This is the second post in the series on PCI compliance by guest blogger Adam Goslin, an experienced consultant who assists companies with achieving and maintaining PCI compliance. PCI compliant hosting is important for all of our clients who hold and handle credit card information. The series explains the six objectives of PCI DSS, what to look for in a PCI compliant data center, and how to maintain PCI compliance for your company. We hope that you find it useful and we welcome your feedback.
The first post in this series provided a historical overview and introduction to PCI compliance. This post gives an overview of PCI DSS itself, which is organized into six principles (the standard calls them "control objectives") that group its 12 requirements at a high level.
The first principle of PCI compliance is "Build and Maintain a Secure Network." This principle encompasses requirements covering the data center network: firewalls (implementation, lockdown, a documented business justification for every permitted port and service, and more) and vendor defaults (changing vendor-supplied defaults such as passwords and SNMP community strings, configuration standards, encryption of non-console administrative access, and more).
The second principle of PCI compliance is "Protect Cardholder Data." This principle encompasses requirements covering protection of stored cardholder data (keeping storage to a minimum, restrictions on what may be stored at all, rendering the PAN unreadable wherever it is stored, and more) and encryption of cardholder data in transit across open, public networks (strong cryptography when transmitting, wireless transmission standards, a prohibition on sending unprotected PANs over end-user messaging such as email, and more).
The third principle of PCI compliance is "Maintain a Vulnerability Management Program." This principle encompasses requirements covering anti-virus software (deployment on all systems commonly affected by malware, capabilities, functionality, and more) and secure systems and applications (patching, awareness of newly discovered security vulnerabilities, security in the systems development lifecycle, and more).
The fourth principle of PCI compliance is "Implement Strong Access Control Measures." This principle encompasses requirements covering cardholder data access restrictions (access on a need-to-know basis, access tracking, access request forms, and more), assigning a unique ID to each person with computer access (password requirements, two-factor authentication for remote access, encryption of passwords in storage and transmission, and more) and physical access restrictions to the data center and the managed servers. This is where Online Tech has been a lifesaver for several of my clients as they deploy in Online Tech's PCI compliant data center. Online Tech takes care of the physical access controls, video monitoring, visitor handling, backup storage and network security requirements for the facility. Which requirements the provider covers and which remain with the client should be agreed in writing, because PCI DSS still holds the client responsible for everything inside its own cardholder data environment.
The fifth principle of PCI compliance is "Regularly Monitor and Test Networks." This principle encompasses requirements covering logging and monitoring of access to network resources and cardholder data (central logging, what must be logged, daily log review, and more) and regular testing of security systems and processes (quarterly detection of unauthorized wireless access points, quarterly internal and external vulnerability scanning, annual penetration testing, and more).
The sixth principle of PCI compliance is "Maintain an Information Security Policy." This principle contains one requirement, which covers (you guessed it) the need for an up-to-date and thorough information security policy (incident response planning, assignment of roles and responsibilities, acceptable usage rules for employees, and more).
Each of the above principles will be covered in depth in subsequent posts in this series, including lessons learned from prior engagements.
For more information about PCI compliance and PCI compliant hosting, check out the following resources:
Levels of PCI Compliance: Do you know what level your business falls under to meet PCI compliance? While the 12 PCI DSS requirements are set by the PCI Security Standards Council (PCI SSC), compliance is enforced by the payment brands, including Visa, MasterCard, American Express, Discover and JCB International.
PCI Compliant Data Centers: This white paper explores the impact of the PCI DSS standard on data centers and server infrastructure, describes the architecture of a PCI compliant data center both technically and contractually, and outlines the benefits and risks of data center outsourcing along with vendor selection criteria.
PCI DSS 3.0: Complete List of Newly Added Requirements: The PCI DSS 3.0 document contains a number of clarifications, additional guidance and evolving requirements, the three categories the PCI SSC uses to describe the changes.
Adam Goslin, Co-Founder, High Bit Security, LLC
Adam has an IT career that spans more than 15 years, most recently leading the IT and infrastructure teams of a major supply chain development company through Level 1 PCI DSS compliance. Adam went on to found the full-service security firm High Bit Security, LLC, specializing in cost-effective network and application layer penetration testing, and assisting companies looking to achieve or maintain their Payment Card Industry Data Security Standard (PCI DSS) compliance.
For more information about PCI compliance, you can email Adam at [email protected]
Otava provides the secure, compliant hybrid cloud solutions demanded by service providers, channel partners and enterprise clients in compliance-sensitive industries. By actively aggregating best-of-breed cloud companies and investing in people, tools, and processes, Otava’s global footprint continues to expand. The company provides its customers in highly regulated disciplines with a clear path to transformation through its effective solutions and broad portfolio of hybrid cloud, data protection, disaster recovery, security and colocation services, all championed by an exceptional support team. Learn more at www.otava.com.