent virtual machines in the CDE from being retained for longer than required. This is achieved by providing a centralized process for deleting old workloads and snapshots. When a virtual machine or snapshot is no longer necessary, access to that system can be permanently revoked.

Requirement 4: Encrypt transmission of cardholder data across open, public networks
Controls addressed: N/A
Description: N/A

Requirement 5: Protect all systems against malware and regularly update anti-virus software or programs
Controls addressed: 5.1, 5.1.1, 5.2.a, 5.2.b, 5.2.c, 5.2.d, 5.3.a, 5.3.b, 5.3.c
Description: vShield Endpoint offloads antivirus and anti-malware agent processing to a dedicated secure virtual appliance delivered by VMware partners. It is designed to leverage existing endpoint investments by allowing organizations to manage antivirus and anti-malware policies for virtualized environments with the same management interfaces they use to secure physical environments. It establishes an API, which allows for the integration of third party anti-virus solutions. These solutions can run unique endpoint operations such as conducting anti-virus scanning for systems that are offline or agentless anti-virus. Endpoint provides a centralized solution that allows the user to verify that anti-virus is installed on all applicable hosts, actively running, and logging.
Requirement 6: Develop and maintain secure systems and applications
Controls addressed: 6.1.a, 6.1.b, 6.2.a, 6.2.b, 6.4, 6.4.1.a, 6.4.1.b, 6.4.2, 6.4.4.a, 6.4.4.b, 6.4.5.a, 6.4.5.1, 6.4.5.2, 6.4.5.3.a, 6.4.5.3.b, 6.4.5.4
Description: vSphere provides visibility into separate test and development networks and users, and can be used so that access between the development and production networks does not use similar networks or administrative accounts for virtual components.

Requirement 7: Restrict access to cardholder data by business need to know
Controls addressed: 7.1, 7.1.1, 7.1.2.a, 7.1.2.b, 7.1.3, 7.1.4, 7.2.1, 7.2.2, 7.2.3
Description: vCloud and vSphere have built-in access control systems in place so that each virtual component can only be accessed by authorized users. Systems can be accessed directly with local accounts, or can be managed centrally through a role-based access control system enforced by vSphere and integrated into a centralized access control system.

Requirement 8: Identify and authenticate access to system components
Controls addressed: 8.1.a, 8.1.1, 8.1.2, 8.1.3.a, 8.1.4, 8.1.5.a, 8.1.5.b, 8.1.6.a, 8.1.7, 8.1.8, 8.2, 8.2.1.a, 8.2.1.b, 8.2.1.c, 8.2.1.e, 8.2.3.a, 8.2.3.b, 8.2.4.a, 8.2.4.b, 8.2.5.a, 8.2.6, 8.5.a, 8.5.b, 8.6.a, 8.6.c
Description: All access to virtual devices within the vCloud and vSphere environment can enforce individual access. Minimum username and password requirements can be set on many systems natively (such as the ESXi host). Other virtual components can be configured to use centralized authentication servers (such as Active Directory) which can enforce additional controls for password rotation, lockout, duration, etc.

Requirement 9: Restrict physical access to cardholder data
Controls addressed: N/A
Description: N/A

Requirement 10: Track and monitor all access to network resources and cardholder data
Controls addressed: 10.1, 10.2.1, 10.2.2, 10.2.3, 10.2.4, 10.2.5.a, 10.2.5.b, 10.2.5.c, 10.2.6, 10.2.7, 10.3.1, 10.3.2, 10.3.3, 10.3.4, 10.3.5, 10.3.6, 10.4, 10.4.1.a, 10.4.1.b, 10.4.2.a, 10.4.2.b, 10.4.3, 10.5.1, 10.5.2, 10.5.3, 10.5.4, 10.7.a, 10.7.b, 10.7.c
Description: vCloud and vSphere have the ability to log access to components within the environment. Individual access to components can be tracked, logged, and enforced. Audit trails can capture event, time, action, and other critical requirements that are required for monitoring. Logs can be centrally consolidated, reviewed, and retained for analysis. All systems can be configured with time synchronization, normally by enforcing primary and secondary NTP servers in the cloud environment.

Requirement 11: Regularly test security systems and processes
Controls addressed: N/A
Description: N/A
Requirement 12: Maintain a policy that addresses information security for all personnel
Controls addressed: N/A
Description: N/A

Requirement A.1: Shared hosting providers must protect the cardholder data environment
Controls addressed: A.1.1, A.1.2.a, A.1.2.b, A.1.2.c, A.1.2.d, A.1.2.e, A.1.3
Description: vSphere has the ability to log access to components within the vSphere environment. Individual access to components can be tracked, logged, and enforced. Audit trails can capture event, time, action, and other critical requirements that are required for monitoring. Logs can be centrally consolidated, reviewed, and retained for analysis. All systems can be configured with time synchronization, normally by enforcing primary and secondary NTP servers in the vSphere environment. Changing vendor-supplied default passwords is a challenge in large distributed environments. vCloud Director can automate the provisioning process so that all components in the cloud infrastructure are built to a known security baseline and vendor settings are re-set. Additionally, direct access to components can be reduced (such as lock-down mode) to minimize the risk of any direct console or shell access. Hardening guidelines have been developed specifically for the Cloud environment (such as the VMware vCloud Director 1.5 DIACAP Implementation Plan). vCD provides a centralized view designed to confirm that only necessary ports and protocols are being used. vCloud architectures can enforce strong remote access to components by enforcing secure remote access such as SSH or SSL, or they can be used to disable direct access and force administration through centralized processes. For shared hosting providers, different administrative groups can be enforced to protect each hosted entity through the establishment of RBAC, groups, data centers, and other pools.
vCloud Networking and Security

In order to provide multi-tenancy through segmentation and other advanced networking features, vCloud Director is tightly integrated with vCloud Networking and Security Edge Gateway. All of the vCloud Networking and Security products provide a software-based approach to application and data security in virtual and cloud environments, which have traditionally been enforced primarily through physical security appliances. While vCloud Networking and Security App and Data Security are not integrated directly with vCloud Director, they are valuable tools for meeting compliance in a Private Cloud Use Case such as the one detailed in this document. The following are the VMware vCloud Networking and Security products:

App: Protects applications in a virtual data center against network-based threats by providing a firewall that is hypervisor-based and application-aware. vCloud Networking and Security App has visibility of intra-VM communication, and enforces policies, firewall rules based on logical groups, and workloads.

Data Security: Scans for Sensitive Data Discovery across virtualized resources, allowing the organizations to identify and secure different types of sensitive data. For PCI, it provides a way to search virtual machine data files (data at rest) for cardholder data or other sensitive information matching known patterns in order to identify hosts and unauthorized data stores not currently under a cardholder data environment policy.

Edge Gateway: Enhances protection of a virtual data center perimeter by providing gateway security services including careful inspection firewall, site-to-site VPN, load balancing, Dynamic Host Configuration Protocol (DHCP), and Network Address Translation (NAT). It also has the ability to integrate with third-party IDS solutions.

Manager: Manager orchestrates the working of all the above-mentioned products and ensures integration with vCenter and the VMware management portfolio.
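The Data Security description above, and the Requirement 3 row of Table 5 below, describe searching virtual machine data files for cardholder data "matching known patterns". The following is an added example, not VMware Data Security code, that shows the core of that technique: locate candidate digit runs, drop false positives with the Luhn check, infer the brand from well-known issuer prefixes, and report each finding masked to first six / last four so the report does not itself become a cardholder data store. The sample file content is constructed and uses public test card numbers.

```python
"""Discover stored PANs in a virtual machine's data files.

Added example, not VMware Data Security itself: a minimal version of the
technique the guide describes (scanning data at rest for cardholder data
matching known patterns).  Candidate digit runs are located with a regular
expression, false positives are dropped with the Luhn check, the card brand
is inferred from well-known issuer prefixes, and each finding is reported
masked (first six / last four).  The sample file content is constructed and
uses public test card numbers.
"""
import re
from dataclasses import dataclass
from typing import List

# 13-19 digits, optionally separated by single spaces or dashes, and not
# embedded in a longer digit run.
_CANDIDATE = re.compile(r"(?<![\d])(?:\d[ -]?){12,18}\d(?![\d])")


def luhn_valid(digits: str) -> bool:
    """Luhn (mod 10) check: weeds out order numbers, SKUs and timestamps."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def card_brand(digits: str) -> str:
    """Brand from issuer identification prefix (common public ranges only)."""
    if digits.startswith("4"):
        return "Visa"
    if digits[:2] in ("34", "37"):
        return "American Express"
    if 51 <= int(digits[:2]) <= 55 or 2221 <= int(digits[:4]) <= 2720:
        return "MasterCard"
    if digits.startswith("6011") or digits.startswith("65") or 644 <= int(digits[:3]) <= 649:
        return "Discover"
    return "unknown"


def mask_pan(digits: str) -> str:
    """PCI DSS 3.3 style masking: at most first six and last four shown."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


@dataclass(frozen=True)
class Finding:
    offset: int       # byte offset of the match in the scanned file
    brand: str
    masked: str


def scan_for_pans(data: bytes) -> List[Finding]:
    """Return Luhn-valid PAN findings in a file, masked, in file order."""
    text = data.decode("latin-1")           # 1:1 byte<->char keeps offsets exact
    findings = []
    for m in _CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if not luhn_valid(digits):
            continue                         # e.g. a 16-digit order id
        findings.append(Finding(m.start(), card_brand(digits), mask_pan(digits)))
    return findings


# Constructed sample of what a scan of a VM's files might see: an application
# log that cached receipts it should never have written (public test PANs).
SAMPLE_VM_FILE = b"""
order_id=1234567890123456 customer=jdoe
-- cached receipt --
card=4111 1111 1111 1111 exp=12/16
amex=3782-822463-10005
mc=5500000000000004
disc=6011111111111117
build 2014-02-24 rev 1.0
"""

if __name__ == "__main__":
    for f in scan_for_pans(SAMPLE_VM_FILE):
        print("offset %4d  %-16s %s" % (f.offset, f.brand, f.masked))
```

The 16-digit order id passes the length filter but fails Luhn and is dropped, while the four spaced, dashed and plain test PANs are found and reported masked; a real scan would run this over every VM disk file, including those of dormant VMs.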
The following product matrix explains which PCI controls are applicable to VMware vCloud Networking and Security. It also explains how vCloud Networking and Security Suite products may assist in meeting PCI requirements.

Table 5: Applicability of PCI DSS v3.0 Controls to Cloud Networking and Security

PCI DSS V3.0 APPLICABILITY MATRIX
REQUIREMENT | CONTROLS ADDRESSED | DESCRIPTION

Segmentation: While technically not a requirement, segmentation provides a means to reduce the risk to a PCI environment and is strongly recommended.
Controls addressed: N/A
Description: vCloud Networking and Security can provide segmentation for vCloud environments by segmenting virtual machines, port groups, and enforcing perimeter security. Edge Gateway provides gateway security services including a stateful inspection firewall and NAT which protects the network from traffic into and out of the virtualized infrastructure. In order to effectively share vCloud infrastructure resources, each provisioned tenant has the ability to manage their own Edge Gateway through the vCloud Director user interface. App provides visibility and control for intra-VM communication. Data Security can be used to proactively search and identify stores of credit card data and gather data to validate the cardholder data environment scope.
Requirement 1: Install and maintain a firewall configuration to protect cardholder data
Controls addressed: 1.1.1.a, 1.1.1.b, 1.1.1.c, 1.1.2.a, 1.1.2.b, 1.1.3, 1.1.4.a, 1.1.4.c, 1.1.5.a, 1.1.5.b, 1.1.6.a, 1.1.6.b, 1.1.6.c, 1.2.1.a, 1.2.1.b, 1.2.1.c, 1.2.3.a, 1.2.3.b, 1.3.1, 1.3.2, 1.3.3, 1.3.4, 1.3.5, 1.3.6, 1.3.7, 1.3.8.a, 1.3.8.b
Description: vCloud Networking and Security Manager provides centralized management and can be used to enforce the approval process for changes to network connections. Edge Gateway and App can control how cardholder data flows over a network, and Data Security can be used to monitor that those controls are operating effectively as boundaries to the CDE. Roles and responsibilities for management can be enforced and defined in Manager and integrated into other RBAC solutions. Edge Gateway can be used as a firewall to separate wireless networks from the virtual infrastructure. Both Edge Gateway and App perform stateful inspection (dynamic filtering). App and Edge Gateway also support comment fields, which can be used to document the justification for every open port and service. Manager can be used to view current configurations and allow an administrator to compare them to an approved configuration; this facilitates confirmation that running configuration files for App and Edge Gateway are secured and match the approved configurations.

Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters
Controls addressed: 2.2.2.a, 2.2.2.b, 2.2.3, 2.2.4.b, 2.2.4.c, 2.2.5.b, 2.2.5.c, 2.3.a, 2.3.b, 2.3.c, 2.3.d, 2.6
Description: vCloud Networking and Security has published hardening guidelines, installation guidelines, configuration guidance, and/or other implementation procedures which enable organizations to ascertain that they have deployed App, Edge Gateway, Manager, and Data Security in a secured manner. vCloud Networking and Security supports secured remote access (SSH and SSL). An administrator password for the vCloud Networking and Security Manager appliance must be set at install time. The remote shell for the Manager appliance is custom and does not expose the underlying Linux file system or commands.
Requirement 3: Protect stored cardholder data
Controls addressed: 3.1.a, 3.1.c, 3.2.a, 3.2.b, 3.2.1, 3.2.2, 3.2.3, 3.3.a, 3.3.b, 3.3.c, 3.4.a, 3.4.b, 3.4.d
Description: vCloud Networking and Security Data Security can programmatically identify stored cardholder data that exceeds business requirements or data retention policies. For example, if a system is scanned and Primary Account Numbers (PAN) are identified, rules can be established which move the VM to the PCI CDE or to a quarantine area for further review. It can also be used to verify that cardholder data is not stored in violation of the organization's policies. In addition to PAN searches, it can be used to search for and identify sensitive authentication data for organizations that need to store sensitive authentication data (such as issuers) or other personally identifiable information (PII).
DEPLOYMENT AND TECHNICAL CONSIDERATIONS GUIDE 40
VMware, Inc. 3401 Hillview Avenue Palo Alto CA 94304 USA Tel 877-486-9273 Fax 650-427-5001 www.vmware.com
Copyright 2011 VMware, Inc. All rights reserved. This product is protected by U.S. and international copyright and intellectual property laws. VMware products are covered by one or more patents listed at http://www.vmware.com/go/patents. VMware is a registered trademark or trademark of VMware, Inc. in the United States and/or other jurisdictions. All other marks and names mentioned herein may be trademarks of their respective companies.

Requirement 4: Encrypt transmission of cardholder data across open, public networks
Controls addressed: 4.1.a, 4.1.b, 4.1.c, 4.1.d, 4.1.e, 4.1.f, 4.1.g
Description: vCloud Networking and Security Edge Gateway can be used to secure data transmitted over open, public networks by establishing IPsec VPNs between data centers which are connected over public networks. It is compatible with mainstream hardware VPN devices connecting via the IKE protocol. vCloud Networking and Security Edge Gateway also provides SSL VPN connectivity, either protecting URLs or with a stateful client-side install package for Windows or Mac.

Requirement 5: Protect all systems against malware and regularly update anti-virus software or programs
Controls addressed: N/A
Description: N/A

Requirement 6: Develop and maintain secure systems and applications
Controls addressed: 6.3.2.a, 6.4, 6.4.1.a, 6.4.1.b, 6.4.2, 6.4.3.a, 6.4.3.b, 6.4.4.a, 6.4.4.b, 6.5.1, 6.5.2, 6.5.3.a, 6.5.3.b, 6.5.4, 6.6
Description: The vCloud Networking and Security Suite can be used to determine that test, development and production systems are properly segmented and are not using live PAN data, through the use of App together with Data Security.
Requirement 7: Restrict access to cardholder data by business need to know
Controls addressed: 7.1.1, 7.1.2.a, 7.1.2.b, 7.1.3, 7.1.4, 7.2.1, 7.2.2, 7.2.3
Description: vCloud Networking and Security supports role-based access control (RBAC) based on job classification and function, and can be configured to require that only the appropriate administrators and support personnel have access to vCloud Networking and Security components and operations. Manager provides a centralized solution to manage and enforce security profiles across a large distributed environment.

Requirement 8: Identify and authenticate access to system components
Controls addressed: 8.1.a, 8.1.1, 8.1.2, 8.1.3.a, 8.1.4, 8.1.5.a, 8.1.5.b, 8.1.6.a, 8.1.7, 8.1.8, 8.2, 8.2.1.a, 8.2.1.b, 8.2.1.c, 8.2.1.e, 8.2.3.a, 8.2.3.b, 8.2.4.a, 8.2.4.b, 8.2.5.a, 8.2.6, 8.5.a, 8.5.b, 8.6.a, 8.6.c
Description: The vCloud Networking and Security Suite, along with Manager, can be configured to use centralized authentication through vCenter, which can enforce unique IDs, passwords, forced reset on first-time log-in, automatic disabling of old accounts, minimum length, complexity, re-use restrictions, lockout attempts, lockout duration and session idle time.

Requirement 9: Restrict physical access to cardholder data
Controls addressed: N/A
Description: N/A

Requirement 10: Track and monitor all access to network resources and cardholder data
Controls addressed: 10.1, 10.2.1, 10.2.2, 10.2.3, 10.2.4, 10.2.5.a, 10.2.5.b, 10.2.5.c, 10.2.6, 10.2.7, 10.3.1, 10.3.2, 10.3.3, 10.3.4, 10.3.5, 10.3.6, 10.4, 10.4.1.a, 10.4.1.b, 10.4.2.a, 10.4.2.b, 10.4.3, 10.5.1, 10.5.2, 10.5.3, 10.5.4, 10.5.5, 10.7.a, 10.7.b, 10.7.c
Description: vCloud Networking and Security App and Edge Gateway have the ability to log access to components within the virtual environment using syslog. Individual access to components can be tracked, logged and enforced. Audit trails can capture the event, time, action and the other critical fields required for monitoring. Logs can be centrally consolidated, reviewed and retained for analysis. All systems can be configured with time synchronization, normally by enforcing primary and secondary NTP servers in the vSphere environment.

Requirement 11: Regularly test security systems and processes
Controls addressed: 11.4.a, 11.4.b, 11.4.c
Description: vCloud Networking and Security Edge Gateway can be integrated with third-party Intrusion Detection Systems and Intrusion Prevention Systems (IDS/IPS).

Requirement 12: Maintain a policy that addresses information security for all personnel
Controls addressed: N/A
Description: N/A

Requirement A.1: Shared hosting providers must protect the cardholder data environment
Controls addressed: A.1.1, A.1.2.a, A.1.2.b, A.1.2.c, A.1.2.d, A.1.2.e, A.1.3
Description: vCloud Networking and Security has published hardening guidelines, installation guidelines, configuration guidance and/or other implementation procedures which enable organizations to confirm that they have deployed App, Edge Gateway, Manager and Data Security in a secured manner. vCloud Networking and Security supports secured remote access (SSH and SSL).
NSX

Software Defined Networking (SDN) and Network Function Virtualization (NFV) are two areas which are critical in allowing for increased agility in the consumption of physical resources, with inherent gains in policy-based management of networks. VMware's entry into this market is NSX. Much like ESXi enables IT to treat physical hosts as a pool of compute capacity, the NSX approach allows IT to treat its physical network as a pool of transport capacity that can be consumed and repurposed on demand. A virtual machine is a software container that presents logical CPU, memory and storage to an application. Similarly, a virtual network is a software container that presents logical network components (logical switches, logical routers, logical firewalls, logical load balancers, logical VPNs and more) to connected workloads.

Leveraging NSX, logical networks are programmatically created, provisioned and managed, utilizing the underlying physical network as a simple packet-forwarding backplane. Network and security services are distributed and attached to VMs within a network. As a VM is moved to another host, these services stay attached to the VM and move with it. In addition, as new VMs are added to a network to scale an application, policy can be dynamically applied to the new VMs. NSX also reduces the time it takes to provision custom, multi-tier network topologies and enterprise-class security services, and reduces costs by eliminating manual configurations.

NSX policies for the firewall and other third-party solutions are enabled for management with NSX Service Composer. Service Composer not only allows you to manage groups of security-policy-based objects, but also which virtual machine metadata tags will be utilized to determine which of the policies should be applied. Service Composer also allows for managing the readiness of VMware Technology Partner solutions that leverage the NSX API for implementing security services in the ESXi hypervisor kernel.
Logical Switching
The logical switching capability in the NSX platform provides customers the ability to spin up isolated logical L2 networks with the same flexibility and agility as spinning up virtual machines. There are four main components that help decouple the underlying physical network fabric and provide a virtual network abstraction layer: NSX Manager, the Controller cluster, the User World Agent and the VXLAN Tunnel Endpoint (VTEP).

Logical Routing
There are two modes of routing supported in the NSX platform: Distributed Routing and Centralized Routing. The Distributed Routing capability in the NSX platform (an ESXi kernel module) provides an optimized and scalable way of handling east-west traffic within a data center. Centralized Logical Routing, typically used for north-south traffic to and from the Cloud Infrastructure, is performed by the NSX Edge (a virtual appliance). Along with the routing services, NSX Edge also supports other network services, including DHCP, NAT, load balancing and VPN.

Logical Firewall
The VMware NSX platform includes distributed, kernel-enabled firewalling with line-rate performance that is virtualization- and identity-aware, with activity monitoring, among other network security features native to network virtualization such as network isolation and segmentation.

Service Composer
NSX Service Composer offers a way to automate the consumption of services and their mapping to virtual machines using logical policy. Customers can assign policies to groups of virtual machines, and as more virtual machines are added to the group, the policy is automatically applied to the new virtual machines. Customers can build advanced workflows automating security, compliance and network provisioning, including load balancing and firewall rules.
The following product matrix explains which PCI controls are applicable to VMware NSX. It also explains how NSX products may assist in meeting PCI requirements.

Table 6: Applicability of PCI DSS v3.0 Controls to Networking and Security Virtualization

PCI DSS v3.0 Applicability Matrix

Segmentation: While technically not a requirement, segmentation provides a means to reduce the risk to a PCI environment and is strongly recommended.
Controls addressed: N/A
Description: NSX can provide segmentation for vCloud environments by segmenting virtual machines and port groups and enforcing perimeter security. NSX Edge provides gateway security services, including a stateful inspection firewall and NAT, that protect the network from traffic into and out of the virtualized infrastructure. In order to share vCloud infrastructure resources effectively, each provisioned tenant has the ability to manage their own NSX Edge through the vCloud Director user interface. NSX Distributed Firewall provides visibility and control for VM-to-VM (east-west) communication. Data Security can be used to proactively search for and identify stores of credit card data, and to gather the data needed to validate the cardholder data environment scope.
NSX allows for segmentation of systems using security groups. Virtual machines can be placed within different security groups, which can be segmented using virtual appliances such as switches, gateways, firewalls, load balancers and VPNs.
Requirement 1: Install and maintain a firewall configuration to protect cardholder data
Controls addressed: 1.1.1.a, 1.1.1.b, 1.1.1.c, 1.1.2.a, 1.1.2.b, 1.1.3, 1.1.4.a, 1.1.4.c, 1.1.5.a, 1.1.5.b, 1.1.6.a, 1.1.6.b, 1.1.6.c, 1.2.1.a, 1.2.1.b, 1.2.1.c, 1.2.3.a, 1.2.3.b, 1.3.1, 1.3.2, 1.3.3, 1.3.4, 1.3.5, 1.3.6, 1.3.7, 1.3.8.a, 1.3.8.b
Description: NSX Manager provides centralized management and can be used to enforce the approval process for changes to network connections. NSX Edge and Distributed Firewall can control how cardholder data flows over a network, and Data Security can be used to monitor that those controls are operating effectively as boundaries to the CDE. Roles and responsibilities for management can be defined and enforced in Manager and integrated into other RBAC solutions. Edge can be used as a firewall to separate wireless networks from the virtual infrastructure. Both the Edge firewall and the Distributed Firewall perform stateful inspection (dynamic filtering) and also support comment fields, which can be used to document the business justification for every open port and service. Manager can be used to view current configurations and allows an administrator to compare them to an approved configuration; this facilitates confirmation that the running configuration files for NSX are secured and match the approved configurations.
Virtual machines within the NSX envelope can be assigned to security groups, which can then be placed behind virtual firewall appliances. These virtual firewalls can have rules that define access to machines, including denying and allowing access to certain ports through stateful inspection. Traffic between security groups can also be routed through these firewalls to create DMZs and differing levels of security based on need.
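The comparison the text describes (running rules checked against an approved configuration, with a justification comment recorded for every open port and service) is the part of a Requirement 1 review that is worth automating. The block below is an added example written for this guide; it is not NSX or vCloud Networking and Security code, and it serves the identical description given for the Edge Gateway and App rule-sets earlier in this section. The Rule record is a constructed, vendor-neutral shape (an NSX rule export has its own schema), and both rule-sets are constructed test data.

```python
"""Compare a running firewall rule-set with its approved baseline.

Added example for this guide; it is not NSX or vCloud Networking and
Security code.  The Rule record is a constructed, vendor-neutral shape
(an NSX export has its own schema), and the two rule-sets below are
constructed test data.  Three checks a reviewer of Requirement 1 makes
by hand are automated: unapproved rules present, approved rules missing,
and permit rules with no documented justification (the comment field
the text describes, PCI DSS 1.1.6).  A final check confirms the rule-set
ends in an explicit deny-all (1.2.1).
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    name: str
    src: str        # security group, address or "any"
    dst: str
    service: str    # "tcp/443", "udp/1194", "any"
    action: str     # "allow" or "deny"
    comment: str = ""

    def key(self):
        # A rule's identity is what it matches and does; the comment is
        # reviewed separately so a stripped justification is still caught.
        return (self.src, self.dst, self.service, self.action)


def compare_rulesets(approved, running):
    """Return (finding_type, rule_name) pairs, in running-set order."""
    approved_by_key = {r.key(): r for r in approved}
    running_by_key = {r.key(): r for r in running}
    findings = []
    for key, rule in running_by_key.items():
        if key not in approved_by_key:
            findings.append(("unapproved", rule.name))
        elif rule.action == "allow" and not rule.comment.strip():
            findings.append(("no_justification", rule.name))
    for key, rule in approved_by_key.items():
        if key not in running_by_key:
            findings.append(("missing", rule.name))
    return findings


def ends_with_default_deny(rules):
    """True when the last rule denies any -> any on any service."""
    if not rules:
        return False
    last = rules[-1]
    return last.action == "deny" and (last.src, last.dst, last.service) == ("any", "any", "any")


# Constructed baseline: what change control approved.
APPROVED = [
    Rule("pay-web-to-db", "sg-pay-web", "sg-cde-db", "tcp/1433", "allow", "CHG-1042 payment app to DB"),
    Rule("public-https", "any", "sg-pay-web", "tcp/443", "allow", "CHG-0991 customer HTTPS"),
    Rule("default-deny", "any", "any", "any", "deny", "PCI DSS 1.2.1 deny all other traffic"),
]

# Constructed running state: one justification lost, one rule added out of band.
RUNNING = [
    Rule("pay-web-to-db", "sg-pay-web", "sg-cde-db", "tcp/1433", "allow", ""),
    Rule("public-https", "any", "sg-pay-web", "tcp/443", "allow", "CHG-0991 customer HTTPS"),
    Rule("tmp-ssh", "sg-mgmt", "sg-cde-db", "tcp/22", "allow", ""),
    Rule("default-deny", "any", "any", "any", "deny", "PCI DSS 1.2.1 deny all other traffic"),
]

if __name__ == "__main__":
    for kind, name in compare_rulesets(APPROVED, RUNNING):
        print(f"{kind:17} {name}")
    print("default deny present:", ends_with_default_deny(RUNNING))
```

The identity of a rule deliberately excludes its comment: a rule whose justification was deleted still matches its approved counterpart, and is reported as a missing justification rather than as a new rule, which is the finding an assessor would actually write up.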
Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters
Controls addressed: 2.2.2.a, 2.2.2.b, 2.2.3, 2.2.4.b, 2.2.4.c, 2.2.5.b, 2.2.5.c, 2.3.a, 2.3.b, 2.3.c, 2.3.d, 2.4, 2.6
Description: NSX has published installation guidelines, configuration guidance and/or other implementation procedures that enable organizations to ascertain that they have deployed NSX components in a secured manner. NSX Manager supports secured remote access (SSH and SSL), and an administrator password for the appliance must be set at install time. The remote shell for the Manager appliance is custom and does not expose the underlying Linux file system or commands. NSX Edge and Distributed Firewall can isolate CDE applications from the rest of the environment, exposing only the network connectivity needed by PCI-related processes and disallowing insecure or unnecessary services within the CDE.
Requirement 3: Protect stored cardholder data
Controls addressed: 3.1.a, 3.1.c, 3.2.a, 3.2.b, 3.2.1, 3.2.2, 3.2.3, 3.3.a, 3.3.b, 3.3.c, 3.4.a, 3.4.b, 3.4.d
Description: NSX Data Security can programmatically identify stored cardholder data that exceeds business requirements or data retention policies. For example, if a system is scanned and Primary Account Numbers (PANs) are identified, rules can be established which move the VM into the PCI CDE or into a quarantine area for further review. It can also be used to verify that cardholder data is not stored in violation of the organization's policies. In addition to PAN searches, it can be used to search for and identify sensitive authentication data, for organizations that need to store sensitive authentication data (such as issuers), or other personally identifiable information (PII). NSX identity-based firewall rules can enforce access to CDE networks and applications using an Active Directory RBAC scheme that maps the user session to group membership, preventing access to PAN or PII data that may be stored in the target workload by anyone outside the centrally managed groups.
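The discovery step behind the rule described here, and in the identical vCloud Networking and Security Data Security entry earlier in this section, has one property a practitioner should insist on: the detector must validate candidates with the Luhn check rather than flag every run of digits, or order numbers and timestamps will fill the quarantine. The block below is an added example for this guide, not Data Security code. The sample content, the first-six/last-four masking and the action names are constructed for the example.

```python
"""Find stored PANs and decide what to do with the VM that holds them.

Added example for this guide; it is not NSX or vCloud Networking and
Security Data Security code.  It shows the two parts a discovery rule
needs: a detector that reports only Luhn-valid 13 to 19 digit sequences,
so order numbers and timestamps are not flagged, and a disposition step
that maps the result to the actions the text describes (leave alone,
treat as in scope, or quarantine for review).  The sample text is
constructed and the action names are assumptions.
"""
import re

# 13 to 19 digits, optionally separated by single spaces or dashes, not
# embedded in a longer digit run (which would be an ID or a timestamp).
_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Luhn check: every issued PAN sums to a multiple of 10."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(text: str):
    """Return masked (first six, last four) PANs found in text, de-duplicated."""
    found = []
    for m in _CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_valid(digits):
            masked = digits[:6] + "*" * (len(digits) - 10) + digits[-4:]
            if masked not in found:
                found.append(masked)
    return found


def plan_action(pans, vm_in_cde: bool) -> str:
    """Map a scan result to a disposition (names assumed for this example)."""
    if not pans:
        return "clean"
    # PAN found where it is allowed: the VM is in scope; check retention policy.
    if vm_in_cde:
        return "in-scope"
    # PAN found outside the CDE: isolate the VM until someone reviews it.
    return "quarantine"


# Constructed file content as a scanner would read it: an order number
# (13 digits, fails Luhn), a valid Visa test PAN written with spaces, a
# valid Amex test PAN, and a 16-digit string that fails Luhn.
SAMPLE = (
    "order=1234567890123 card=4111 1111 1111 1111 exp=12/19\n"
    "backup note: amex 378282246310005, typo 4111111111111112\n"
)

if __name__ == "__main__":
    pans = find_pans(SAMPLE)
    print(pans, plan_action(pans, vm_in_cde=False))
```

The detector reports only masked values, so the discovery report itself does not become another store of full PANs, which is the trap a naive scanner walks into under 3.3 and 3.4.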
Requirement 4: Encrypt transmission of cardholder data across open, public networks
Controls addressed: 4.1.a, 4.1.b, 4.1.c, 4.1.d, 4.1.e, 4.1.f, 4.1.g
Description: NSX Edge can be used to secure data transmitted over open, public networks by establishing IPsec VPNs between data centers that are connected over public networks. It is compatible with mainstream hardware VPN devices connecting via the IKE protocol. NSX Edge also provides SSL VPN connectivity, either protecting URLs or with a stateful client-side install package for Windows or Mac. NSX allows companies to connect several different data centers with VPNs, thereby securing cardholder data as it travels between physical sites.

Requirement 5: Protect all systems against malware and regularly update anti-virus software or programs
Controls addressed: 5.1, 5.1.1, 5.2.a, 5.2.b, 5.2.c, 5.2.d
Description: NSX does not itself provide anti-virus or anti-malware capabilities, but it does provide readiness monitoring of NSX partner-enabled solutions in these categories via NSX Service Composer and the associated integration API logging facilities.

Requirement 6: Develop and maintain secure systems and applications
Controls addressed: 6.3.2.a, 6.4, 6.4.1.a, 6.4.1.b, 6.4.2, 6.4.3.a, 6.4.3.b, 6.4.4.a, 6.4.4.b, 6.5.1, 6.5.2, 6.5.3.a, 6.5.3.b, 6.5.4, 6.6
Description: NSX can be used to determine that test, development and production systems are properly segmented and are not using live PAN data, through the use of NSX Data Security and Distributed Firewall rules. NSX APIs are used by VMware Technology Partners to scan for guest OS vulnerabilities by exposing guest file systems and Windows registries for comparison against known threats. NSX APIs also support integration of VMware Technology Partner web application firewalls to detect malicious payloads over the virtual networks attached to CDE workloads.
NSX Service Composer provides for the development of firewall and other VMware Technology Partner policies. These can be applied across the SDDC, enabling central configuration management of the policies that direct the runtime security components of the SDDC. These policies can be dynamic (applied to Security Groups) and support inclusion of workloads based on metadata criteria that are actively queried and can be set or consumed by any NSX API-integrated VMware or Technology Partner solution, with rules that determine when each policy set will be applied or relieved. These policies can integrate with other NSX technologies such as Data Security to quarantine, or apply the appropriate firewall rules to, discovered workloads that are to be brought under CDE-managed policy.
Requirement 7: Restrict access to cardholder data by business need to know
Controls addressed: 7.1.1, 7.1.2.a, 7.1.2.b, 7.1.3, 7.1.4, 7.2.1, 7.2.2, 7.2.3
Description: NSX supports role-based access control (RBAC) based on job classification and function, and can be configured to require that only the appropriate administrators and support personnel have access to NSX components and operations. Manager provides a centralized solution to manage and enforce security profiles across a large distributed environment. NSX Identity-Based Firewall rules can enforce access to CDE networks and applications with an Active Directory RBAC scheme, enforced on a user-session-to-group-membership basis, that supports a business need-to-know policy.

Requirement 8: Identify and authenticate access to system components
Controls addressed: 8.1.a, 8.1.1, 8.1.2, 8.1.3.a, 8.1.4, 8.1.5.a, 8.1.5.b, 8.1.6.a, 8.1.7, 8.1.8, 8.2, 8.2.1.a, 8.2.1.b, 8.2.1.c, 8.2.1.e, 8.2.3.a, 8.2.3.b, 8.2.4.a, 8.2.4.b, 8.2.5.a, 8.2.6, 8.5.a, 8.5.b, 8.6.a, 8.6.c
Description: NSX Manager can be configured to use centralized authentication through vCenter, which can enforce unique IDs, passwords, forced reset on first-time log-in, automatic disabling of old accounts, minimum length, complexity, re-use restrictions, lockout attempts, lockout duration and session idle time.
Requirement 9: Restrict physical access to cardholder data
Controls addressed: N/A
Description: N/A

Requirement 10: Track and monitor all access to network resources and cardholder data
Controls addressed: 10.1, 10.2.1, 10.2.2, 10.2.3, 10.2.4, 10.2.5.a, 10.2.5.b, 10.2.5.c, 10.2.6, 10.2.7, 10.3.1, 10.3.2, 10.3.3, 10.3.4, 10.3.5, 10.3.6, 10.4, 10.4.1.a, 10.4.1.b, 10.4.2.a, 10.4.2.b, 10.4.3, 10.5.1, 10.5.2, 10.5.3, 10.5.4, 10.5.5, 10.7.a, 10.7.b, 10.7.c
Description: NSX Edge and Distributed Firewall have the ability to log access to components within the virtual environment using syslog. Individual access to components can be tracked, logged and enforced. Audit trails can capture the event, time, action and the other critical fields required for monitoring. Logs can be centrally consolidated, reviewed and retained for analysis. All systems can be configured with time synchronization, normally by enforcing primary and secondary NTP servers in the vSphere environment.
NSX Activity Monitoring provides an in-depth log trail of computer names, user session IDs in the form of Active Directory security principals and group membership (in the case of Identity Firewall rules), along with the traditional network tuple (source IP, destination IP, TCP port/protocol). This data source provides the data necessary to validate against asserted policies in a third-party SIEM solution.

Requirement 11: Regularly test security systems and processes
Controls addressed: 11.4.a, 11.4.b, 11.4.c
Description: NSX Edge can be integrated with third-party Intrusion Detection Systems and Intrusion Prevention Systems (IDS/IPS). NSX APIs are used by VMware Technology Partners to scan for guest OS vulnerabilities by exposing guest file systems and Windows registries for comparison against known threats. NSX APIs also support integration of VMware Technology Partner web application firewalls to detect malicious payloads over the virtual networks attached to CDE workloads.

Requirement 12: Maintain a policy that addresses information security for all personnel
Controls addressed: N/A
Description: N/A
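The audit trail claims above, and the identical ones made for vCloud Networking and Security App and Edge Gateway earlier in this section, are checkable: a reviewer confirms that each exported event carries the fields 10.3 enumerates and that event timestamps agree with the relay's clock, which is the observable symptom when NTP is not actually enforced. The block below is an added example for this guide, not NSX, vCloud Networking and Security or vSphere code. The syslog lines use a generic RFC 3164 header with a key=value payload; the hostnames, field names and values are all constructed, and real NSX messages have their own layout that would need to be mapped onto these field names.

```python
"""Check exported audit events for the fields PCI DSS 10.3 requires and
for clock skew that would show time synchronization is not working.

Added example for this guide; it is not NSX, vCloud Networking and
Security or vSphere code.  The syslog lines are constructed for the
example, in a generic RFC 3164 header followed by key=value fields; real
NSX Edge and Distributed Firewall messages have their own layout, so the
field names here are assumptions to be mapped onto the actual format.
"""
import re
from datetime import datetime

SYSLOG = re.compile(
    r"^<(?P<pri>\d+)>(?P<hdr>\w{3} {1,2}\d{1,2} \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) (?P<app>[^:]+): (?P<msg>.*)$"
)

# Payload field -> the 10.3 sub-requirement it satisfies.
REQUIRED = {
    "ts": "10.3.3 date and time",
    "event": "10.3.2 type of event",
    "result": "10.3.4 success or failure",
    "src": "10.3.5 origination",
    "dst": "10.3.6 affected resource",
}
# Events that must always be attributable to an account (10.3.1).
USER_EVENTS = {"login", "logout", "rule_change", "config_change"}


def parse_event(line):
    """Split a syslog line into header fields plus the key=value payload."""
    m = SYSLOG.match(line)
    if not m:
        return None
    event = {"host": m.group("host"), "app": m.group("app"), "hdr": m.group("hdr")}
    event.update(re.findall(r"(\w+)=(\S+)", m.group("msg")))
    return event


def clock_skew_seconds(header_time, event_ts):
    """Seconds between the relay's header timestamp and the event's own
    timestamp; the header carries no year, so it is taken from the event."""
    ts = datetime.strptime(event_ts, "%Y-%m-%dT%H:%M:%SZ")
    hdr = datetime.strptime(f"{ts.year} {header_time}", "%Y %b %d %H:%M:%S")
    return int(abs((hdr - ts).total_seconds()))


def audit_findings(log_text, max_skew_seconds=60):
    """Return (line_number, finding) pairs for every event that fails a check."""
    findings = []
    for n, line in enumerate(log_text.splitlines(), start=1):
        ev = parse_event(line)
        if ev is None:
            findings.append((n, "unparseable line"))
            continue
        for field, control in REQUIRED.items():
            if field not in ev:
                findings.append((n, f"missing {field} ({control})"))
        if ev.get("event") in USER_EVENTS and "user" not in ev:
            findings.append((n, "missing user (10.3.1 user identification)"))
        if "ts" in ev:
            skew = clock_skew_seconds(ev["hdr"], ev["ts"])
            if skew > max_skew_seconds:
                findings.append((n, f"clock skew {skew}s (10.4 time synchronization)"))
    return findings


# Constructed sample: two good firewall events, a good login, a rule change
# with no user, and an event whose clock is 19 minutes off and has no result.
SAMPLE_LOGS = """\
<134>Feb 24 10:15:02 edge-fw-01 firewall: ts=2014-02-24T10:15:02Z event=conn_allow result=success src=10.1.2.3 dst=10.1.9.10 dport=1433 rule=pay-web-to-db
<134>Feb 24 10:15:04 edge-fw-01 firewall: ts=2014-02-24T10:15:04Z event=conn_deny result=failure src=198.51.100.7 dst=10.1.9.10 dport=22 rule=default-deny
<134>Feb 24 10:15:05 mgr-01 auth: ts=2014-02-24T10:15:05Z user=admin event=login result=success src=10.0.0.5 dst=mgr-01
<134>Feb 24 10:16:40 mgr-01 config: ts=2014-02-24T10:16:40Z event=rule_change result=success src=10.0.0.5 dst=edge-fw-01
<134>Feb 24 10:17:00 edge-fw-02 firewall: ts=2014-02-24T09:58:00Z event=conn_allow src=10.1.2.4 dst=10.1.9.10 dport=1433
"""

if __name__ == "__main__":
    for n, finding in audit_findings(SAMPLE_LOGS):
        print(f"line {n}: {finding}")
```

Run this over a day's export from the central collector rather than over live traffic: the skew check only means something when the relay that stamped the header is itself an NTP client of the same primary and secondary servers the text describes.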
Requirement A.1: Shared hosting providers must protect the cardholder data environment
Controls addressed: A.1.1, A.1.2.a, A.1.2.b, A.1.2.c, A.1.2.d, A.1.2.e, A.1.3
Description: NSX has published hardening guidelines, installation guidelines, configuration guidance and/or other implementation procedures that enable organizations to confirm that they have deployed NSX components in a secured manner. NSX supports secured remote access (SSH and SSL). NSX supports isolation of multiple tenants or trust zones (CDE and non-CDE) in a hosting provider environment.
Infrastructure Management

The Cloud Infrastructure Management products enable IT organizations to gain better visibility and actionable intelligence to proactively facilitate service levels, optimum resource usage and configuration compliance in dynamic virtual and cloud environments. While all of the VMware products listed prior to this point are leveraged in the building of secure, compliant SDDCs and Cloud Infrastructures, the products in this section are for management of those components beyond their supplied management interfaces. Products in the Cloud Infrastructure Management solution area generally leverage the same APIs that the management interfaces of the Cloud Infrastructure solutions are built on, but tend to do so from a more lifecycle-oriented approach where the entire infrastructure is concerned. Some do this by collecting data across the disparate layers of Cloud Infrastructure, Cloud Networking and Security, and End User Computing, in order to portray a more holistic dashboard of information across those decoupled yet interdependent facets of VMware technologies. Still others do this by exposing APIs from the disparate layers in coarsely grained workflows that can be offered to business users.

vCenter Operations Manager (vCOps) - Uses patented analytics and an integrated approach to operations management in order to provide the intelligence and visibility required to proactively maintain service levels, optimum resource usage and configuration compliance in dynamic virtual and cloud environments.

vCenter Configuration Manager (VCM) - Automates configuration management across virtual and physical servers and desktops, increasing efficiency by eliminating manual, error-prone and time-consuming work. This enables enterprises to maintain continuous compliance by detecting changes and comparing them to configuration and security policies.
vCenter Infrastructure Navigator - Automatically discovers and visualizes application and infrastructure dependencies. It provides visibility into the application services running over the virtual-machine infrastructure and their interrelationships, for day-to-day operational management.

vCenter Update Manager (VUM) - Automates tracking, patching and updating for vSphere hosts (ESXi hosts and clusters), VMware Tools and VMware virtual appliances. It provides a centralized, automated, actionable patch compliance management solution to confirm that applicable VMware components are updated and to enforce the latest security patches.

vCenter Orchestrator (vCO) - A virtual appliance that automates tasks for VMware products and enables orchestration between multiple solutions. VMware vCenter Orchestrator allows administrators to automatically create workflows that capture best practices, which aid in measuring compliance.

vCloud Automation Center (vCAC) - Is utilized to provide delivery and management of infrastructure, applications and services through the use of existing VMware tools and infrastructure. Applications can be deployed and provisioned to end users through the use of vCAC. Additionally, vCAC can be managed in a private, public and/or hybrid cloud. Each end user can receive their application or computing service through vCAC, which provides role-based entitlements and governance for these activities.

vCenter Log Insight - Delivers automated log management through aggregation, analytics and search, enabling operational intelligence and enterprise-wide visibility in dynamic hybrid cloud environments.
The following product matrix explains which PCI controls are applicable to VMware Infrastructure Management. It also explains how the vCenter Operations Suite and associated products may assist in meeting PCI requirements.

Table 7: Applicability of PCI DSS v3.0 Controls to Infrastructure Management

PCI DSS v3.0 Applicability Matrix

Segmentation: While technically not a requirement, segmentation provides a means to reduce the scope of the PCI environment and is strongly recommended.
Controls addressed: N/A
Description: vCO can be used to automate and enforce standardized rules, accounts, profiles and security settings, so that scope is not impacted as new machines are dynamically added or removed. Specifically, vCO can be used to configure new virtual components to communicate only within the environment in which they were intended. vCO can reduce the manual configuration processes that are prone to user error and misconfiguration in a large, dynamic environment.

Requirement 1: Install and maintain a firewall configuration to protect cardholder data
Controls addressed: 1.1.1.a, 1.1.1.b, 1.1.1.c, 1.1.2.a, 1.1.2.b, 1.1.3, 1.4.b, 1.1.5.a, 1.1.5.b, 1.1.6.a, 1.1.6.b, 1.1.6.c, 1.2.1.c, 1.3.2, 1.3.3, 1.3.4, 1.3.5, 1.3.7, 1.3.8.b
Description: vCenter Operations Manager suite components can facilitate appropriate management of a number of controls related to building and maintaining a secure network.
vCOps has a firewall enabled to prevent external attempts to port probe. The vApp exposes a minimal network footprint, with just these ports open for inbound connections:
- 443 (HTTPS)
- 22 (SSH)
- 80 (redirected to 443)
Additionally, an OpenVPN tunnel is created between the two virtual machines of the vApp, using port 1194.

vCO can assist with automation of many manual processes that are prone to human error in a traditional hardware-based environment, thereby ensuring that every change to the CDE is enforced through pre-approved templates, workflows and administrators.

vCenter Infrastructure Navigator provides a more comprehensive network map of the application layers used by CDE workloads, including which networks (TCP, IP and protocols) are used in communicating on the virtual network. These translate directly into vCloud Networking and Security, NSX or third-party firewall rules for CDE applications.
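A practitioner confirms a vendor's exposed-port list from the network side, not from the appliance's own firewall configuration, and records a justification for every port that is open (1.1.6). The block below is an added example for this guide, not vCOps code: it parses the grepable output of an nmap scan run against the vApp and reports any open port that is not on the documented list, together with the reason for each port that is. The scan output is constructed, and the 1194 entries assume OpenVPN's default of UDP with TCP tolerated as a fallback.

```python
"""Verify that a management vApp exposes only its documented ports.

Added example for this guide; it is not vCOps code.  The text lists the
ports the vApp should accept inbound; this parses nmap grepable output
(-oG) from a scan of the appliance and reports anything open that is not
on that list.  The scan output is constructed, and the 1194 entries
assume OpenVPN on UDP (its default) with TCP tolerated as a fallback.
"""
import re

# Assumed baseline from the vApp description: (protocol, port) -> justification.
APPROVED_INBOUND = {
    ("tcp", 443): "HTTPS user interface and API",
    ("tcp", 22): "SSH administration; restrict the source to the admin network",
    ("tcp", 80): "HTTP, redirect to 443 only",
    ("udp", 1194): "OpenVPN tunnel between the two vApp VMs only",
    ("tcp", 1194): "OpenVPN tunnel, TCP fallback (assumption)",
}

# One entry of the -oG Ports field: port/state/protocol/owner/service/rpc/version/
PORT_ENTRY = re.compile(r"(\d+)/(\w+)/(\w+)/")


def parse_grepable(output):
    """Return {host: {(proto, port), ...}} of open ports from nmap -oG output."""
    hosts = {}
    for line in output.splitlines():
        if not line.startswith("Host:") or "Ports:" not in line:
            continue
        host = line.split()[1]
        ports_field = line.split("Ports:", 1)[1].split("\t", 1)[0]
        hosts[host] = {
            (proto, int(port))
            for port, state, proto in PORT_ENTRY.findall(ports_field)
            if state == "open"
        }
    return hosts


def unexpected_ports(observed, approved=APPROVED_INBOUND):
    """Open (proto, port) pairs per host that are not in the approved baseline."""
    return {host: sorted(p for p in ports if p not in approved) for host, ports in observed.items()}


def port_inventory(observed, approved=APPROVED_INBOUND):
    """Per host, every open port with its documented justification, or
    'UNAPPROVED' when there is none: the evidence asked for under 1.1.6."""
    return {
        host: [(proto, port, approved.get((proto, port), "UNAPPROVED"))
               for proto, port in sorted(ports)]
        for host, ports in observed.items()
    }


# Constructed scan of the two vApp VMs; 8443 on the first VM is the finding.
NMAP_OG = """\
# Nmap 6.40 scan initiated Mon Feb 24 10:20:00 2014 as: nmap -sS -sU -p- -oG - 10.0.0.10 10.0.0.11
Host: 10.0.0.10 (vcops-ui)\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///, 443/open/tcp//https///, 8443/open/tcp//https-alt///, 1194/open/udp//openvpn///\tIgnored State: closed (131066)
Host: 10.0.0.11 (vcops-analytics)\tPorts: 22/open/tcp//ssh///, 443/open/tcp//https///, 1194/open/udp//openvpn///, 6061/filtered/tcp//x11///\tIgnored State: closed (131067)
# Nmap done at Mon Feb 24 10:41:12 2014 -- 2 IP addresses (2 hosts up) scanned in 1272.00 seconds
"""

if __name__ == "__main__":
    observed = parse_grepable(NMAP_OG)
    for host, ports in unexpected_ports(observed).items():
        print(host, "unexpected:", ports or "none")
    for host, rows in port_inventory(observed).items():
        for proto, port, why in rows:
            print(f"{host} {proto}/{port}: {why}")
```

Scan from a host outside the vApp's own network segment so the result reflects what the CDE perimeter actually sees; a filtered state (as on 6061 above) is not open and is deliberately not reported.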
Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters
Controls addressed: 2.1.a, 2.1.b, 2.1.c, 2.1.1.b, 2.1.1.c, 2.1.1.d, 2.1.1.e, 2.2.a, 2.2.b, 2.2.c, 2.2.d, 2.2.1.b, 2.2.2.a, 2.2.2.b, 2.2.3, 2.2.4.b, 2.2.4.c, 2.2.5.a, 2.2.5.b, 2.2.5.c, 2.3.a, 2.3.b, 2.3.c, 2.3.d, 2.4, 2.6
Description: Security hardening and the enforcement of configuration standards are difficult in any environment and have historically relied on manual processes. The vCOps suite has the ability to assess both physical and virtual machines in the CDE and report their compliance with a variety of configuration concerns. vCOps has the ability to consistently check the compliance status of machines within the environment, which is critical for the configuration management and hardening of systems: items such as default system settings, system security hardening and baselining, unprovisioned and unapproved software or services, and reporting of unnecessary functions on systems. vCOps allows the customer to customize any number of compliance templates created to meet regulatory and best-practice standards, including but not limited to CIS, ISO 27001/27002, SANS and NIST. This function allows for a simple baseline of standards and security configuration.
The vCOps vCloud connector allows import of all metadata and performance data, allowing for association of vSphere resources with the vCloud consumption layer. This facilitates a clearer definition of scope when managing virtual machines from the vCloud Director layer, where boundaries within the consumed vSphere environment may change over time.

vCOps encrypts user passwords using the Blowfish cipher. Note, however, that vCOps does not enforce a strength-of-password policy or a lockout policy for failed login attempts. Best practice is to integrate vCOps with your existing LDAP or Active Directory, so that those policies are enforced centrally (see Requirement 8 below).

vCloud Automation Center can automate the end-to-end delivery and management of infrastructure and application services, leveraging existing infrastructure, tools and processes. This allows vCAC to maintain the same configurations through the deployment of the various applications and infrastructure.

Requirement 3: Protect stored cardholder data
Controls addressed: N/A
Description: N/A

Requirement 4: Encrypt transmission of cardholder data across open, public networks
Controls addressed: 4.1.a, 4.1.b, 4.1.c, 4.1.d, 4.1.e, 4.1.f, 4.1.g
Description: vCOps uses the Blowfish cipher to secure all internal user accounts and external accounts. For example, all of the user credentials entered into vCOps and used to communicate with monitoring tools are encrypted with this cipher. vCOps supports the use of SSL for browser-to-server communications; the use of SSL for browser-to-server communication is configurable. Note that encrypting stored credentials protects them at rest, while Requirement 4.1 concerns data in transit over open, public networks, so the control that matters here is that SSL/TLS is enabled for the browser-to-server and collector connections rather than left optional. Since PCI DSS v3.1, SSL and early TLS are no longer considered strong cryptography, so "SSL" here should be configured as a current TLS version.

Requirement 5: Protect all systems against malware and regularly update anti-virus software or programs
Controls addressed: 5.1, 5.1.1, 5.2.a, 5.2.b, 5.2.c, 5.2.d
Description: vCOps does not have a built-in anti-virus solution, but it can be used to assess and report the anti-virus state of the systems. This allows a determination that all systems have anti-virus software installed and running with up-to-date signature files. vCOps can remediate anti-virus problems by installing the customer-approved anti-virus software on systems where it is not installed, and by starting/enabling the software services.
Requirement 6: Develop and maintain secure systems and applications
Controls addressed: 6.1.a, 6.1.b, 6.2.a, 6.2.b, 6.4.5.a, 6.4.5.1, 6.4.5.2, 6.4.5.3.a, 6.4.5.4
Description: vCOps with VCM is able to assess, download and deploy patches to Windows, UNIX, Linux and Mac operating systems. Assessments are customizable and can be set to verify critical patches within the past 30 days.

Changes within the virtual environment are captured by vCOps. Each change made to the configuration settings is documented and logged. If a change is made without the proper approval, an alert is raised and the change can be reversed with a simple rollback procedure. vCOps is able to track changes whether made through the standard change process or as out-of-band changes conducted directly on the VMs or through another tool.

VUM provides a centralized solution designed to confirm that all system components are patched and running on the most recent versions. Patches can be deployed manually or pushed out automatically through a combination of VUM and vCO.

Patches for the vCloud Networking and Security suite of products can be automatically detected through the vSphere architecture using VUM. These patches are pushed to the virtual components to confirm that vCloud Networking and Security components are running on the latest versions.
Requirement 7: Restrict access to cardholder data by business need to know
Controls addressed: 7.1, 7.1.1, 7.1.2.a, 7.1.2.b, 7.1.3, 7.1.4, 7.2.1, 7.2.2, 7.2.3
Description: Access to vCOps can be controlled through Microsoft Active Directory. This will allow vCOps to help the user meet the PCI requirements for access control to the CDE.

vCAC can be deployed to end users and customers based on specific requests that have been approved based on organization-wide IT policies and business needs.
Requirement 8: Identify and authenticate access to system components
Controls addressed: 8.1.a, 8.1.1, 8.1.2, 8.1.3.a, 8.1.4, 8.1.5.a, 8.1.5.b, 8.1.6.a, 8.1.7, 8.1.8, 8.2, 8.2.1.a, 8.2.1.b, 8.2.1.c, 8.2.1.e, 8.2.3.a, 8.2.3.b, 8.2.4.a, 8.2.4.b, 8.2.5.a, 8.2.6, 8.5.a, 8.5.b, 8.6.a, 8.6.c
Description: vCOps has the ability to monitor access controls to the CDE and thereby monitor compliance with PCI DSS requirements. Specifically, vCOps will assess and report on the following:
- Local and domain-level users (Windows) and users with unique usernames (UNIX, Linux and Mac OS).
- System password policies for expiration, length, standards, creation settings, and access attempts (can also remediate).
- Changes to user accounts, credential stores, and identifier objects to provide visibility and control over system access.
- User access across all the systems in the data center at once.
- Disable and remove access for terminated user accounts.
- Inactive accounts (for which it can also disable and remove access).
- The status of maintenance accounts, to confirm that they are disabled and configured to only be used during the times specified.
- Login policies, including lockout settings and auto-logout settings, remediating as needed.

Assessment, reporting and remediation are conducted in accordance with scheduling through vCOps.

When using vCAC to deploy various applications and infrastructure there is an ability to enforce password requirements to meet the business needs and adhere to IT policy.
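The password-policy, lockout and inactive-account checks listed above are the kind of assessment a configuration-compliance tool performs on a UNIX/Linux host. The following is an added example, not vCOps or vCM code and not from this guide, that runs the same three checks over constructed input: a /etc/login.defs fragment, a pam_faillock-style line, and a table of last-login dates. The numeric thresholds are taken from PCI DSS v3.0 (8.2.3 minimum length 7, 8.2.4 change at least every 90 days, 8.1.4 disable accounts inactive over 90 days, 8.1.6 at most six failed attempts, 8.1.7 lockout of at least 30 minutes); the sample values and the date used as "today" are constructed.

```python
"""Added example: assess host password, lockout and inactive-account settings
against PCI DSS v3.0 thresholds. Illustrative only; not vCOps/vCM code."""
from datetime import date

# PCI DSS v3.0 thresholds (requirements 8.2.3, 8.2.4, 8.1.4, 8.1.6, 8.1.7).
PCI_MIN_PASS_LEN = 7
PCI_MAX_PASS_DAYS = 90
PCI_MAX_INACTIVE_DAYS = 90
PCI_MAX_FAILED_ATTEMPTS = 6
PCI_LOCKOUT_MINUTES = 30


def parse_login_defs(text):
    """Parse /etc/login.defs-style 'KEY VALUE' lines into a dict; '#' starts a comment."""
    settings = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        parts = line.split(None, 1)
        if len(parts) == 2:
            settings[parts[0]] = parts[1].strip()
    return settings


def assess_password_policy(login_defs_text):
    """Return a list of findings for password aging and length; empty means compliant."""
    s = parse_login_defs(login_defs_text)
    findings = []
    max_days = int(s.get("PASS_MAX_DAYS", 99999))  # shadow default: never expires
    if max_days > PCI_MAX_PASS_DAYS:
        findings.append(f"PASS_MAX_DAYS={max_days} exceeds {PCI_MAX_PASS_DAYS} days (8.2.4)")
    min_len = int(s.get("PASS_MIN_LEN", 0))
    if min_len < PCI_MIN_PASS_LEN:
        findings.append(f"PASS_MIN_LEN={min_len} is below {PCI_MIN_PASS_LEN} (8.2.3)")
    return findings


def assess_lockout_policy(pam_line):
    """Check deny= and unlock_time= options on a pam_faillock/pam_tally2 line."""
    opts = dict(tok.split("=", 1) for tok in pam_line.split() if "=" in tok)
    findings = []
    deny = int(opts.get("deny", 0))  # 0 means no lockout configured at all
    if deny == 0 or deny > PCI_MAX_FAILED_ATTEMPTS:
        findings.append(f"deny={deny} allows more than {PCI_MAX_FAILED_ATTEMPTS} attempts (8.1.6)")
    unlock = int(opts.get("unlock_time", 0))
    if unlock < PCI_LOCKOUT_MINUTES * 60:
        findings.append(f"unlock_time={unlock}s is shorter than {PCI_LOCKOUT_MINUTES} min (8.1.7)")
    return findings


def find_inactive_accounts(last_logins, today, max_days=PCI_MAX_INACTIVE_DAYS):
    """last_logins maps username -> date of last login (None = never logged in).
    Accounts idle longer than max_days, or never used, are reported for disabling."""
    inactive = [u for u, last in last_logins.items()
                if last is None or (today - last).days > max_days]
    return sorted(inactive)


# Constructed sample input: a weak configuration and its corrected counterpart.
WEAK_LOGIN_DEFS = """# constructed sample
PASS_MAX_DAYS   99999
PASS_MIN_DAYS   0
PASS_MIN_LEN    5
PASS_WARN_AGE   7
"""
HARDENED_LOGIN_DEFS = "PASS_MAX_DAYS 90\nPASS_MIN_DAYS 1\nPASS_MIN_LEN 7\nPASS_WARN_AGE 7\n"
WEAK_PAM = "auth required pam_faillock.so preauth silent deny=10 unlock_time=600"
HARDENED_PAM = "auth required pam_faillock.so preauth silent deny=6 unlock_time=1800"
TODAY = date(2014, 2, 24)  # constructed assessment date
LAST_LOGINS = {"alice": date(2014, 2, 20), "bob": date(2013, 10, 1), "svc_backup": None}

if __name__ == "__main__":
    for f in assess_password_policy(WEAK_LOGIN_DEFS) + assess_lockout_policy(WEAK_PAM):
        print("FINDING:", f)
    print("inactive accounts:", find_inactive_accounts(LAST_LOGINS, TODAY))
```

The weak samples produce four findings and two inactive accounts; the hardened samples produce none, which is the state a scheduled assessment would report as compliant.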
Requirement 9: Restrict physical access to cardholder data
Controls addressed: N/A
Description: N/A

Requirement 10: Track and monitor all access to network resources and cardholder data
Controls addressed: 10.1, 10.2.1, 10.2.2, 10.2.3, 10.2.4, 10.2.5.a, 10.2.5.b, 10.2.5.c, 10.2.6, 10.2.7, 10.3.1, 10.3.2, 10.3.3, 10.3.4, 10.3.5, 10.3.6, 10.4, 10.4.1.a, 10.4.1.b, 10.4.2.a, 10.4.2.b, 10.4.3, 10.5.1, 10.5.2, 10.5.3, 10.5.4, 10.5.5, 10.7.a, 10.7.b, 10.7.c
Description: vCOps will assess, report and remediate the following:
- Configurations of the system auditing and logging services to support proper logging across system components.
- vCM collects audit log entries to provide a single view of events.
- NTP settings and configuration details.
- User access audit trails, by ensuring proper permissions for log files and their directories and alerting on changes to critical audit trails.

vCOps has the ability to track system changes across thousands of data points and, in conjunction with native auditing, can be used to track account activity and system modifications.

vCOps can assess and report on syslog configuration details on UNIX and Linux systems that specify remote log servers within the network.

vCenter Log Insight can perform centralized collection of all syslog data generated by VMware SDDC components.

Requirement 11: Regularly test security systems and processes.
Controls addressed: 11.5.a, 11.5.b
Description: vCOps can perform file integrity monitoring (FIM) within the CDE for critical files and/or directories. Alerts can also be established to notify personnel of any changes made or attempted, and even remediate as needed. This ability allows vCOps to enable the user to meet the PCI DSS requirements for FIM.
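Two of the checks described for Requirements 10 and 11 are concrete enough to show in code: confirming that a host's syslog configuration forwards to a remote log server (10.5.3), and file integrity monitoring of audit trails and critical files (10.5.5, 11.5). The block below is an added example written for this guide, not vCOps, vCM or Log Insight code. It parses constructed rsyslog legacy-syntax forwarding rules (`@host` for UDP, `@@host` for TCP) and builds a SHA-256 plus permission-bits baseline over temporary files it creates itself, then reports content changes, permission changes and deletions. The `demo_fim` function and all sample lines are constructed for the example.

```python
"""Added example: remote-syslog configuration check and a minimal FIM
baseline/compare. Illustrative only; not vCOps, vCM or Log Insight code."""
import hashlib
import os
import re
import shutil
import stat
import tempfile

# rsyslog legacy forwarding rule: "<selector> @host[:port]" (UDP) or "@@host[:port]" (TCP).
LEGACY_FWD = re.compile(r"^(\S+)\s+(@@?)([^\s:]+)(?::(\d+))?\s*$")


def find_remote_log_targets(rsyslog_conf):
    """Return (selector, protocol, host, port) for each forwarding rule found."""
    targets = []
    for line in rsyslog_conf.splitlines():
        line = line.split("#", 1)[0].strip()
        m = LEGACY_FWD.match(line)
        if m:
            selector, at, host, port = m.groups()
            targets.append((selector, "tcp" if at == "@@" else "udp", host, int(port or 514)))
    return targets


def forwards_all_security_events(rsyslog_conf):
    """True when a rule forwards everything ('*.*') or the auth facilities off-host."""
    return any(sel == "*.*" or "auth" in sel for sel, _, _, _ in find_remote_log_targets(rsyslog_conf))


def fim_baseline(paths):
    """Record SHA-256 digest and permission bits for each monitored file."""
    baseline = {}
    for p in paths:
        with open(p, "rb") as f:
            digest = hashlib.sha256(f.read()).hexdigest()
        baseline[p] = (digest, stat.S_IMODE(os.stat(p).st_mode))
    return baseline


def fim_compare(baseline):
    """Return {path: 'missing' | 'modified' | 'permissions'} for every deviation."""
    changes = {}
    for p, (digest, mode) in baseline.items():
        if not os.path.exists(p):
            changes[p] = "missing"
            continue
        with open(p, "rb") as f:
            now = hashlib.sha256(f.read()).hexdigest()
        if now != digest:
            changes[p] = "modified"
        elif stat.S_IMODE(os.stat(p).st_mode) != mode:
            changes[p] = "permissions"
    return changes


def demo_fim():
    """Create three constructed log files, baseline them, tamper, and report."""
    tmp = tempfile.mkdtemp()
    try:
        paths = [os.path.join(tmp, n) for n in ("messages", "secure", "audit.log")]
        for p in paths:
            with open(p, "w") as f:
                f.write("constructed log content\n")
            os.chmod(p, 0o640)  # owner rw, group r, no world access
        baseline = fim_baseline(paths)
        with open(paths[0], "a") as f:
            f.write("appended line\n")  # content change
        os.chmod(paths[1], 0o666)  # permissions loosened to world-writable
        os.remove(paths[2])  # audit trail deleted
        return {os.path.basename(p): v for p, v in fim_compare(baseline).items()}
    finally:
        shutil.rmtree(tmp, ignore_errors=True)


# Constructed /etc/rsyslog.conf fragment: local files plus two remote destinations.
SAMPLE_RSYSLOG = """# constructed sample
*.info;mail.none;authpriv.none;cron.none   /var/log/messages
authpriv.*                                  /var/log/secure
*.* @@loghost.example.internal:6514
auth,authpriv.* @10.0.0.5
"""
LOCAL_ONLY_RSYSLOG = "*.info /var/log/messages\nauthpriv.* /var/log/secure\n"

if __name__ == "__main__":
    for t in find_remote_log_targets(SAMPLE_RSYSLOG):
        print("remote target:", t)
    print("forwards security events:", forwards_all_security_events(SAMPLE_RSYSLOG))
    print("FIM deviations:", demo_fim())
```

A host whose configuration matches `LOCAL_ONLY_RSYSLOG` keeps its audit trail only where a compromise of that host could alter it, which is exactly the condition 10.5.3 and a FIM alert on the log files are meant to catch.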
Requirement 12: Maintain a policy that addresses information security for all personnel.
Controls addressed: N/A
Description: N/A

Requirement A.1: Shared hosting providers must protect the cardholder data environment.
Controls addressed: A.1.1, A.1.2.c, A.1.3
Description: vCOps will assess, report and remediate the following:
- Configurations of the system auditing and logging services to support proper logging across system components.
- vCM collects audit log entries to provide a single view of events.
- NTP settings and configuration details.
- User access audit trails, by providing proper permissions for log files and their directories and alerting on changes to critical audit trails.

vCOps has the ability to track system changes across thousands of data points and, in conjunction with native auditing, can be used to track account activity and system modifications.

vCOps can assess and report on syslog configuration details on UNIX and Linux systems that specify remote log servers within the network.
End User Computing

End User Computing is about serving the enterprise desktop experience from Cloud Infrastructure. For regulations such as PCI this serves a number of purposes: 1) one way for us to control access provided to privileged users at known points, with appropriate monitoring and tools to execute a task oriented to their job function; 2) for business users it is a means to serve business applications containing PAN and other sensitive information over a secure connection that limits the exposure of the data itself beyond the scope of the data center, since those numbers only leave as pixels in a remote display protocol; 3) similar to administrative users, we can control the makeup of the desktop itself, including sandboxing of user space for streamed applications, data and registry that can be "re-composed" onto known good baselines maintained through a planned patching regimen; and 4) business users can leverage this fully functional desktop session from a variety of devices including mobile, while also gaining access to shared files with role-based access control governed by enterprise identity stores. Utilizing the VMware End User Computing products can provide a number of techniques to govern access and usage of PCI-sensitive applications while reducing overall costs of refreshing and controlling desktops historically used in this type of data processing.
VMware View Manager (a.k.a. View Administrator)

View Manager is a web-based application that is installed when you install View Connection Server. It is the management interface for View Connection Server. Administrators use View Administrator to configure the View Connection Server, to deploy and manage desktops, to control user authentication, to initiate and examine system events, and to carry out analytical activities. View Administrator is also used to manage security servers and the View Transfer Server instances associated with View Connection Server.

VMware View Persona Management

View Persona Management provides persistent, dynamic user profiles across user sessions on different desktops. The user profile data is downloaded as needed to speed up login and logout time, and new user settings are sent up to the user profile repository automatically during desktop use.

VMware Composer

VMware View Composer lets customers easily manage pools of "like" desktops by creating gold master images that share a common virtual disk. All cloned desktops linked to a master image can be patched or updated through VMware View Manager by simply updating the single master image, without affecting users' settings, data or applications.

VMware View Client

View Client enables access to centrally hosted virtual desktops from Windows PCs, Macs, thin clients, zero clients, iPads, and Android-based clients. View Client with Local Mode allows access to virtual desktops running on a local Windows-based endpoint regardless of network availability.

Horizon Workspace

Horizon Workspace provides a single workspace for files, applications and desktops, for users to easily access widely dispersed information on any device. Workspace also enables IT to manage a large set of applications and devices in a centralized way, utilizing enterprise LDAP group membership for entitlements and access to shared files and folders.
The following product matrix explains which PCI controls are applicable to VMware End User Computing. It also explains how VMware Horizon Suite and associated products may assist in meeting PCI requirements.

Table 8: Applicability of PCI DSS v3.0 Controls to Networking and Security Virtualization

PCI DSS V3.0 Applicability Matrix

Segmentation (while technically not a requirement, segmentation provides a means to reduce the PCI environment and is strongly recommended)
Controls addressed: N/A
Description: VMware View assists by taking the computing endpoints out of scope to a certain extent, by minimizing transmission of actual protected data except in the form of display protocol. When configured correctly, no data will be saved on the hardware of the device, and this can be used to reduce the scope and impact of virtual terminals. The protocol for delivering View sessions, PCoIP, has IPsec for point-to-point encryption (P2PE), giving View the potential to completely remove the virtual terminal PC from scope.

Requirement 1: Install and maintain a firewall configuration to protect cardholder data.
Controls addressed: 1.1.2.a, 1.1.2.b, 1.1.3
Description: VMware View provides its own Security Server, an HTTPS proxy, which typically lives in a DMZ and brokers the connection of the client to the display protocol driver in the virtual machine. The Security Server uses a default-deny policy and must be explicitly configured to connect with a Connection Server to allow external traffic to reach the internal network.

In addition, vCloud Networking and Security Edge Gateway can be utilized to segment the View network from the external network.
Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters.
Controls addressed: 2.2.a, 2.2.b, 2.2.c, 2.2.d, 2.2.2.a, 2.2.2.b, 2.2.3, 2.2.4.b, 2.2.4.c, 2.2.5.a, 2.2.5.b, 2.2.5.c, 2.3.a, 2.3.b, 2.3.c, 2.3.d, 2.6
Description: VMware View relies entirely on Active Directory credentials and stores links as foreign security principals in its own LDAP (AD LDS). These can be managed with a one-way trust to an enterprise AD LDS for the management of these foreign security principals.

Requirement 3: Protect stored cardholder data.
Controls addressed: 3.1.a, 3.1.c, 3.2.a, 3.2.b, 3.2.1, 3.2.3, 3.3.a, 3.3.b, 3.3.c, 3.4.a, 3.4.b, 3.4.d
Description: Since VMware View displays data as pixels and relies on vSphere and other VMware infrastructure for storing desktop OS images, it would defer to those capabilities to meet that requirement. While VMware View has an "Offline Mode" capability that would require some whole-disk encryption and other controls, this would not be utilized in a PCI compliant environment.

Requirement 4: Encrypt transmission of cardholder data across open, public networks.
Controls addressed: 4.1.a, 4.1.b, 4.1.c, 4.1.d
Description: VMware View uses PCoIP for software and hardware ("zero" clients) that natively use an encrypted protocol. PCoIP compresses, encrypts, and encodes data and provides a "pixels only" view for the end user.
Requirement 5: Protect all systems against malware and regularly update anti-virus software or programs
Controls addressed: 5.1, 5.1.1, 5.2.a, 5.2.b, 5.2.c, 5.2.d, 5.3.a, 5.3.b, 5.3.c
Description: View relies upon vShield Endpoint, designed to work with View for protection/remediation. vShield Endpoint is the solution to the problems inherent in antivirus scanning in a large-scale virtual desktop implementation. In a VMware View environment, vShield Endpoint consolidates and offloads two antivirus operations into one centralized virtual appliance:
- Checking for virus signature update files
- Antivirus scanning

VMware has partnered with antivirus software vendors to provide this bundled solution to antivirus problems in the VDI environment. VMware partners supply a dedicated, secure virtual appliance. This virtual appliance integrates with vShield Endpoint APIs to protect VMware virtual desktops against viruses and other malware. Instead of installing antivirus agents on each virtual desktop, you can connect one virtual appliance to each virtual machine host.

Requirement 6: Develop and maintain secure systems and applications.
Controls addressed: 6.1.a, 6.1.b
Description: View relies upon associated VMware products separate from the View Suite for security updates. VMware Update Manager (vUM) is utilized for all VMware components and Shavlik for guest VMs.

Requirement 7: Restrict access to cardholder data by business need to know.
Controls addressed: 7.1, 7.1.1, 7.1.2.a, 7.1.2.b, 7.1.3, 7.1.4, 7.2.1, 7.2.2, 7.2.3
Description: View integrates with third party software (Microsoft Active Directory) to provide role-based access control that is designed to meet PCI DSS requirements. Additionally, View may enable two-factor authentication to help the user meet the requirements for remote access to the View environment.

Horizon Workspace provides Active Directory based RBAC for sharing files within an organization.

Requirement 8: Identify and authenticate access to system components
Controls addressed: 8.1.a, 8.1.1, 8.1.2, 8.1.3.a, 8.1.4, 8.1.5.a, 8.1.5.b, 8.1.6.a, 8.1.7, 8.1.8, 8.2, 8.2.1.a, 8.2.1.b, 8.2.1.c, 8.2.1.e, 8.2.3.a, 8.2.4.a, 8.2.4.b, 8.2.5.a, 8.2.6, 8.5.a, 8.5.b, 8.6.a, 8.6.c
Description: View integrates with Microsoft Active Directory to provide role-based access control. Additionally, View may enable RSA SecurID connections for two-factor authentication.

Requirement 9: Restrict physical access to cardholder data.
Controls addressed: N/A
Description: N/A
Requirement 10: Track and monitor all access to network resources and cardholder data.
Controls addressed: 10.1, 10.2.1, 10.2.2, 10.2.3, 10.2.4, 10.2.5.a, 10.2.5.b, 10.2.5.c, 10.2.6, 10.2.7, 10.3.1, 10.3.2, 10.3.3, 10.3.4, 10.3.5, 10.3.6, 10.4, 10.4.1.a, 10.4.1.b, 10.4.2.a, 10.4.2.b, 10.4.3, 10.5.1, 10.5.2, 10.5.3, 10.5.4, 10.5.5, 10.7.a, 10.7.b, 10.7.c
Description: View allows logging to be captured in accordance with PCI DSS requirements with third party products. Structured text logs and other logging from supporting applications (Microsoft Active Directory, AD LDS and SQL Server) can all be utilized to meet the control requirements.

Requirement 11: Regularly test security systems and processes.
Controls addressed: N/A
Description: N/A

Requirement 12: Maintain a policy that addresses information security for all personnel.
Controls addressed: 12.2
Description: View can be used to automate and enforce daily operational security procedures.

Requirement A.1: Shared hosting providers must protect the cardholder data environment.
Controls addressed: A.1.1, A.1.2.b, A.1.2.c, A.1.2.e
Description: View allows logging to be captured in accordance with PCI DSS requirements with third party products. Structured text logs and other logging from supporting applications (Microsoft Active Directory, AD LDS and SQL Server) can all be utilized to assist in meeting the control requirements.
Summary

Cloud computing and threats to sensitive data, such as that covered by the Payment Card Industry under their Data Security Standards, are both evolving. The benefits and maturity of cloud computing led by VMware and the Software Defined Data Center have led VMware's customers and partners to host most, and approaching all, of the enterprise applications on this platform. To answer that need, VMware, its technology and audit partners have delivered a set of documentation pertinent to mainstream regulations such as PCI DSS version 3.0. Internalizing the information in this document is the first step in understanding which VMware products can be leveraged, along with which features and capabilities must be considered. This also provides the format with which VMware technology partners will publish Applicability Guides of their own, further completing the picture of total controls addressed. VMware and select Technology Partners will co-author Architecture Design Guides highlighting the products asserted as 'Applicable' in this Guide and providing further guidance on how to design, configure and operate these products to mitigate risks. As a final step, VMware's audit partners will validate an environment built on these products and architectural design concepts to help ease the burden of QSA audits.

Acknowledgements:

VMware would like to recognize the efforts of the VMware Compliance GTM team, VMware Center for Policy & Compliance, VMware Partner Alliances, and the numerous VMware teams that contributed to this paper and to the establishment of the VMware compliance program. VMware would also like to recognize the Coalfire Systems Inc. VMware Team (www.coalfire.com/Partners/VMware) for their industry guidance. Coalfire, a leading PCI QSA firm, provided PCI guidance and control interpretation aligned to PCI DSS v.3.0 and the Reference Architecture described herein.

If you have any comments regarding this white paper, we welcome any feedback at vmware@coalfire.com or compliance-solutions@vmware.com.
The information provided by Coalfire Systems and contained in this document is for educational and informational purposes only. Coalfire Systems makes no claims, promises or guarantees about the accuracy, completeness, or adequacy of the information contained herein.

About Coalfire

Coalfire Systems is a leading, independent information technology Governance, Risk and Compliance (IT GRC) firm that provides IT audit, risk assessment and compliance management solutions. Founded in 2001, Coalfire has offices in Dallas, Denver, Los Angeles, New York, San Francisco, Seattle and Washington, D.C., and completes thousands of projects annually in retail, financial services, healthcare, government and utilities. Coalfire has developed a new generation of cloud-based IT GRC tools under the Navis brand that clients use to efficiently manage IT controls and keep pace with rapidly changing regulations and best practices. Coalfire's solutions are adapted to requirements under emerging data privacy legislation, the PCI DSS, GLBA, FFIEC, HIPAA/HITECH, NERC CIP, Sarbanes-Oxley and FISMA. For more information, visit www.coalfire.com.