Posted By Industry Perspectives On April 6, 2010 @ 7:12 am In Industry Perspectives
Nathan Hatch is President and CEO of C7 Data Centers, a privately held company focused on providing high-value data center solutions for colocation, disaster recovery, data backup and virtualization.
Potential data center customers often ask data center operators if they are “PCI Compliant.” There has been some confusion surrounding the answer to this question. Data center providers normally do not have anything to do with their customer’s sensitive information handling procedures. To clarify and answer the PCI question, let’s discuss the responsibilities of the data center and the responsibilities of the merchant or service provider (data center customer).
What exactly is PCI compliance?
PCI DSS is an abbreviation for PCI Data Security Standard, the worldwide information security standard set by the Payment Card Industry Security Standards Council to help control and minimize points of risk for fraud or compromise of sensitive information. PCI Compliance means that the policies and procedures by which your business handles information adhere to the PCI DSS standard.
For a company (service provider or merchant) that is hosted in a data center to be PCI Compliant, it must bring its information handling procedures into line with the PCI DSS requirements and have an attestation of that compliance.
These principles and requirements are found on the About the PCI Data Security Standard (PCI DSS) page on the PCI Security Standards Council website.
The PCI Security Standards Council, LLC has provided a PCI DSS New Self-Assessment Questionnaire (SAQ) Summary v1.2 to determine which self-assessment questionnaire (SAQ) is appropriate for your company.
A data center provides facilities for companies and merchants to house servers as they conduct their business. In that capacity, the data center provider has specific responsibilities under PCI DSS. A merchant or company that is located within a PCI Compliant data center is not automatically PCI Compliant. Each merchant or company claiming PCI Compliance must have, and be able to provide, its own attestation of compliance, detailing how its sensitive information procedures follow the PCI standard.
Data centers are required to fill out the portions of the SAQ self-assessment that apply, and to provide a “Not Applicable” or “Compensating Control Used” explanation in the Appendix of the SAQ. As an example, let’s look at a sample of the PCI requirements.
In addition, as per the SAQ Validation Type 5, SAQ: v1.2 D:
“The questions for Requirements 9.1-9.4 only need to be answered for facilities with ‘sensitive areas’ as defined here. ‘Sensitive areas’ refers to any data center, server room or any area that houses systems that store, process, or transmit cardholder data. This excludes the area where only point of sale terminals are present, such as the cashier areas in a retail store.”
The following questions are the specific listed Requirements 9.1-9.4 for data centers:
The responsibilities for merchants and companies that process sensitive information and that are located in a data center, per the SAQ Validation, are summarized as follows:
Build and Maintain a Secure Network
A. Install and maintain a firewall configuration to protect cardholder data
B. Do not use vendor-supplied defaults for system passwords and other security parameters
Protect Cardholder Data
A. Protect stored cardholder data
B. Encrypt transmission of cardholder data across open, public networks
Maintain a Vulnerability Management Program
A. Use and regularly update anti-virus software or programs
B. Develop and maintain secure systems and applications
Implement Strong Access Control Measures
A. Restrict access to cardholder data by business need-to-know
B. Assign a unique ID to each person with computer access
C. Restrict physical access to cardholder data
Regularly Monitor and Test Networks
A. Track and monitor all access to network resources and cardholder data
B. Regularly test security systems and processes
Maintain an Information Security Policy
A. Maintain a policy that addresses information security for employees and contractors
Additional PCI DSS Requirements for Shared Hosting Providers
A. Shared hosting providers must protect the cardholder data environment
By working with each customer, data center providers can ensure a safe, compliant and successful hosting experience. Knowing and understanding what PCI compliance is, and who is responsible for which parts, will lead to even more success for all involved in the process.
Industry Perspectives is a content channel at Data Center Knowledge highlighting thought leadership in the data center arena. See our guidelines and submission process for information on participating. View previously published Industry Perspectives in our Knowledge Library.
Article printed from Data Center Knowledge: http://www.datacenterknowledge.com
URL to article: http://www.datacenterknowledge.com/archives/2010/04/06/pci-compliance-who-manages-what/
URLs in this post:
 C7 Data Centers: http://www.c7dc.com/
 About the PCI Data Security Standard (PCI DSS): https://www.pcisecuritystandards.org/security_standards/pci_dss.shtml
 PCI DSS New Self-Assessment Questionnaire (SAQ) Summary v1.2: https://www.pcisecuritystandards.org/saq/instructions_dss.shtml
 guidelines and submission process: http://www.datacenterknowledge.com/industry-perspectives-thought-leadership/
 Knowledge Library: http://www.datacenterknowledge.com/previously-published-industry-perspectives/
 Industry Perspectives: http://www.datacenterknowledge.com/archives/author/industryp/