Key Takeaways
Standards are Mandatory for All Infrastructure: PCI DSS requires clear, documented configuration standards for all devices—physical and virtual—that comprise your infrastructure, including firewalls, routers, load balancers, and servers.
The Customer Owns Cloud Standards: Unless you are using a Software as a Service (SaaS) solution, the client organization (not the Cloud provider) is responsible for defining and maintaining the configuration standards for all virtual devices and software to ensure PCI compliance.
Retain Standards for Legacy Systems: To ensure continuous compliance review, organizations must retain the configuration standards used for older systems and devices, not just current versions. These standards are needed until the final device running that version is decommissioned.
PCI DSS requires an organization to have documented configuration standards for every device that makes up its infrastructure, such as firewalls, routers, load balancers, switches and servers (Requirement 2.2; numbered 2.2.1 in PCI DSS v4.0). That includes devices that exist virtually as well as those that exist physically.
- For virtual infrastructure such as that in the Cloud, the issue we run into is that the organization assumes the Cloud provider has that configuration standard.
- For software as a service (SaaS) that may be true, and you need to check the provider's responsibility matrix to confirm it. For every other Cloud service model, the configuration standard for what the customer deploys and configures (virtual machines, virtual network devices, operating systems and application stacks) is the customer's responsibility, not the provider's.
- As a result, the assessor typically finds that the organization has no configuration standards for its virtual devices.
- This gets worse when the assessor asks for configuration standards for the hypervisor environment.
- Whether it is VMware, Xen, VM Server or Hyper-V, the PCI DSS requires a configuration standard for the software that creates the virtual environment, just as it does for the guests running on it.
- A Cloud provider's hypervisor is covered by the provider's own PCI assessment, so the customer can rely on the provider's Attestation of Compliance for that layer. In-house virtual environments have no such cover, and it is not unusual for assessors to find that an in-house hypervisor was deployed without any configuration standard being defined, let alone followed.
- The next issue an assessor encounters is that standards exist, but only for newly deployed devices, not for the older devices the organization still uses.
- It is not unusual for configuration standards to be available for the current release of Cisco IOS, Windows Server or Red Hat Enterprise Linux, while the standards for the older versions still in service have been discarded.
- As a result, the assessor cannot determine whether those older systems are configured to the last configuration standard that applied to their version, because there is nothing left to test them against.
- The key takeaways ahead of your PCI assessment are:
- Do not get rid of those configuration standards for older devices and systems until the last one goes out the door, and
- Make sure you have all the configuration standards for every type and version of infrastructure in use, not just current types and versions.
