VMware SDDC PCI DSS Product Applicability Guide

Transcription

VMware Software-Defined Data Center (SDDC) Product Applicability Guide for PCI DSS

May 21, 2019

CONFIDENTIAL: This report is confidential for the sole use of the intended recipient(s). If you are not the intended recipient, please do not use, disclose, or distribute.

VMware SDDC PCI DSS PAG 1

Table of Contents

WHITEPAPER SUBTITLE GOES HERE ......... 1
TABLE OF CONTENTS ......... 2
REVISION HISTORY ......... 3
DESIGN SUBJECT MATTER EXPERTS ......... 3
TRADEMARKS AND OTHER INTELLECTUAL PROPERTY NOTICES ......... 4
EXECUTIVE SUMMARY ......... 5
BACKGROUND ......... 5
VMWARE SDDC AND PCI DSS ......... 5
INTRODUCTION ......... 7
WHAT IS PCI DSS V3.2.1? ......... 7
HOW DOES PCI DSS WORK? ......... 7
SCOPE AND APPROACH ......... 8
OUR APPROACH ......... 9
IN-SCOPE VMWARE PRODUCT LIST ......... 11
OVERVIEW OF VMWARE AND PCI DSS BEST PRACTICES AND REQUIREMENT MAPPING ......... 14
VMWARE CONTROL CAPABILITIES DETAIL ......... 17
VMWARE ADMINISTRATIVE SUPPORT FOR PCI REQUIREMENTS ......... 18
VMWARE CORE SUPPORT FOR PCI REQUIREMENTS ......... 18
CONCLUSION ......... 41
BIBLIOGRAPHY ......... 42
APPENDIX A: PCI DSS 3.2.1 CONTROL MAPPING ......... 43
APPENDIX B: SDDC PRODUCT CAPABILITY RELATIONSHIP WITH PCI DSS ......... 44
ABOUT VMWARE ......... 65
ABOUT TEVORA ......... 66

Revision History

| Date     | Rev | Author | Comments      | Reviewers |
|----------|-----|--------|---------------|-----------|
| May 2019 | 1.0 | Tevora | Initial Draft | VMware    |

Design Subject Matter Experts

The following people provided key input into this whitepaper.

| Name              | Email Address       | Role/Comments                                              |
|-------------------|---------------------|------------------------------------------------------------|
| David Grazer      | dgrazer@tevora.com  | Co-Author                                                  |
| Christina Whiting | cwhiting@tevora.com | Co-Author                                                  |
| Zachary Curley    | zcurley@tevora.com  | Co-Author                                                  |
| Anthony Dukes     | adukes@vmware.com   | Technology SME, VMware                                     |
| Carlos Phoenix    |                     | …ance and Cybersecurity SME, VMware                        |
| Jerry …           |                     | Director, Product Management, Compliance Solutions, VMware |

Trademarks and Other Intellectual Property Notices

The VMware products and solutions discussed in this document are protected by U.S. and international copyright and intellectual property laws. VMware products are covered by one or more patents listed at http://www.vmware.com/go/patents. VMware is a registered trademark or trademark of VMware, Inc. and its subsidiaries in the United States and other jurisdictions. All other marks and names mentioned herein may be trademarks of their respective companies.

| Solution Area                | Key Products                                                                                                                                                                                                                |
|------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| Software-Defined Compute     | VMware ESXi, VMware vCenter, VMware Cloud Foundation, VMware vSAN, VMware vCloud Director, VMware vCloud Director Extender, VMware vCloud Usage Meter                                                                         |
| Software-Defined Networking  | VMware NSX                                                                                                                                                                                                                  |
| Management and Automation    | VMware vRealize Network Insight, VMware vRealize Automation, VMware vRealize Orchestrator, VMware vRealize Log Insight, VMware vRealize Operations Manager, VMware AppDefense, VMware Identity Manager                        |
| Disaster Recovery Automation | VMware Site Recovery Manager, VMware vSphere Replication, VMware vCloud Availability for vCloud Director                                                                                                                     |

Disclaimer (Tevora)

The opinions stated in this guide concerning the applicability of VMware products to the PCI DSS framework are the opinions of Tevora. All readers are advised to perform individual product evaluations based on organizational needs.

For more information about the general approach to compliance solutions, please visit VMware Solution Exchange: Compliance and Cyber Risk Solutions. This whitepaper has been reviewed and authored by Tevora’s staff of Information Security Professionals in conjunction with VMware, Inc.

Disclaimer (VMware)

This document is intended to provide general guidance for organizations that are considering VMware solutions to help them address compliance requirements. The information contained in this document is for educational and informational purposes only. This document is not intended to provide regulatory advice and is provided “AS IS.” VMware makes no claims, promises or guarantees about the accuracy, completeness, or adequacy of the information contained herein. Organizations should engage appropriate legal, business, technical, and audit expertise within their specific organization for review of regulatory compliance requirements.

