Below are some basic questions you may ask while evaluating PCI DSS-compliant cloud hosting service providers:
Understanding PCI DSS Compliance
The Payment Card Industry Data Security Standards (PCI DSS) are serious business, and the risk associated with noncompliance is great.
PCI DSS is an international standard created and maintained by the PCI Security Standards Council (SSC), which represents the major card brands (American Express, Discover Financial Services, JCB International, MasterCard, Visa Europe and Visa Inc.). Non-compliance with the PCI security standards developed by the SSC carries stiff penalties of between $5,000 and $100,000 per month.
The PCI DSS requirements span operational procedures and technical engineering. Covering security processes and infrastructure, DSS 2.0 contains 289 controls that must be met, and DSS 3.0 contains still more. The individual sub-controls alone are a potential challenge for many organizations. Given its scope, complying with PCI DSS requires considerable resources and time. That’s where we can help.
Who Needs PCI DSS Hosting?
Any entity that accepts, stores, processes or transmits cardholder data (associated with most globally issued payment cards, including credit, debit, store and company purchasing cards that carry the logo of a PCI brand member) is subject to PCI DSS.
From an organizational perspective, failure to comply with PCI DSS can result in hefty fines, and potentially, the loss of the ability to process credit cards.
PCI compliance is imperative, especially for networks that contain personal information about customers/patients and employees. Any breach of security can have implications beyond the breached company, leading to financial loss, damaged reputations, and a loss of clients and business.
What Does It Mean To Be a PCI DSS Compliant Hosting Provider?
AISN is routinely and extensively audited by a qualified, independent third party, KirkpatrickPrice, who then certifies our compliance with PCI DSS. In security terms, our status as a provider of PCI DSS-compliant hosting means that we adhere to the PCI DSS requirements for security management, policies, procedures, network architecture, software design and other critical protective measures.
From an operational standpoint, it means that we’re actively ensuring that your customers’ payment card data is protected and safe throughout every transaction. It’s important to remember that hosting in AISN’s PCI DSS-compliant environment does not make your entire organization automatically PCI-compliant – only your hosted environment.
The PCI DSS Specifies 12 Requirements for Compliance. Can AISN Help With These?
Yes, AISN can help with all 12. These 12 high-level requirements for compliance, which have not changed since the inception of the standard, are organized into six logically related “control objectives.” The 12 requirements are then broken down into numerous and complex sub-requirements. Some of the requirements are the responsibility of the service provider, some are the responsibility of the client, and still others represent a shared responsibility between the client and service provider.
Since each environment that we engineer is unique and fully customized to the client’s needs, let’s get a conversation started about how AISN can help you with your unique needs, including data backup and disaster recovery.
| Objective | Requirement | Can AISN Help? |
|---|---|---|
| Build and Maintain a Secure Network. Where transactions can be conducted, including the use of effective firewalls and the ability for customers to conveniently and frequently change personal, sensitive authentication data such as passwords and personal identification numbers. | Install and maintain a firewall configuration to protect cardholder data. | Yes. Ask about our managed firewall and router configuration standards. |
| | Do not use vendor-supplied defaults for system passwords and other security parameters. | Yes. Ask about our secure remote administrative access, hardened operating systems, network scanning and vulnerability assessments. |
| Protect Cardholder Data. Ensure that cardholder information is protected wherever it is stored, including the digital encryption of data for all forms of credit-card transactions, especially e-commerce. | Protect stored cardholder data. | Yes. Nearly all of the responsibility here is on the client, but let’s discuss how the secure data disposal responsibility is shared. |
| | Encrypt transmission of cardholder data across open, public networks. | Yes. Ask about our SSL certificates. |
| Maintain a Vulnerability Management Program. Protect against the activities of malicious hackers by establishing robust systems that are free of bugs and vulnerabilities through cutting-edge anti-spyware programs and anti-virus software. | Use and regularly update antivirus software or programs. | Yes. Ask about our managed antivirus solutions. |
| | Develop and maintain secure systems and applications. | Yes. Ask about our managed web application firewall, change control, OS patching/updating and risk rankings. |
| Implement Strong Access Control Measures. Ensure the protection of cardholder information by restricting and controlling access to system information and operations. Electronically, this could mean ensuring that every person who uses a computer in the system is assigned a confidential and unique identifier. Physically, this could include the use of document shredders and avoiding unnecessary paper document duplication. | Restrict access to cardholder data by the business’ need to know. | Yes. Ask about our managed Active Directory. |
| | Assign a unique ID to each person with computer access. | Yes. Ask about our secure remote access and two-factor authentication options. |
| | Restrict physical access to cardholder data. | Yes. Ask about touring our Tier III or Tier IV data centers as well as secure data deletion. |
| Regularly Monitor and Test Networks. Ensure that all security measures and processes are functioning properly and kept up to date, and that all exchanged data, applications, storage and random-access memory are scanned with anti-virus and anti-spyware programs. | Track and monitor all access to network resources and cardholder data. | Yes. Ask about our time synchronization and daily log management. |
| | Regularly test security systems and processes. | Yes. Ask about our intrusion detection/prevention, file integrity monitoring, rogue wireless scanning, malware and anti-virus security, as well as the internal/external vulnerability scans, internal/external penetration testing and threat management tests performed by our compliance experts. |
| Maintain an Information Security Policy. Define, maintain, and implement formal information security policies at all times. | Maintain a policy that addresses information security for all personnel. | Yes. Ask about how our auditing experts can help you develop an information security policy that addresses all aspects of PCI compliance, a security awareness program for staff and an incident response plan. Also ask about how our compliance experts can help with risk assessments, security assessments, usage policies, business continuity planning (data backup/disaster recovery) and records maintenance. |
Where Can I Get More Information About PCI DSS?
For further information, consult the PCI Security Standards Council website. Visit: https://www.pcisecuritystandards.org