Nathan Hatch is President and CEO of C7 Data Centers, a privately held company focused on providing high-value data center solutions for colocation, disaster recovery, data backup and virtualization.
C7 Data Centers
Potential data center customers often ask data center operators if they are “PCI Compliant.” There has been some confusion surrounding the answer to this question. Data center providers normally do not have anything to do with their customer’s sensitive information handling procedures. To clarify and answer the PCI question, let’s discuss the responsibilities of the data center and the responsibilities of the merchant or service provider (data center customer).
What exactly is PCI compliance?
PCI DSS is an abbreviation for PCI Data Security Standard, the worldwide information security standard set by the Payment Card Industry Security Standards Council to help control and minimize points of risk to fraud or compromise of sensitive information. PCI Compliance is an adherence of the policies and procedures that your business handles information to the PCI DSS standard.
For a company (service provider or merchant) that is hosted in a data center to be PCI Compliant, it must restrict its information handling procedures to the PCI DSS requirements, and have an attestation of that compliance.
These principles and requirements are found on the About the PCI Data Security Standard (PCI DSS) page on the PCI Security Standards Council website.
The PCI Security Standards Council, LLC has provided a PCI DSS New Self-Assessment Questionnaire (SAQ) Summary v1.2 to determine which self-assessment questionnaire (SAQ) is appropriate for your company.
A data center provides facilities for companies and merchants to house servers as they conduct their business. In that capacity, the data center provider has specific responsibilities that must follow PCI Compliance. A merchant or company that is located within a PCI Compliant data center is not automatically PCI Compliant. Each merchant or company claiming PCI Compliance must have and be able to provide their own attestation of compliance, detailing their sensitive information procedures as they follow the PCI standard.
Data centers are required to fill out the portions of the SAQ self-assessment that apply, and to provide a “Not Applicable” or “Compensating Control Used” explanation in the Appendix of the SAQ. As an example let’s look at a sample of the PCI requirements.
In addition, as per the SAQ Validation Type 5, SAQ: v1.2 D:
“The questions for Requirements 9.1-9.4 only need to be answered for facilities with ‘sensitive areas’ as defined here. ‘Sensitive areas’ refers to any data center, server room or any area that houses systems that store, process, or transmit cardholder data. This excludes the area where only point of sale terminals are present, such as the cashier areas in a retail store.”
The following questions are the specific listed Requirements 9.1-9.4 for data centers:
- 9.1 Are appropriate facility entry controls in place to limit and monitor physical access to systems in the cardholder data environment?
- 9.1.1.a Do video cameras or other access-control mechanisms monitor individual physical access to sensitive areas?
- 9.1.1.b Is data collected from video cameras reviewed and correlated with other entries?
- 9.1.1.c Is data from video cameras stored for at least three months, unless otherwise restricted by law?
9.1.2 Is physical access to publicly accessible network jacks restricted?
- 9.1.3 Is physical access to wireless access points, gateways, and handheld devices restricted?
- 9.2 Are procedures in place to help all personnel easily distinguish between employees and visitors, especially in areas where cardholder data is accessible?
- 9.3 Are all visitors handled as follows:
- 9.3.1 Authorized before entering areas where cardholder data is processed or maintained?
- 9.3.2 Given a physical token (for example, a badge or access device) that expires and that identifies the visitors as non-employees?
- 9.3.3 Asked to surrender the physical token before leaving the facility or at the date of expiration?
- 9.4.a Is a visitor log in use to maintain a physical audit trail of visitor activity?
- 9.4.b Are the visitor’s name, the firm represented, and the employee authorizing physical access documented on the log?
- 9.4.c Is visitor log retained for a minimum of three months, unless otherwise restricted by law?
The responsibilities for merchants and companies that process sensitive information and that are located in a data center, per the SAQ Validation, are summarized as follows:
Build and Maintain a Secure Network
A. Install and maintain a firewall configuration to protect cardholder data
B. Do not use vendor-supplied defaults for system passwords and other security parameters
Protect Cardholder Data
A. Protect stored cardholder data
B. Encrypt transmission of cardholder data across open, public networks
Maintain a Vulnerability Management Program
A. Use and regularly update anti-virus software of programs
B. Develop and maintain secure systems and applications
Implement Strong Access Control Measures
A. Restrict access to cardholder data by business need-to-know
B. Assign a unique ID to each person with computer access
C. Restrict physical access to cardholder data
Regularly Monitor and Test Networks
A. Track and monitor all access to network resources and cardholder data
B. Regularly test security systems and processes
Maintain an Information Security Policy
A. Maintain a policy that addresses information security for employees and contractors
Additional PCI DSS Requirements for Shared Hosting Providers
A. Shared hosting providers must protect cardholder data environment
Working with each customer data center providers can ensure a safe, compliant and successful hosting experience. Knowing and understanding what PCI compliance is and who is responsible for which parts will lead to even more success for all involved in the process.
Industry Perspectives is a content channel at Data Center Knowledge highlighting thought leadership in the data center arena. See our guidelines and submission process for information on participating. View previously published Industry Perspectives in our Knowledge Library.