Saturday, November 27, 2010

PCI Compliance: Who Manages What?

Nathan Hatch is President and CEO of C7 Data Centers, a privately held company focused on providing high-value data center solutions for colocation, disaster recovery, data backup and virtualization.
Nathan Hatch, C7 Data Centers
Potential data center customers often ask data center operators if they are “PCI Compliant.” There has been some confusion surrounding the answer to this question. Data center providers normally do not have anything to do with their customer’s sensitive information handling procedures. To clarify and answer the PCI question, let’s discuss the responsibilities of the data center and the responsibilities of the merchant or service provider (data center customer).
What exactly is PCI compliance?
PCI DSS is an abbreviation for PCI Data Security Standard, the worldwide information security standard set by the Payment Card Industry Security Standards Council to help control and minimize points of risk of fraud or compromise of sensitive information. PCI Compliance is the adherence of the policies and procedures by which your business handles information to the PCI DSS standard.
For a company (service provider or merchant) that is hosted in a data center to be PCI Compliant, it must restrict its information handling procedures to the PCI DSS requirements, and have an attestation of that compliance.
These principles and requirements are found on the About the PCI Data Security Standard (PCI DSS) page on the PCI Security Standards Council website.
The PCI Security Standards Council, LLC has provided a PCI DSS New Self-Assessment Questionnaire (SAQ) Summary v1.2 to determine which self-assessment questionnaire (SAQ) is appropriate for your company.
A data center provides facilities for companies and merchants to house servers as they conduct their business. In that capacity, the data center provider has specific responsibilities under PCI DSS. A merchant or company that is located within a PCI Compliant data center is not automatically PCI Compliant. Each merchant or company claiming PCI Compliance must have and be able to provide its own attestation of compliance, detailing its sensitive information procedures as they follow the PCI standard.
Data centers are required to fill out the portions of the SAQ self-assessment that apply, and to provide a “Not Applicable” or “Compensating Control Used” explanation in the Appendix of the SAQ. As an example, let’s look at a sample of the PCI requirements.
In addition, as per the SAQ Validation Type 5, SAQ: v1.2 D:
“The questions for Requirements 9.1-9.4 only need to be answered for facilities with ‘sensitive areas’ as defined here. ‘Sensitive areas’ refers to any data center, server room or any area that houses systems that store, process, or transmit cardholder data. This excludes the area where only point of sale terminals are present, such as the cashier areas in a retail store.”
The following questions are the specific listed Requirements 9.1-9.4 for data centers:
  • 9.1 Are appropriate facility entry controls in place to limit and monitor physical access to systems in the cardholder data environment?
  • 9.1.1.a Do video cameras or other access-control mechanisms monitor individual physical access to sensitive areas?
  • 9.1.1.b Is data collected from video cameras reviewed and correlated with other entries?
  • 9.1.1.c Is data from video cameras stored for at least three months, unless otherwise restricted by law?
  • 9.1.2 Is physical access to publicly accessible network jacks restricted?
  • 9.1.3 Is physical access to wireless access points, gateways, and handheld devices restricted?
  • 9.2 Are procedures in place to help all personnel easily distinguish between employees and visitors, especially in areas where cardholder data is accessible?
  • 9.3 Are all visitors handled as follows:
  • 9.3.1 Authorized before entering areas where cardholder data is processed or maintained?
  • 9.3.2 Given a physical token (for example, a badge or access device) that expires and that identifies the visitors as non-employees?
  • 9.3.3 Asked to surrender the physical token before leaving the facility or at the date of expiration?
  • 9.4.a Is a visitor log in use to maintain a physical audit trail of visitor activity?
  • 9.4.b Are the visitor’s name, the firm represented, and the employee authorizing physical access documented on the log?
  • 9.4.c Is visitor log retained for a minimum of three months, unless otherwise restricted by law?
The responsibilities for merchants and companies that process sensitive information and that are located in a data center, per the SAQ Validation, are summarized as follows:
Build and Maintain a Secure Network
A. Install and maintain a firewall configuration to protect cardholder data
B. Do not use vendor-supplied defaults for system passwords and other security parameters
Protect Cardholder Data
A. Protect stored cardholder data
B. Encrypt transmission of cardholder data across open, public networks
Maintain a Vulnerability Management Program
A. Use and regularly update anti-virus software or programs
B. Develop and maintain secure systems and applications
Implement Strong Access Control Measures
A. Restrict access to cardholder data by business need-to-know
B. Assign a unique ID to each person with computer access
C. Restrict physical access to cardholder data
Regularly Monitor and Test Networks
A. Track and monitor all access to network resources and cardholder data
B. Regularly test security systems and processes
Maintain an Information Security Policy
A. Maintain a policy that addresses information security for employees and contractors
Additional PCI DSS Requirements for Shared Hosting Providers
A. Shared hosting providers must protect the cardholder data environment
Working with each customer, data center providers can ensure a safe, compliant and successful hosting experience. Knowing and understanding what PCI compliance is and who is responsible for which parts will lead to even more success for all involved in the process.
Industry Perspectives is a content channel at Data Center Knowledge highlighting thought leadership in the data center arena. See our guidelines and submission process for information on participating in Industry Perspectives.

Friday, November 26, 2010

PCI Compliant Web Hosting

There’s a set of “requirements” called the Payment Card Industry Data Security Standard (PCI DSS) that was developed by the PCI SSC, the Payment Card Industry Security Standards Council.
I first heard of these “requirements” in the bar on the last day at Pubcon Vegas 2008, where someone said “Trust me, you’d BETTER learn about it, because they’ll make your life miserable if you don’t…”, and they were sure right.
In 2009 one of my long-time consulting clients actually began GETTING FINED by their processor for not being PCI compliant.
At first the fine was about $40 monthly, but that quickly mushroomed, and all of a sudden, they were told that it was several hundred dollars a month.
We changed shopping carts, then worked with the web host, and all was finally resolved, but it took four months and several thousand dollars. Can you afford that unexpectedly?
Before you ask “who has the authority to fine them?” you should know that in their case it was called a “fee” and not a “fine” and it was imposed by their middleman transaction processor, not Authorize.net or their bank.
The official “power” to impose that fee is actually non-existent and totally arbitrary, sort of like Blockbuster charging a late fee – because they can.
Get On Top of PCI Compliance NOW
It likely won’t be long before EVERYONE that will process the credit card you take on your website will have to decline your business transactions, and this will put you out of business.
This is simply designed to provide a standardized set of consistent security measures for merchants handling credit card transactions to follow – i.e., it’s for our own good.
Yes, it’s going to be a pain in the ass to get compliant, but it’s not nearly as bad as trying to recover funds from fraudulent transactions that get reversed after you have shipped or delivered your product, is it?
Worse, will it be as bad as finding out that not only are you being charged a “fee” but in fact, your bank will no longer accept your transactions?
All you have to do is check your site with a vulnerability scanner for PCI Compliance. There are a number of them out there, and your bank should offer one to you soon, if they haven’t already.
In some situations, you may find the need to move to a web hosting platform that claims compliance and is willing to offer a statement about it, and here’s our statement…

Point-to-Point Encryption – Sound Familiar?

We have highlighted a number of technologies in this blog that help achieve PCI compliance. The latest technology that should be in your IT security team’s bag of tricks is point-to-point encryption (P2PE).
This new technology may sound strangely familiar. And it should. Does end-to-end encryption ring a bell? In early October 2010, the PCI Security Standards Council announced a new moniker for end-to-end encryption, switching the language to point-to-point encryption, with the hope that the new name would offer clearer guidance on this technology.
The new point-to-point encryption naming concept also came with a new roadmap designed for merchants, acquirers, processors, vendors and QSAs. The new roadmap offers guidance on what businesses should look for when purchasing encryption technology to protect credit cardholder data as it is authorized and transported into a database. (However, P2PE is not designed to address card data storage. For those merchants that require storing sensitive data, tokenization is a good solution, where card data is returned in the form of tokens rather than the actual data.)
P2PE, properly implemented, should reduce a merchant’s PCI scope. Once the card is swiped, the data is encrypted, and remains so until it reaches its destination. Decryption is not possible anywhere between the point of encryption and the final destination, because only the P2PE provider holds the key needed to decrypt the data. This makes P2PE technology ideal for those retailers that have no need to retain card data.
A follow-up paper on point-to-point encryption from the PCI SSC is scheduled for 2011, which will expand upon their P2PE recommendations.
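An added example in Go, not code from this post or from any P2PE vendor, of the scope-reduction property described above: the reader encrypts track data to a key that only the provider holds, the merchant's systems can only relay an opaque blob, and the provider decrypts on its own side and returns a token in place of the card data. The RSA-OAEP scheme, the `Provider` type and the test card number are assumptions made for the illustration.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/hex"
)

// TerminalEncrypt models the reader at swipe time: the ciphertext it returns is
// the only thing that crosses the merchant's network, and without the provider's
// private key it yields no PAN, which is what takes those systems out of scope.
// Hypothetical scheme (RSA-OAEP over the track data; real readers use DUKPT keys).
func TerminalEncrypt(pub *rsa.PublicKey, track string) ([]byte, error) {
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, []byte(track), nil)
}

// Provider holds the only private key and the token vault, so decryption can
// happen nowhere between the swipe and here.
type Provider struct {
	Priv  *rsa.PrivateKey
	Vault map[string]string // token -> track data; never leaves the provider
}

// NewProvider generates the provider's RSA key pair of the given modulus size.
func NewProvider(bits int) (*Provider, error) {
	priv, err := rsa.GenerateKey(rand.Reader, bits)
	if err != nil {
		return nil, err
	}
	return &Provider{Priv: priv, Vault: map[string]string{}}, nil
}

// Authorize decrypts inside the provider and returns a token in place of the
// card data. A blob encrypted to any other key fails the OAEP check and is rejected.
func (p *Provider) Authorize(ciphertext []byte) (string, error) {
	pt, err := rsa.DecryptOAEP(sha256.New(), nil, p.Priv, ciphertext, nil)
	if err != nil {
		return "", err
	}
	b := make([]byte, 8)
	if _, err := rand.Read(b); err != nil {
		return "", err
	}
	tok := "tok_" + hex.EncodeToString(b)
	p.Vault[tok] = string(pt)
	return tok, nil
}
```

The merchant stores and later charges against the returned token; the token-to-card mapping exists only in the provider's vault.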