Meeting VMware PCI Compliance Requirements

If your organization runs virtualization technologies and handles credit cardholder data, its VMware environment falls within the scope of the Payment Card Industry Data Security Standard (PCI DSS). Proving that the environment is PCI DSS compliant is likely taking a toll on you: sleepless nights worrying you have missed something, days of work assembling reports, and constant stress over auditors' tricky questions. There is no need to be anxious about your next PCI DSS audit, because with the right solution at hand you can streamline compliance preparation and produce the evidence that your VMware system security and data security controls are where they should be.

Diving into VMware and PCI compliance

PCI DSS 3.2 (the current version when this page was written; later revisions of the standard have since been published) is one of the most rigorous and specific standards established to date in the payment card industry, and every organization that stores, processes or transmits cardholder data, regardless of volume, is required to comply with it. Failure to comply with PCI DSS can result in substantial fines, damage to an organization's reputation, or even business closure.

When you apply the security controls of your cardholder data security policy to a virtual infrastructure, the key risk factor unique to that infrastructure is the hypervisor: if an ESXi host is compromised or misconfigured, every virtual machine hosted on it, and all cardholder data those machines store or process, is at risk. For the same reason, the PCI SSC Virtualization Guidelines information supplement treats a hypervisor as in scope for PCI DSS whenever any virtual machine or virtual component hosted on it is in scope.

Here are the PCI DSS requirements most relevant to VMware environments:

  • Requirement 3: Protect stored cardholder data.
  • Requirement 4: Ensure encryption of transmission of cardholder data across open, public networks.
  • Requirement 5: Protect all systems against malware and regularly update anti-virus software or programs.
  • Requirement 6: Develop and maintain secure systems and applications.
  • Requirement 7: Restrict access to cardholder data by business need to know.
  • Requirement 8: Identify and authenticate access to system components.
  • Requirement 9: Restrict physical access to cardholder data.
  • Requirement 10: Track and monitor all access to network resources and cardholder data.
  • Requirement 11: Regularly test security systems and processes.
  • Requirement 12: Maintain a policy that addresses information security for all personnel.


Ensuring compliance of VMware with PCI DSS with less effort and expense

It's time to honestly answer these questions: How sure are you that your VMware environment is PCI DSS compliant? Can you quickly satisfy every auditor's inquiry with sufficient proof? Do you desperately need to optimize your compliance preparation processes?

Netwrix Auditor for VMware will revamp your compliance experience. With it at hand, you can:

  • Gain pervasive visibility into what's going on across your VMware vSphere and vCenter Server environment, so you can set up appropriate controls that will secure your cardholder data.
  • Streamline your reporting processes and slash PCI DSS audit preparation time by 50% with predefined compliance reports mapped to PCI DSS. You also get reports mapped to most other common standards, including FISMA/NIST, GDPR, HIPAA and more.
  • Make compliance reporting less stressful by subscribing yourself or security officers to the reports each of you needs, or by simply saving the requested reports in a shared folder and granting access to it whenever an auditor knocks at your door.
  • Answer auditors’ questions in seconds with the Google-like interactive search.
  • Get alerts on critical activity, such as configuration changes, to ensure quick response to an emerging threat to your sensitive data and thereby mitigate the risk of compliance failures.
  • Consolidate and store your VMware audit trails for years in the cost-effective two-tiered (SQL database + file-based) storage, and access them whenever your next audit check approaches.

VMware PCI compliance report from Netwrix Auditor