Paper: Reference architecture for PCI in the cloud from VMware, Cisco, HyTrust, Savvis and Coalfire

Cisco, VMware, HyTrust, Savvis and Coalfire have released a paper titled: PCI-Compliant Cloud Reference Architecture. The paper contains 19 pages and details a reference architecture for constructing a cloud architecture meeting the requirements of the Payment Card Industry (PCI) Data Security Standard (DSS).

PCI DDS defines a set of requirements to protect payment cardholder data, and the environments in which cardholder data is stored, processed or transmitted. The current PCI DDS standard, which is version 2.1 does not specifically address the risks associated with virtual machines and cloud computing, instead they empower PCI Qualified, Security Assessors (QSAs) and vendors to work collaboratively on providing guidelines. In the case of this specific paper, the QSA is Coalfire and the vendors are Cisco, VMware, HyTrust and Savvis.

The paper uses a case of an e-commerce merchant and details its reference architecture using the solutions from the earlier mentioned vendors.


The reference architecture consists of a type 1 hypervisor from VMware (ESX/ESXi). The VMware hosts are hardened using the HyTrust Appliance (HTA), which also assesses configuration drift, and provides auto remediation. The HTA also controls all administrative access, by providing two-factor authentication and Role Based Access Control (RBAC). Three virtual networks are provided for management, PCI and blog traffic using Cisco Nexus 1000V distributed virtual switches . Cardholder Data Environment (CDE) Virtual Machines are required to have a virtual firewall, file integrity monitoring, hardened configuration, RBAC, privileged account management, anti-virus protection, web application firewall, intrusion detection/prevention systems and logging/audit trail.

"…Multi-tenancy and mixed-mode: CDE VMs and non-CDE VMs can be co-mingled on a cluster of hypervisors as long as adequate controls are implemented and validated to ensure proper isolation. Network controls and

communication must be tested in the same or similar fashion as physical environments to demonstrate segmentation…"