2.5.1 PCI DSS
The Payment Card Industry Data Security Standard (PCI DSS) applies to every environment that stores, processes, or transmits cardholder data. Cardholder data includes the primary account number (PAN) together with any other data elements that PCI DSS v3.1 defines as cardholder data (for example cardholder name, expiration date, and service code when stored with the PAN). Cloud computing is no exception to the PCI DSS assessment process, and several of the cloud's advantages over earlier models, such as sharing of physical resources, workload mobility, and a consolidated management plane, require that adequate controls be adopted before the environment can meet PCI DSS requirements. Documenting these considerations helps assessors understand what they need to know about a cloud environment to determine whether a given PCI DSS requirement has been met. If payment card data is stored, processed, or transmitted in a cloud environment, PCI DSS applies to that environment, and validation typically covers both the underlying infrastructure and the applications running on it.
Enterprise computing environments across many vertical industries are subject to PCI DSS, in particular those that handle financial transactions for the exchange of goods and services, and many of these environments are built on VMware and VMware technology partner solutions. Such customers look for ways to reduce overall IT spend while maintaining an appropriate risk posture for the in-scope environment. One of the greatest challenges in hosting a next-generation cloud computing environment is consolidating the different trust zones it must support, such as a cardholder data environment (CDE) and a non-cardholder data environment, on shared infrastructure while keeping them adequately segmented.
For these reasons, VMware has engaged its audit partners, such as Coalfire, a PCI DSS Qualified Security Assessor (QSA), in a programmatic effort to evaluate VMware products and solutions for their PCI DSS control capabilities and to document those capabilities in a set of reference architecture documents. The first of these documents is this Product Applicability Guide, which maps VMware products and features to the PCI DSS controls they can help implement. The two further documents that, together with this guide, make up the PCI DSS Reference Architecture are the Architecture Design Guide and the Validated Reference Architecture, which describe the design considerations for building a VMware cloud environment intended to meet PCI DSS.