Executive Summary

Background

This Product Applicability Guide (PAG) will provide an evaluation of VMware products that make up and support the Software-Defined Data Center (SDDC), and how they may support the Payment Card Industry Data Security Standard, v3.2.1 (PCI DSS/PCI) controls. These products virtualize and abstract the physical technology layers such as compute, storage, and network, the essence of an SDDC. The changing technology landscape that is modernizing the data center is also modernizing the virtual desktop environment and mobile device management while making inroads to consolidate and automate Information Technology (IT) resources. VMware prioritizes data protection and system security features within the SDDC. The VMware Compliance Solutions team developed a framework that incorporates SDDC product capabilities aligned to PCI DSS controls. The product capabilities and framework of this PAG utilized NIST 800-53 as their foundational security framework to create a series of standards. These standards have then been used to illustrate how VMware products and their capabilities apply to other industry frameworks such as NIST 800-171 and PCI DSS.

VMware engaged Tevora, an independent third-party IT audit firm, to conduct a review of the SDDC and VMware Cloud solution’s alignment to PCI DSS. This document is the culmination of Tevora’s discussions with VMware product teams to perform a thorough evaluation of VMware product capabilities mapped to PCI DSS requirements.

Tevora is a leading security consulting firm specializing in enterprise risk, compliance, information security solutions, and threat research. Tevora offers a comprehensive portfolio of information security solutions and services to clients in virtually all industries. This PAG will navigate readers through the PCI DSS standard and highlight applicable VMware product capabilities.

VMware SDDC and PCI DSS

Today’s infrastructures are heterogeneous in nature, built upon collaborations between internally constructed products and third-party sourced components, all guided by a customer’s complex business and compliance requirements.

VMware approaches compliance with a view that understands the complexity in environments and addresses those areas where virtualization can be leveraged to develop a more secure environment. This focused view on compliance is reflected in the VMware Compliance Solutions framework, which allows for a wide-ranging adoption of regulatory controls.

The phrase “security by design” identifies architectural decisions and default settings inside VMware products that are integrated into the product lifecycle. This approach reflects the process VMware follows to weave in security through all stages of the product lifecycle, and not as an afterthought. This overlap between products and compliance requirements marries security and non-security product capabilities in an improved way to also achieve operational innovation. Due to the breadth of the NIST compliance framework, VMware selected NIST 800-53 as its foundation for all future PAGs including PCI DSS and as the acknowledgment across industry standards that have been derived from the larger NIST risk framework.

What is SDDC?

The Software-Defined Data Center architecture creates a completely automated, highly available environment for any application, and any hardware. SDDC can be used in any type of cloud model, and extends the existing concepts associated with the cloud such as abstraction, pooling, and virtualization across the cloud environment. Features of the SDDC can be deployed as a suite or can also work independently to allow for a controlled deployment over time.

What is PCI DSS?

The Payment Card Industry Data Security Standard (PCI DSS) is an information security standard for organizations that handle branded credit cards from the major credit card brands. The standard was created to increase security around cardholder data and protect consumers. This standard applies to any organization that stores, processes or handles cardholder data.

Cardholder data can consist of several items, including:

- Primary Account Number (PAN)
- Name of the cardholder
- The card’s expiration date
- The card’s service code

An individual business’s interaction with cardholder data will vary depending on its defined operations. This underscores that there is no one-size-fits-all recommendation to secure a cardholder data environment (CDE). The responsibility resides with the individual business to ensure it appropriately assesses what requirements fit its environment to adequately protect cardholder data along PCI DSS standards.

Validation of compliance is performed annually, either by an external Qualified Security Assessor (QSA) that creates a Report on Compliance (ROC) for organizations handling large volumes of transactions, or by a Self-Assessment Questionnaire (SAQ) for companies handling smaller volumes.

As with many security standards, PCI DSS takes a variety of its intentions from NIST 800-53 as guidance for defense-in-depth security within the cardholder environment.

Introduction

What is PCI DSS v3.2.1?

PCI DSS v3.2.1 is an updated version of the PCI Data Security Standard originally developed by the PCI Standards Council in 2004. This version considers evolving technologies and threat vectors to consumers, merchants and other entities within the transaction chain.

How does PCI DSS work?

The PCI DSS standard requires organizations to comply with a robust set of requirements. The criteria are broken down into 6 objective areas and 12 requirements (listed below). Each requirement has a set of controls and the necessary testing procedures to ensure that they are implemented appropriately, with expert guidance.

