06-20-13 | Blog Post

Offsite Backup and IT Disaster Recovery for PCI DSS Compliance

For companies that deal with credit cardholder data, including e-commerce, retail, franchise, etc., the Payment Card Industry Data Security Standards (PCI DSS) are the official security guidelines set by the major credit card brands.

Of the 12 PCI DSS requirements and sub-requirements, 12.9.1 dictates:[1]

Create the incident response plan to be implemented in the event of system breach. Ensure the plan addresses the following, at a minimum:

  • Roles, responsibilities, and communication and contact strategies in the event of a compromise including notification of the payment brands, at a minimum
  • Specific incident response procedures
  • Business recovery and continuity procedures
  • Data back-up processes
  • Analysis of legal requirements for reporting compromises
  • Coverage and responses of all critical system components
  • Reference or inclusion of incident response procedures from the payment brands

In addition, the PCI standard 9.5 requires a data backup plan, disaster recovery plan, emergency mode operation plan, testing and revision procedures, and application and data criticality analysis.[2]

Store media back-ups in a secure location, preferably an off-site facility, such as an alternate or back-up site, or a commercial storage facility. Review the location’s security at least annually.

The auditor testing procedures call for observation of the storage location’s physical security. A PCI compliant data center should have proper physical security including limited access authorization, dual-identification control access to the facility and servers, and complete environmental control with monitoring, logged surveillance, alarm systems and an alert system.

Ideally, if outsourcing your disaster recovery solution, partner only with a disaster recovery provider that allows physical tours and walkthroughs of their facilities. What else should you look for in a PCI disaster recovery provider?

  • Policies and procedures, process documents, training records, incident response/data breach plans, etc.
  • Proof that all PCI requirements are in place and sufficiently compliant within the scope of their contracts

Read more about the required network and technical security, and high availability infrastructure in PCI Compliant Data Centers. For a complete guide to outsourcing data hosting and disaster recovery solutions, read our PCI Compliant Hosting white paper.


[1] PCI Security Standards Council, PCI DSS Requirements and Security Assessment Procedures, Version 2.0; https://www.pcisecuritystandards.org/documents/pci_dss_v2.pdf (PDF)

[2] PCI Security Standards Council, PCI DSS Requirements and Security Assessment Procedures, Version 2.0; https://www.pcisecuritystandards.org/documents/pci_dss_v2.pdf (PDF)


© 2024 OTAVA® All Rights Reserved