12-12-11 | Blog Post
Because it’s worth it. It’s the one that really helps an executive sleep at night.
We’ve done HIPAA, SAS 70, SSAE 16 and SOC 1/SOC 3 audits, but PCI DSS does the deepest dive, by far. PCI DSS calls for application source code reviews, penetration testing tailored to your own environment, and well-documented procedures, policies and change management processes.
PCI DSS is also far more prescriptive about the technology you must deploy than other compliance standards. For example, HIPAA requires you to logically secure protected data, but it doesn’t name a firewall as the control. PCI DSS states outright that you must use a firewall, and numerous other specific technologies, to logically protect cardholder data. It’s those prescriptive controls that drive up the cost of passing an audit. Here’s an explanation of the Web Application Firewall (WAF) and the Annual Penetration Testing:
PCI DSS also requires file integrity monitoring to detect unauthorized changes to critical system and configuration files, SSL/TLS certificates to encrypt web traffic carrying cardholder data, and two-factor authentication for administrative access. Each of these technologies needs staff to research, select, install, configure, monitor and maintain it, all of which adds to the Total Cost of Ownership (TCO) of PCI compliance.
But it’s worth it. In today’s world, data is your business. You can’t operate without it, so we welcome the protections prescribed by PCI DSS in order to provide PCI compliant hosting.
PCI DSS also requires a robust and complete suite of documentation, procedures, policies and change management, which further increases the TCO. But that’s for another blog entry…