VMware PCI DSS 3.2.1 Product Applicability Guide


This Product Applicability Guide (PAG) will provide an evaluation of VMware products that make up and support the Software-Defined Data Center (SDDC), and how they may support the Payment Card Industry Data Security Standard, v3.2.1 (PCI DSS/PCI) controls. These products virtualize and abstract the physical technology layers such as compute, storage, and network, the essence of an SDDC. The changing technology landscape that is modernizing the data center is also modernizing the virtual desktop environment and mobile device management while making inroads to consolidate and automate Information Technology (IT) resources. VMware prioritizes data protection and system security features within the SDDC.

The VMware Compliance Solutions team developed a framework that incorporates SDDC product capabilities aligned to PCI DSS controls. The product capabilities and framework of this PAG used NIST 800-53 as their foundational security framework to create a series of standards. These standards have then been used to illustrate how VMware products and their capabilities apply to other industry frameworks such as NIST 800-171 and PCI DSS.

VMware engaged Tevora, an independent third-party IT audit firm, to conduct a review of the SDDC and VMware Cloud™ solution’s alignment to PCI DSS. This document is the culmination of Tevora’s discussions with VMware product teams to perform a thorough evaluation of VMware product capabilities mapped to PCI DSS requirements.

This guidance evolves. Please check back for the the latest versions.


This Product Applicability Guide is available as a download:



Filter Tags

Compliance Cloud Foundation Cloud Foundation 4 Document Best Practice Intermediate