Local PCI Control Mode

All virtual machines (VMs) in the CDE are deployed on a dedicated set of hardware, segmented from non-CDE systems. Ensure that the following Zerto components are included on this dedicated hardware and that the relevant PCI controls are implemented for each:

Zerto Virtual Manager (ZVM): The ZVM is a Windows service that manages everything required for replication between the protected and recovery sites, except for the actual replication of data. The ZVM must be deployed on a VM running on the dedicated hardware. Access to the ZVM requires access to the Windows machine running this service, so it relies on the authentication, authorization, and security mechanisms provided by Microsoft. All communication between Zerto Virtual Managers and hypervisor management tools, such as VMware vCenter Server or Microsoft SCVMM, is secured using either HTTPS or SSH.

Zerto Virtual Replication Appliances (VRAs): VRAs are virtual machines installed on each host that runs virtual machines to be protected or recovered. They manage the replication of data from protected virtual machines to the recovery site. The VRAs are deployed on hosts running on the dedicated hardware and are therefore subject to the same PCI controls as those hosts. The VRAs are hardened virtual appliances and must be deployed according to Zerto's hardening and security guidelines.

Virtual Backup Appliance (VBA): A Windows service that manages File Level Recovery operations within Zerto Virtual Replication.

Zerto Diagnostics utility: The Zerto Diagnostics utility can collect logs from Zerto components, as well as from hosts and hypervisor management tools, such as VMware vCenter Server or Microsoft SCVMM, where either VRAs or ZVMs run. As such, the Zerto Diagnostics utility must comply with section 10 of the PCI DSS, which defines logging requirements. This requirement is met because the Zerto Diagnostics utility does not collect any data that originated from VMs in the CDE. Zerto recommends that access to the logs produced by the utility be safeguarded by storing the logs in a protected location, for example, on the machine hosting the ZVM.

Zerto APIs and PowerShell cmdlets: Both the Zerto APIs and the PowerShell cmdlets are executed by the ZVM and therefore have the same level of protection as the ZVM itself.

VMs protected by Zerto must be recoverable to hosts on the recovery site that are also deployed on dedicated hardware with the relevant PCI controls implemented. Likewise, all Zerto components (ZVM, VRAs, etc.) on the recovery site must be deployed with the relevant PCI controls implemented.