Disaster Recovery & Backup with PCI Hosting Providers

Posted 8.28.12 by

I wrote about PCI compliant hosting data storage guidelines last week, and about transparency with PCI cloud hosting providers in July, but not much focus has been placed on PCI DSS requirement 12.9.1, which requires organizations to create an incident response plan to follow in the event of a system breach.

For a PCI hosting provider, that translates into offsite backup and disaster recovery as the complete incident response solution, ensuring that data and applications remain safe should any availability or uptime issues arise. Some PCI hosting providers require you to set up, monitor, and maintain your own backups, so it’s important to check whether a provider can actually fulfill the requirements while you search for a complete solution.

What does the actual requirement entail? The PCI DSS incident response plan requires:

  • Roles, responsibilities, communication and contact strategies in the event of a system compromise, including:
  • Specific incident response procedures
  • Business recovery and continuity procedures
  • Data backup processes
  • Analysis of legal requirements for reporting compromises (for example, amount of time to notify, who to notify, state laws, industry laws, etc.)
  • Coverage and responses of all critical system components
  • Reference or inclusion of incident response procedures from the payment brands

The plan also calls for creating an incident response team with designated responsibilities and roles, including a head Risk Management and Security Officer who oversees incident response operations. Online Tech’s Director of Operations also serves as our Risk Management and Security Officer, and all new and current employees have received security training per compliance requirements.

[A complete disaster recovery and backup plan is also ideal for healthcare organizations that need to meet HIPAA compliance. Read more about this in our HIPAA Compliant Hosting white paper].

Data at rest, including data on portable digital media, on backup media and in logs, must be encrypted, per PCI DSS requirement 3.4. Below is a diagram of Online Tech’s offsite backup service, taken from our PCI Compliant Hosting white paper, which details other requirements you should expect your PCI hosting provider to meet:

[Diagram: Offsite Backup]

Recommended Reading:
Incident Response and 2012 Cyber Threats & Security (Upcoming free webinar)
PCI Compliant Hosting: Data Storage Guidelines
PCI Compliant Data Center Requirements
Transparency with PCI Hosting Providers: Not Always Included

PCI DSS Requirements and Security Assessment Procedures, Version 2.0 (PDF)
