A common question that organizations pose to the HOSTING team is, “What are some of the requirements for a PCI compliant hosting data center?” Many cloud service providers claim to have PCI compliant hosting data centers, but fall short of meeting all of the requirements as prescribed by the Payment Card Industry Data Security Standard (PCI DSS). Following is a partial list of key PCI audited data center requirements.
3.1.2 PCI Audited Data Center Requirements
The following PCI compliant data center requirements are the foundation for the security and availability of critical data and applications. When evaluating potential PCI compliant hosting providers, be sure they can provide the following:
22.214.171.124 – Third-party independent PCI DSS Audit Report
Any cloud provider that claims to offer PCI compliant hosting services should readily produce a copy of their audit report(s) to show that they are following policies and procedures as outlined by PCI DSS. The CSP’s audit report should detail the controls they implement to meet the 12 PCI DSS requirements.
Read our blog post, PCI Compliance Audits Don’t Have to Be Scary, for a list of 12 high-level requirements on the PCI compliance checklist.
For a cloud hosting provider that outsources storage, processing or transmission of cardholder data to a third-party service provider, the Report on Compliance (ROC) must list the role of each service provider. It should also detail which PCI requirements apply to the cloud provider and which apply to the third-party service provider.
Keep in mind that the customer also has responsibility for adhering to some of these requirements – either on their own, or in collaboration with the cloud hosting provider. It’s up to the customer to make sure that all requirements are being met on both sides.
126.96.36.199. PCI Audited Staff and Documented Security Policies
As we emphasized in our recent webinar, 4 Hidden Cloud Security Costs and Risks, people, processes and culture play a significant role in cloud security. Organizations should carefully review the details related to security controls in the cloud provider’s audit reports. Pay attention to their security policies and the role they play in their day-to-day operations. The cloud provider’s policies should also take into account any security updates and policy changes, especially if significant changes occur within the company (e.g., layoffs, acquisitions, etc.).
All staff working in a PCI compliant hosting data center should be trained in handling cardholder data in a secure manner. They should also have regular training on how to maintain a secure PCI compliant hosting data center. Finally, they should be trained on how to respond to a cyberattack or security breach.
188.8.131.52. Data Center Security
PCI compliant data centers have a three-pronged security approach:
- Physical security – this means that only authorized personnel have “as needed” access to the physical components of a data center including server racks, suite and cages.
- Environmental security – key elements include 24 x 7 monitoring, video surveillance and multi-factor authentication such as key card and biometric hand scans. Companies should also ask to see the specific requirements cloud hosting providers have on allowing visitors into their data centers or facilities that contain cardholder data.
- Network security – the should protect sensitive infrastructure such as managed dedicated servers, cloud servers and power and network infrastructure by restricting access to an “as-needed” basis. Companies should keep in mind that their PCI compliant cloud hosting provider should never need, nor ask for, access to cardholder data.
Contact the HOSTING team of certified information security and compliance experts anytime to review the full list of PCI compliant hosting requirements with you. And view our on-demand webinar, Securing PCI Data in the Cloud, for more information.