Offsite Backup and IT Disaster Recovery for PCI DSS Compliance

Posted 6.20.13 by
wpadmin

For companies that deal with credit cardholder data, including e-commerce, retail, franchise, etc., the Payment Card Industry Data Security Standards (PCI DSS) are the official security guidelines set by the major credit card brands.

Of the 12 PCI DSS requirements and their sub-requirements, 12.9.1 (PCI DSS version 2.0) dictates:[1]

Create the incident response plan to be implemented in the event of system breach. Ensure the plan addresses the following, at a minimum:

  • Roles, responsibilities, and communication and contact strategies in the event of a compromise including notification of the payment brands, at a minimum
  • Specific incident response procedures
  • Business recovery and continuity procedures
  • Data back-up processes
  • Analysis of legal requirements for reporting compromises
  • Coverage and responses of all critical system components
  • Reference or inclusion of incident response procedures from the payment brands

In addition, PCI DSS Requirement 9.5 covers the protection of the backup media itself:[2] (The often-cited list of a data backup plan, disaster recovery plan, emergency mode operation plan, testing and revision procedures, and applications and data criticality analysis is the contingency plan standard of the HIPAA Security Rule, not a PCI DSS requirement; an organization subject to both must satisfy both.)

Store media back-ups in a secure location, preferably an off-site facility, such as an alternate or back-up site, or a commercial storage facility. Review the location’s security at least annually.

The PCI DSS testing procedure for 9.5 has the assessor verify that the storage location's security is reviewed at least annually, so expect the physical security of the backup site to be examined, not only that of your primary data center. A PCI-compliant data center should have proper physical security: access limited to authorized personnel, two-factor identification for entry to the facility and to the server areas, and full environmental control with monitoring, logged video surveillance, alarm systems and alerting.

If you outsource disaster recovery, partner only with a provider that allows physical tours and walkthroughs of its facilities, so that the annual review of the storage location is something you can actually perform rather than take on faith. What else should you look for in a PCI disaster recovery provider?

  • Policies and procedures, process documents, training records, incident response/data breach plans, etc.
  • Evidence that every PCI DSS requirement within the scope of the contract is in place and met, together with a written agreement in which the provider acknowledges responsibility for the security of the cardholder data it holds (Requirement 12.8)

Read more about the required network and technical security, and the high availability infrastructure, in PCI Compliant Data Centers. For a complete guide to outsourcing data hosting and disaster recovery solutions, read our PCI Compliant Hosting white paper.


[1] PCI Security Standards Council, PCI DSS Requirements and Security Assessment Procedures, Version 2.0; https://www.pcisecuritystandards.org/documents/pci_dss_v2.pdf (PDF)

[2] PCI Security Standards Council, PCI DSS Requirements and Security Assessment Procedures, Version 2.0; https://www.pcisecuritystandards.org/documents/pci_dss_v2.pdf (PDF)

About Otava

Otava provides the secure, compliant hybrid cloud solutions demanded by service providers, channel partners and enterprise clients in compliance-sensitive industries. By actively aggregating best-of-breed cloud companies and investing in people, tools, and processes, Otava’s global footprint continues to expand. The company provides its customers in highly regulated disciplines with a clear path to transformation through its effective solutions and broad portfolio of hybrid cloud, data protection, disaster recovery, security and colocation services, all championed by an exceptional support team. Learn more at www.otava.com.