Because it’s worth it. It’s the one that really helps an executive sleep at night.
We’ve done HIPAA, SAS 70, SSAE 16, SOC 1/SOC 3 audits, but PCI DSS does the deepest dive, by far. PCI includes source code reviews, requires custom penetration testing and well-documented procedures, policies and change management processes.
PCI is also far more prescriptive about the technology you must deploy than other compliance standards. For example, HIPAA requires you to logically secure data, but it doesn’t specifically require a firewall. The PCI audit specifically states that you must use a firewall, and numerous other technologies, to logically protect cardholder data. It’s those prescriptive solutions that drive up the cost of passing an audit. Here’s an explanation of the Web Application Firewall (WAF) and the annual penetration testing:
PCI also requires file integrity monitoring to ensure configuration files are not nefariously modified, SSL certificates to secure web traffic, and dual-factor authentication for administrators. All of these technologies require staff to research, select, install, configure, monitor and maintain them, which keeps increasing the TCO (Total Cost of Ownership) of PCI.
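To make the file integrity monitoring requirement concrete, here is a small added example (not code from Otava or from the PCI DSS standard) of the core of what a FIM tool does: it records a baseline of SHA-256 hashes for every file under a configuration directory and later reports which files were modified, added or removed. The directory, file names and their contents are constructed inside the example purely for illustration, so it runs offline; a real deployment would store the baseline somewhere the monitored host cannot silently rewrite it and would run the comparison on a schedule or on file-system events.

```python
from __future__ import annotations

import hashlib
import json
import tempfile
from pathlib import Path


def hash_file(path: Path) -> str:
    """Return the SHA-256 hex digest of a file, read in chunks to handle large files."""
    digest = hashlib.sha256()
    with path.open("rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root: Path) -> dict[str, str]:
    """Map every regular file under root (relative POSIX path) to its SHA-256 hash."""
    baseline: dict[str, str] = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            baseline[path.relative_to(root).as_posix()] = hash_file(path)
    return baseline


def save_baseline(baseline: dict[str, str], destination: Path) -> None:
    """Persist the baseline as JSON. Keep this file outside the monitored tree."""
    destination.write_text(json.dumps(baseline, indent=2, sort_keys=True))


def load_baseline(source: Path) -> dict[str, str]:
    return json.loads(source.read_text())


def compare(baseline: dict[str, str], current: dict[str, str]) -> dict[str, list[str]]:
    """Classify differences between a stored baseline and a fresh scan."""
    return {
        "modified": sorted(k for k in baseline if k in current and baseline[k] != current[k]),
        "added": sorted(k for k in current if k not in baseline),
        "removed": sorted(k for k in baseline if k not in current),
    }


def demo() -> dict[str, list[str]]:
    """Build a throwaway config tree, baseline it, tamper with it, and report the drift."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "conf"          # constructed sample config directory
        (root / "conf.d").mkdir(parents=True)
        (root / "httpd.conf").write_text("Listen 443\n")
        (root / "conf.d" / "ssl.conf").write_text("SSLProtocol TLSv1.2\n")

        baseline_file = Path(tmp) / "baseline.json"   # stored outside the monitored tree
        save_baseline(build_baseline(root), baseline_file)

        # Simulated, constructed changes an auditor would want flagged:
        (root / "conf.d" / "ssl.conf").write_text("SSLProtocol SSLv3\n")  # weakened setting
        (root / "conf.d" / "extra.conf").write_text("Include /tmp/x\n")    # unexpected new file
        (root / "httpd.conf").unlink()                                     # deleted file

        return compare(load_baseline(baseline_file), build_baseline(root))


if __name__ == "__main__":
    for kind, files in demo().items():
        print(f"{kind}: {files}")
```

Hash-based comparison catches content changes that a timestamp check would miss (an attacker can reset mtime), but it only detects drift between scans; pairing it with an alert into the logging pipeline, and hashing the baseline file itself, is what turns this check into the monitoring control the audit is looking for.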
But it’s worth it. In today’s world, data is your business. You can’t operate without it, so we welcome the protections prescribed by PCI regulations in order to provide PCI compliant hosting.
PCI also requires a robust and complete suite of documentation, procedures, policies and change management, which further increases the TCO. But that’s for another blog entry…
Otava provides the secure, compliant hybrid cloud solutions demanded by service providers, channel partners and enterprise clients in compliance-sensitive industries. By actively aggregating best-of-breed cloud companies and investing in people, tools, and processes, Otava’s global footprint continues to expand. The company provides its customers in highly regulated disciplines with a clear path to transformation through its effective solutions and broad portfolio of hybrid cloud, data protection, disaster recovery, security and colocation services, all championed by an exceptional support team. Learn more at www.otava.com.