07-09-12 | Blog Post
PCI DSS Compliance (Payment Card Industry Data Security Standards) – those in the e-commerce, financial and retail industry know this means a lot of money, time and manpower. Many try to skirt around the issue and avoid investing in a PCI hosting partner that has been independently PCI audited and go for the cheaper guy. Why don’t you want to do that? Because you don’t want to suffer a data breach and the costly legislation, fees and reputation management that results.
And because the cheaper guy doesn’t even know what PCI compliance is, nor what technical or physical security requirements should be in place on his end to help you achieve compliance.
A few weeks ago, the FTC filed suit against Wyndham Worldwide, a major hotel chain including three subsidiaries, for the 600,000 credit cardholder data that was stolen in less than two years and in three different incidences. This resulted in more than $10.6 million in fraud loss, according to the FTC’s lawsuit. Not sure why it took two more subsequent data breaches than necessary to elicit a lawsuit, but three certainly calls for serious action.
[In the HIPAA compliance world of healthcare, subsequent data breaches would show a lack of ‘due diligence’ or ‘willful neglect,’ meaning the organization or business failed to prove they had the standard security in place to meet compliance. Or, if they contracted with a third party, they had failed to thoroughly vet their service provider for their ability to meet compliance. Although this list is HIPAA-specific, it can still be handy to apply to all data center providers for all types of compliance needs – read up on the top Five Questions to Ask Your HIPAA Hosting Provider].
Back to the Wyndham case – in all three incidences, hackers were the root cause of the data breaches. They had compromised the security of Wyndham’s data center located in Phoenix, Arizona, in which their corporate network and central reservation system is housed. According to the lawsuit, Wyndham failed to have a lot of standard, PCI security measures in place, both at their data center and at their chain of hotels. Here’s a list of what they were charged with (and what you should avoid):
The actual case is a very interesting read (if you’re into reading lawsuits), as it details how the hackers got into the system in each incident. I listed all of their weak points as a way to educate you on how to avoid a data breach, and create a stronger case for partnering with a PCI hosting provider.
A PCI hosting provider knows certain things – like that the encryption of cardholder data, daily log review and WAFs are required to appropriately secure credit card information – plus, they know how to deploy this technology for you or refer you to a trusted partner. A managed hosting provider also knows that server operating systems need patch management and updates in order to keep up with the latest security vulnerabilities. And a PCI hosting provider knows they should not have access to any credit cardholder data stored on your servers.
To find out more about what a PCI compliant data center and hosting provider should entail, read our PCI Compliant Data Center white paper. This white paper explores the impact of the PCI DSS standard on data centers and server infrastructure, describes the architecture of a PCI compliant data center both technically and contractually, and outlines the benefits and risks of data center outsourcing, and vendor selection criteria.
Or use additional PCI resources below to learn about the standards, if you need/how to achieve compliance, and more:
FTC v. Wyndham Worldwide and Subsidiaries (PDF)