A VMware Cloud Foundation (VCF) platform has been commissioned, and lines of business are requesting approved virtual machine applications via the platform's integrated automation portal. The platform was built following all provided company security guidelines and has been assessed against Sarbanes-Oxley Act of 2002 (SOX) regulations. The platform has the following characteristics:
One Management Domain with a single cluster, supporting all management services with all network traffic handled by a single Distributed Virtual Switch (DVS).
A dedicated VI Workload Domain with a single cluster for all line of business applications.
A dedicated VI Workload Domain with a single cluster for Virtual Desktop Infrastructure (VDI).
Aria Operations is being used to monitor all clusters.
VI Workload Domains are using a shared NSX instance.
An application owner has asked for approval to install a new service that must be protected as per the Payment Card Industry (PCI) Data Security Standard, which is going to be verified by a third-party organization. To support the new service, which additional non-functional requirement should be added to the design?
In VMware Cloud Foundation (VCF) 5.2, non-functional requirements define how the system operates (e.g., security, performance), not what it does. The new service must comply with PCI DSS, a standard for protecting cardholder data, and the design must reflect this. The platform is already SOX-compliant, and the question seeks an additional non-functional requirement to support PCI compliance. Let's evaluate:
Option A: The VCF platform and all PCI application virtual machines must be monitored using the Aria Operations Compliance Pack for Payment Card Industry
This is correct. PCI DSS requires continuous monitoring and auditing (e.g., Requirement 10). The Aria Operations Compliance Pack for PCI provides pre-configured dashboards, alerts, and reports tailored to PCI DSS, ensuring the VCF platform and PCI VMs meet these standards. This is a non-functional requirement (monitoring quality), leverages existing Aria Operations, and directly supports the new service's compliance needs, making it the best addition.
Option B: The VCF platform and all PCI application virtual machines must be assessed for SOX compliance
This is incorrect. The platform is already SOX-compliant, as stated. SOX (financial reporting) and PCI DSS (cardholder data) are distinct standards. Reassessing for SOX doesn't address the new service's PCI requirement and adds no value to the design for this purpose.
Option C: The VCF platform and all PCI application virtual machine network traffic must be routed via NSX
This is incorrect as a new requirement. The VI Workload Domains already use a shared NSX instance, implying NSX handles network traffic (e.g., overlay, security policies). PCI DSS requires network segmentation (Requirement 1), which NSX already supports. Adding this as a "new" requirement is redundant since it's an existing characteristic, not an additional need.
Option D: The VCF platform and all PCI application virtual machines must be assessed against Payment Card Industry Data Security Standard (PCI DSS) compliance
This is a strong contender but incorrect as a non-functional requirement. Assessing against PCI DSS is a process or action, not a quality of the system's operation. Non-functional requirements specify ongoing attributes (e.g., "must be secure," "must be monitored"), not one-time assessments. While PCI compliance is the goal, this option is more a project mandate than a design quality.
Conclusion:
The additional non-functional requirement to support the new PCI-compliant service is A: monitoring via the Aria Operations Compliance Pack for PCI. This ensures ongoing compliance with PCI DSS monitoring requirements, integrates with the existing VCF design, and qualifies as a non-functional attribute in VCF 5.2.
VMware Cloud Foundation 5.2 Architecture and Deployment Guide (Section: Aria Operations Compliance Packs)
VMware Aria Operations 8.10 Documentation (integrated in VCF 5.2): PCI Compliance Pack
PCI DSS 3.2.1 (Requirements 1, 10: Network Segmentation and Monitoring)