Compliance VMware Cloud on AWS

Introducing PCI Compliance for VMware Cloud on AWS

Payment Card Industry (PCI) Data Security Standards (DSS) protect the safety of cardholder data by specifying both technical and operational requirements for all businesses that are involved with accepting or processing payments. All IT systems that process, store, or transmit cardholder data, including hardware and infrastructure layers, must undergo rigorous auditing to achieve PCI compliant status. Only after satisfying all PCI requirements, will an Attestation of Compliance (AOC) be given to the company.

VMware Cloud on AWS now offers PCI DSS compliant SDDCs that can drastically simplify the tasks to achieve and maintain PCI DSS compliance. VMware Cloud on AWS achieved Certified PCI DSS 3.2.1 Level 1 Service Provider status, confirmed by AOC available for download here. Running PCI DSS compliant workloads on public cloud depends on a strict concept of separation of duties. The Shared responsibility model dictates distinct responsibilities for each of the three parties involved: Customer, VMware, and AWS. It’s important to mention that according to the model and PCI DSS requirements customers are ultimately responsible for successfully achieving and maintaining PCI compliance of their workloads.

PCI DSS Shared responsibility model

PCI Compliant SDDC

VMware Cloud on AWS implementation of PCI DSS compliant SDDC is based on the shared responsibility model and includes the following high-level steps to be performed by Customers:

– Deploy a new VMware Cloud on AWS SDDC as usual on the PCI DSS enabled VMware Cloud on AWS Organization.

You will need to contact VMware to enable this feature for your Organization and use a PCI DSS enabled AWS Region for the deployment of the SDDC. The first enabled regions are US East (N. Virginia), US West (Oregon), and Europe (Ireland). We keep adding new AWS Regions to the list.

– Configure your SDDC, including network connections, firewall policies and rules, etc.

It is important that you can access the private IP range of the management subnet. For example, if vCenter server and NSX managers are deployed using network, your route configuration and firewall rules should allow access to the endpoints in this subnet.

– Migrate the applications that are in scope for PCI DSS to the SDDC.

You can deploy VMware HCX (HCX) and use it for workload migration and network extension. It is important to mention that you are required to disable HCX once you harden the SDDC for any production PCI DSS compliant workload.

– Harden your SDDC for PCI DSS compliance.

This is a new and compliance specific step in the configuration flow for your SDDC. VMware has identified selected SDDC components as being non-PCI DSS compliant. You must disable all of them before starting your PCI DSS audit. At the time of writing the list of components includes:

  • SDDC Add-Ons – VMware HCX, Site Recovery, vRealize Automation Cloud.
  • Network & Security Tab in your SDDC

Note: The list is subject to change in the future releases.

The Settings Tab in the SDDC management console includes the new Component control section providing you with the options to disable Add-ons and Networking & Security Tab.

Enabling PCI DSS Compliance for SDDC

If you enabled some of the Add-Ons before (for example, HCX to facilitate the migration) you would need to uninstall the Add-on before disabling it.

In addition to that, you need to make changes to the Networking & Security tab. To facilitate PCI DSS requirements, you need to exclusively use the local NSX Manager UI in your SDDC. The local NSX manager UI offers you the same look and feel for the networking configuration as the Networking & Security tab in your SDDC. You have access to all networking and security features just from the separate UI.

Local NSX Manager UINote: Local NSX Manager UI is only accessible via the private management subnet. Make sure to allow network access to the local NSX Manager UI before disabling the tab. Failure to configure network connectivity to the local NSX Manager correctly would prevent you from managing the networking configuration for your SDDC.

After hardening your SDDC for PCI DSS Compliant you can start preparing your applications for the audit. VMware and AWS take care of the underlying infrastructure allowing you to focus just on the workload.

To learn more about PCI Compliance on VMware Cloud on AWS, check out the resources below:

For other information related to VMware Cloud on AWS, here are some more learning resources for you: