Payment Card Industry (PCI) Data Security Standards (DSS) protect the safety of cardholder data by specifying both technical and operational requirements for all businesses that are involved with accepting or processing payments. All IT systems that process, store, or transmit cardholder data, including hardware and infrastructure layers, must undergo rigorous auditing to achieve PCI compliant status. Only after satisfying all PCI requirements, will an Attestation of Compliance (AOC) be given to the company.
VMware Cloud on AWS now offers PCI DSS compliant SDDCs that can drastically simplify the tasks to achieve and maintain PCI DSS compliance. VMware Cloud on AWS achieved Certified PCI DSS 3.2.1 Level 1 Service Provider status, confirmed by AOC available for download here. Running PCI DSS compliant workloads on public cloud depends on a strict concept of separation of duties. The Shared responsibility model dictates distinct responsibilities for each of the three parties involved: Customer, VMware, and AWS. It’s important to mention that according to the model and PCI DSS requirements customers are ultimately responsible for successfully achieving and maintaining PCI compliance of their workloads.
PCI Compliant SDDC
VMware Cloud on AWS implementation of PCI DSS compliant SDDC is based on the shared responsibility model and includes the following high-level steps to be performed by Customers:
– Deploy a new VMware Cloud on AWS SDDC as usual on the PCI DSS enabled VMware Cloud on AWS Organization.
You will need to contact VMware to enable this feature for your Organization and use a PCI DSS enabled AWS Region for the deployment of the SDDC. The first enabled regions are US East (N. Virginia), US West (Oregon), and Europe (Ireland). We keep adding new AWS Regions to the list.
– Configure your SDDC, including network connections, firewall policies and rules, etc.
It is important that you can access the private IP range of the management subnet. For example, if vCenter server and NSX managers are deployed using 10.20.0.0/16 network, your route configuration and firewall rules should allow access to the endpoints in this subnet.
– Migrate the applications that are in scope for PCI DSS to the SDDC.
You can deploy VMware HCX (HCX) and use it for workload migration and network extension. It is important to mention that you are required to disable HCX once you harden the SDDC for any production PCI DSS compliant workload.
– Harden your SDDC for PCI DSS compliance.
This is a new and compliance specific step in the configuration flow for your SDDC. VMware has identified selected SDDC components as being non-PCI DSS compliant. You must disable all of them before starting your PCI DSS audit. At the time of writing the list of components includes:
- SDDC Add-Ons – VMware HCX, Site Recovery, vRealize Automation Cloud.
- Network & Security Tab in your SDDC
Note: The list is subject to change in the future releases.
The Settings Tab in the SDDC management console includes the new Component control section providing you with the options to disable Add-ons and Networking & Security Tab.
If you enabled some of the Add-Ons before (for example, HCX to facilitate the migration) you would need to uninstall the Add-on before disabling it.
In addition to that, you need to make changes to the Networking & Security tab. To facilitate PCI DSS requirements, you need to exclusively use the local NSX Manager UI in your SDDC. The local NSX manager UI offers you the same look and feel for the networking configuration as the Networking & Security tab in your SDDC. You have access to all networking and security features just from the separate UI.
Note: Local NSX Manager UI is only accessible via the private management subnet. Make sure to allow network access to the local NSX Manager UI before disabling the tab. Failure to configure network connectivity to the local NSX Manager correctly would prevent you from managing the networking configuration for your SDDC.
After hardening your SDDC for PCI DSS Compliant you can start preparing your applications for the audit. VMware and AWS take care of the underlying infrastructure allowing you to focus just on the workload.
To learn more about PCI Compliance on VMware Cloud on AWS, check out the resources below:
- VMware Cloud on AWS Trust Center
- Migrating PCI Workloads to VMware Cloud on AWS
- Demo. Deploying PCI DSS Compliant SDDC on VMware Cloud on AWS using Local NSX Manager UI
- VMware Cloud on AWS documentation
For other information related to VMware Cloud on AWS, here are some more learning resources for you:
- You can learn more about our VMware Cloud on AWS service at the VMware Cloud on AWS website or by viewing VMware Cloud on AWS: Overview.
- Follow us on Twitter @vmwarecloudaws and give us a shout with #VMWonAWS.
- Leverage the new VMware Cloud on AWS Techzone for curated technical documentation.
- Watch informative demos, overview videos, webinars and hear from our customers: VMware Cloud on AWS on YouTube.
- Try the VMware Cloud on AWS Lightening Lab for a first-hand immersive experience.
- Read our latest VMware Cloud on AWS blogs.
- Obtain the VMware Cloud on AWS Solution Brief and VMware Cloud on AWS TCO 1-pager.
- Follow the VMware Cloud on AWS release notes, VMware Site Recovery release notes and VMware Cloud Disaster Recovery release notes on continuing updates.
- Read Technical Guides on Operations, Applications, and Performance.
- Listen to latest episodes of VMware Cloud on AWS Unplugged Podcast