Security in a Virtualized Environment for the Payment Card Industry

Merchant, banking and finance sectors achieve a high competitive advantage if they provide the highest level of cardholder data security. Virtualization is cost-efficient in terms of hardware and operational expenses due to flexibility and scalability of the infrastructure.

Virtual environments have a dynamic nature, generating previously unknown threats. The only way to achieve the required level of protection, while keeping performance high, is to leverage a solution that is specifically designed for a virtual environment. This is the key to an optimized and secure infrastructure, with a fast return on investment.

PCI DSS compliance is critical for businesses of all sizes to remain competitive in the market.
There are strong reasons for businesses to become PCI DSS compliant:

  • Reputation: Both for acquirers and payment card issuers.
  • Trust: A secure payment environment enhances cardholders’ trust in sharing highly sensitive data.
  • Prevention: Avoid credit card fraud and data breaches.

How 5nine Cloud Security meets PCI DSS Security Standards

5nine Cloud Security is the solution to help merchants meet the majority of the PCI DSS requirements. It is a unified security and compliance solution designed to specifically address every Hyper-V security vulnerability using patent-pending technologies, eliminating the need to install additional expensive and resource-consuming security software.

PCI Compliance Requirements

There are many PCI guidelines (standards) for varying stakeholders involved in the payment industry. 5nine helps you achieve many of the PCI DSS level standards, providing a secure environment for your virtualized datacenters.

Any Microsoft Hyper-V virtual network that is protected by 5nine Cloud Security is PCI compliant. Eight of 12 PCI requirements related to a virtualized environment are met by 5nine Cloud Security’s architecture. The remaining four requirements are physical factors, so 5nine covers all of the software-based security requirements for Hyper-V.

Providing PCI DSS Compliance to Hyper-V Clouds

Below is a list of the payment card industry data security requirements (PCI DSS), along with information on how 5nine meets those requirements.

Virtual Network Security

PCI DSS Requirement 1. Install and maintain a firewall configuration to protect cardholder data.

5nine Cloud Security provides network protection with a multi-tenant virtual firewall that is integrated into the Hyper-V virtual switch. This allows 5nine Cloud Security to monitor any type of virtual network traffic (internal, external and private) and to isolate individual VMs and security groups. Firewall rules can be tied to a specific schedule to reduce the potential attack surface.

PCI DSS Requirement 2. Do not use vendor-supplied defaults for system passwords and other security parameters.

5nine Cloud Security supports Windows Server Active Directory (AD) to manage users and passwords for multi-tenant environments. It does not use default passwords. This reduces the chance that administrators leave default passwords unchanged.

Cardholder Data Protection

PCI DSS Requirement 3. Protect stored cardholder data.

This requirement is a question of physical access restrictions and cannot be covered by 5nine Cloud Security.

PCI DSS Requirement 4. Encrypt transmission of cardholder data across open and public networks.

5nine Cloud Security does not encrypt traffic by itself; however, it will support the transmission of encrypted traffic through its networks.

Network Vulnerability Management

PCI DSS Requirement 5. Use and regularly update antivirus software on all systems commonly affected by malware.

5nine Cloud Security runs agentless antivirus scans of the virtual machines deployed on Microsoft Hyper-V. This security level is invisible to end users, and they cannot disable AV scanning.

The unique technology allows administrators to scan VMs up to 70 times faster compared to legacy AV solutions installed inside virtual machines. 5nine Cloud Security is shipped with Bitdefender, Kaspersky or ThreatTrack engines. The 5nine platform frequently updates antivirus signatures to maximize security.

PCI DSS Requirement 6. Develop and maintain secure systems and applications.

5nine Cloud Security includes security component integrity checks. It allows administrators to isolate testing, development and production environments by leveraging the security groups, while web applications can be protected with an extra 5nine Web Application Firewall product.

Continual operations logging allows security administrators to monitor and detect unauthorized security configuration access attempts. The integrated intrusion detection system gives administrators the ability to detect application-level attacks directly on the Hyper-V virtual switch by leveraging the Snort engine and signatures.

Strong Access Control

PCI DSS Requirement 7. Restrict access to cardholder data by business need-to-know.

This requirement is covered by the standard authentication methods of Windows Server and Active Directory.

PCI DSS Requirement 8. Identify and authenticate access to system components.

This requirement is covered by the standard authentication methods of Windows Server and Active Directory.

PCI DSS Requirement 9. Restrict physical access to cardholder data.

This requirement is a question of physical access restrictions, and cannot be covered by 5nine Cloud Security.

Regular Network Monitoring and Testing

PCI DSS Requirement 10. Track and monitor all access to network resources and cardholder data.

This requirement is covered by the standard access rights of Windows Server and the security events logging in 5nine Cloud Security. 5nine’s integrated network anomaly detection system discovers malicious and suspicious network activities. All operations and events are logged in an unchangeable format for future analysis. Integration with a centralized logging system gives administrators the ability to achieve the required log retention period.

PCI DSS Requirement 11. Regularly test security systems and processes.

5nine Cloud Security is constantly collecting and controlling network statistics, such as overall traffic, number of packets and packet size. Then, by leveraging the heuristics algorithm, it creates a base level of normal traffic behavior for each virtual machine, and constantly monitors deviations from that. If a deviation exceeds the sensitivity level, 5nine Cloud Security immediately notifies the administrator about a potential attack or malicious network activities. The integrated intrusion detection system is based on Snort signatures, along with the heuristics algorithm, and this allows it to successfully pass penetration tests.
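
The baseline-and-deviation approach described above, sketched as an added example; it is not 5nine's code, and the page does not specify the heuristics algorithm. The z-score test, the `sensitivity` and `warmup` values, and the VM name `vm-web01` are assumptions made for illustration.

```python
import math
from collections import defaultdict
METRICS = ("bytes", "packets", "avg_pkt_size")

class Baseline:
    """Running mean/variance for one metric (Welford's online algorithm)."""
    def __init__(self):
        self.n, self.mean, self.m2 = 0, 0.0, 0.0

    def update(self, x):
        self.n += 1
        d = x - self.mean
        self.mean += d / self.n
        self.m2 += d * (x - self.mean)

    def zscore(self, x):
        if self.n < 2:
            return 0.0
        std = math.sqrt(self.m2 / (self.n - 1))
        # Floor the spread so a perfectly flat baseline cannot divide by zero.
        return abs(x - self.mean) / max(std, 0.01 * abs(self.mean), 1e-9)

class VmMonitor:
    def __init__(self, sensitivity=4.0, warmup=5):
        self.sensitivity, self.warmup = sensitivity, warmup
        self.baselines = defaultdict(lambda: {m: Baseline() for m in METRICS})

    def observe(self, vm, nbytes, packets):
        """Return the metrics that deviate beyond the sensitivity level."""
        sample = {"bytes": nbytes, "packets": packets,
                  "avg_pkt_size": nbytes / packets if packets else 0.0}
        base, alerts = self.baselines[vm], []
        if base["bytes"].n >= self.warmup:  # no alerts until a baseline exists
            alerts = [m for m in METRICS
                      if base[m].zscore(sample[m]) > self.sensitivity]
        if not alerts:  # keep anomalous intervals out of the baseline
            for m in METRICS:
                base[m].update(sample[m])
        return alerts

def run_demo():
    mon = VmMonitor()
    # Constructed per-interval (bytes, packets) samples for one hypothetical VM.
    normal = [(100_000, 200), (104_000, 210), (98_000, 195),
              (101_000, 205), (99_500, 198), (102_500, 204)]
    results = [mon.observe("vm-web01", b, p) for b, p in normal]
    # Same byte volume carried in many small packets.
    results.append(mon.observe("vm-web01", 100_000, 2_500))
    return results
```

In the demo the last interval has a normal byte count, so a volume-only threshold would miss it; the packet count and average packet size are what deviate from the VM's baseline.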

Information Security Policy

PCI DSS Requirement 12. Maintain a policy that addresses information security.

This requirement is based on the company’s corporate information policy and cannot be covered by 5nine Cloud Security.