- Build and Maintain a Secure Network and Systems
  o Requirement 1 (Req.1): Install and maintain a firewall configuration to protect cardholder data
  o Requirement 2 (Req.2): Do not use vendor-supplied defaults for system passwords and other security parameters
- Protect Cardholder Data
  o Requirement 3 (Req.3): Protect stored cardholder data
  o Requirement 4 (Req.4): Encrypt transmission of cardholder data across open, public networks
- Maintain a Vulnerability Management Program
  o Requirement 5 (Req.5): Protect all systems against malware and regularly update anti-virus software or programs
  o Requirement 6 (Req.6): Develop and maintain secure systems and applications
- Implement Strong Access Control Measures
  o Requirement 7 (Req.7): Restrict access to cardholder data by business need to know
  o Requirement 8 (Req.8): Identify and authenticate access to system components
  o Requirement 9 (Req.9): Restrict physical access to cardholder data
- Regularly Monitor and Test Networks
  o Requirement 10 (Req.10): Track and monitor all access to network resources and cardholder data
  o Requirement 11 (Req.11): Regularly test security systems and processes.
- Maintain an Information Security Policy
  o Requirement 12 (Req.12): Maintain a policy that addresses information security for all personnel.

The scope of the PCI environment varies from organization to organization. VMware products help enforce controls configured by each client based on their individual environment. Organizations need to define the scope of their cardholder environment and controls.

Scope and Approach

The SDDC and VMware Cloud platform covers a wide number of products and architectures. The platforms and each of their component products contain features that could be mapped to some PCI DSS requirements. Of the 12 total requirements, 10 had mapping overlaps to VMware software capabilities. This guide expands to account for all products underneath the SDDC umbrella. The scope of this guide is limited to those requirements supported either technically or through direct API integration. People and process controls are defined as administrative controls, in support of PCI DSS requirement intents.

What Is a Cardholder Data Environment?

The CDE is the key area in question within PCI DSS. The CDE can be described as any computer system or network that either processes, stores, or transmits cardholder data or other sensitive payment information. The environment extends to include any device that maintains a direct connection to the device(s) meeting the description of a CDE as outlined above.

The CDE can include but is not limited to any of the following devices:

- Firewalls
- Switches
- Routers
- Access Points
- Point of Sale (POS) Systems
- Point of Interaction (POI) Devices
- Servers (including web servers, application servers, or database servers)
- Any application that accepts payments
- Any associated virtual components (including virtual machines (VMs) and virtual networking devices)
- Third-party support staff or systems

Our Approach

This Product Applicability Guide (PAG) is intended to provide information for all security and compliance practitioners on Tevora’s recommended usage of the VMware technical stack to address regulatory compliance obligations and enhance the security of their services through the security and compliance framework of PCI DSS. It is up to each organization to identify how their compliance will be stated and the expanse of their CDE. The PAG focuses on capabilities of the SDDC product and VMware Cloud at the requirement level. A technical whitepaper, to be released later, will compile information gathered within this PAG and apply it to each individual PCI DSS requirement and their underlying controls.

Appendix B outlines specific product capabilities for SDDC and VMware Cloud, and their alignment to PCI DSS requirements.

In addition to the PCI DSS standard requirements, eleven (11) security lenses were used to serve as a baseline to evaluate SDDC and VMware Cloud products. From the ground up, VMware strives to design, define, and deliver compliance solutions to customers. The compliance solution begins with a compliance context (e.g., requirements from the appropriate standards in question). Next, the technical requirements applicable to the VMware products are mapped to in-scope compliance requirements. Finally, an independent audit evaluation of the design is conducted. The output is a solution that has interwoven compliance requirements into the end solution available to customers. Below is an overview of this process.

Exhibit 1: VMware Compliance Solutions Regulatory Controls Mapping

Outside of the process described above, these eleven (11) areas are broad categories of controls that are implemented within today’s security programs. They can be used to further understand the broader technology concepts used to build security architectures and to implement controls to mitigate risks.

The eleven (11) security lenses include:

- Automated Security
- System Hardening
- Compliance Validation
- System Access
- Data Segmentation
- System Monitoring
- Data Encryption & Protection
- Network Protection
- Endpoint Protection
- Trusted Execution/Secure Boot
- Software Development Lifecycle (SDLC)

Evaluating the SDDC and VMware Cloud through the additional layer of security lenses helps security and compliance practitioners understand how products deliver the features required not only to support compliance with the PCI DSS standard but also to comport with general security best practices.

Tevora reviewed the high-level product design, followed by a detailed examination of data flows, features, architectures, and capabilities across all in-scope products to identify applicable controls. The testing considered all potential configurations that allow SDDC products to support each requirement.

This guide provides executives, technology experts, and security and compliance practitioners with insight to enhance security and compliance postures using VMware products. The SDDC’s flexibility in feature deployment allows for connection with preexisting systems to further fortify security, privacy, and compliance. Understanding this flexibility is key to then understanding how VMware products can be deployed with continuous compliance in mind.

Exhibit 2: Percentage of SDDC Products that are capable of meeting the PCI DSS (v. 3.2.1) controls.

In-Scope VMware Product List

Software-Defined Data Center (SDDC)

VMware ESXi 6.0, 6.5, 6.7 – ESXi is a purpose-built bare-metal hypervisor that installs directly onto a physical server. With direct access to and control of underlying resources, ESXi is more efficient than hosted architectures and can effectively partition hardware to increase consolidation ratios and cut costs for customers.

VMware v
