Copyright Online Tech 2012. All Rights Reserved.

page 1 of 27
PCI Compliant Data Centers
1.0. Executive Summary
2.0. Impact of PCI DSS on Data Centers
3.0. What is a PCI Compliant Data Center?
3.1. PCI Compliant Data Center Architecture
3.1.1. Requirements
3.1.2. PCI Audited Data Center Requirements
3.1.2.1. Third Party Independent PCI DSS Audit Report
3.1.2.2. PCI Audited Staff and Documented Security Policies
3.1.2.3. Data Center Security
3.1.2.4. Data Center Portal
3.1.3. High Availability, Secure Network Requirements
3.1.3.1. High Availability, Redundant Firewalls (IDS/IPS)
3.1.3.2. High Availability, Redundant Routers
3.1.3.3. High Availability, Redundant Internet Service Providers
3.1.3.4. Two-Factor Authentication
3.1.3.5. Vulnerability Scanning
3.1.3.6. Web Application Firewall (WAF)
3.1.3.7. SSL Certificate (Web Apps)
3.1.4. Secure Server Environment Requirements
3.1.4.1. Antivirus
3.1.4.2. OS Patch Management
3.1.4.3. File Integrity Monitoring (FIM)
3.1.4.4. Encryption
3.1.4.5. Daily Log Review
3.1.4.6. Backup and Disaster Recovery
3.1.4.7. Penetration Testing
4.0. Outsource vs. In-House
4.1. Benefits of Outsourcing Hosting
4.2. Risks of Outsourcing Hosting
5.0. Vendor Selection Criteria
5.1. PCI DSS Compliant Business Associates
5.2. Other Key Data Center Considerations
6.0. Conclusion
7.0. References
7.1. Questions to Ask Your PCI Hosting Provider
7.2. Data Center Standards Cheat Sheet



1.0. Executive Summary
Engaging customers online is a necessity for every business today. Brick and mortar traditional
retail shopping experiences compete aggressively with online buying experiences, with local
customers often choosing to buy online even if the store is right down the street. Key banking
and bill processing transactions are only a mobile app away, making both e-commerce
transactions and the number of end points touching cardholder data prolific. Established
companies have to become online and mobile before the younger, nimbler competition
absconds with the mobile market share. Nascent startups have to provide mature transaction
security to protect their reputation with customers and access to credit lines.

Two primary business drivers impact the data center: security and availability. Security
protects cardholder data. The major financial institutions collaborated to define PCI DSS
(Payment Card Industry Data Security Standard) with a minimum set of security
measures to protect the waterfall of sensitive identity and payment information flowing
through the Internet. Businesses that don't meet the standard risk steep fines, loss of
credit card processing rights, customer loyalty and legal costs in the event of a breach.

Availability protects company cash flow. Availability can be protected by investing in
redundancy throughout the IT infrastructure; every minute of downtime has a direct impact on
the bottom line.

Every company that accepts credit card payments must be PCI compliant. Companies who can
afford to build their own PCI compliant IT infrastructure must invest in the resources to maintain
ongoing diligence with operating system and application security patches, daily log review,
periodic vulnerability scanning, and annual penetration testing. Companies that are not in a
position to build a PCI compliant infrastructure, or maintain the required rigorous daily demands,
look to outsource their IT infrastructure to a partner who has met PCI compliance. A PCI
compliant hosting partner can both relieve the initial CapEx investment and ongoing daily
compliance burdens.

Outsourcing IT infrastructure is a strategy that allows companies to focus their in-house IT
resources on their own end-user applications instead of the operating systems or hardware.
Hosting partners who provide an auditor's opinion from an independent PCI DSS audit can also
drastically reduce the cost and complexity of PCI SAQs (Self-Assessment Questionnaires) and
third-party PCI QSA audits.

This white paper explores the impact of the PCI DSS standard on data centers and server
infrastructure, describes the technical and contractual architecture of a PCI DSS compliant data
center, and outlines the benefits and risks of data center outsourcing and vendor selection
criteria.



2.0. Impact of PCI DSS on Data Centers
Protecting the confidentiality, integrity, and availability of electronic cardholder data (CHD) is the
essence of the PCI DSS standard. Any company that stores, transmits, or processes payment
information must meet PCI DSS compliance. Since data centers typically store, transmit, or
process e-commerce transactions, they must be PCI DSS compliant, whether in-house or
outsourced.

There are 4 merchant levels of PCI compliance based on the number of payment
transactions performed.

PCI Compliance Level 1: Over 6 million Visa and/or Mastercard transactions processed per year
PCI Compliance Level 2: 1 million to 6 million Visa and/or Mastercard transactions processed per year
PCI Compliance Level 3: 20,000 to 1 million Visa and/or Mastercard e-commerce transactions processed per year
PCI Compliance Level 4: Less than 20,000 Visa and/or Mastercard e-commerce transactions processed per year, and all other companies that process up to 1 million Visa transactions per year

While merchants at every level must be compliant with PCI DSS standards, compliance
for Level 1 merchants is the most demanding, and requires an independent audit by a
certified QSA.

Every e-commerce company must complete an assessment of PCI DSS compliance.
While levels 2-4 can self-assess, level 1 companies must invest in an independent audit.
Working with a PCI-savvy partner that can provide documentation of key audit areas, also
known as a PCI Report on Compliance (ROC), to PCI DSS auditors can significantly
reduce the time, cost, and complexity of annual audits.



3.0. What is a PCI Compliant Data Center?
All companies that store, transmit, or process cardholder data, including data center operators,
need to meet all 12 requirements of the PCI DSS standard [1].

These standards include:


1. Install and maintain a firewall configuration to protect cardholder data.
2. Do not use vendor-supplied defaults for system passwords and other security
parameters.
3. Protect stored data.
4. Encrypt transmission of cardholder data across open, public networks.
5. Use and regularly update antivirus software.
6. Develop and maintain secure systems and applications.
7. Restrict access to cardholder data by business need-to-know.
8. Assign a unique ID to each person with computer access.
9. Restrict physical access to cardholder data.
10. Track and monitor all access to network resources and cardholder data.
11. Regularly test security systems and processes.
12. Maintain a policy that addresses information security.

3.1. PCI Compliant Data Center Architecture


The diagram below shows a hosting architecture that meets the 12 requirements of the PCI
DSS standard. Each element is described in the following pages. Make sure your company
addresses every aspect. If you outsource your IT infrastructure, make sure you understand
which parts you are responsible for and which your vendor takes responsibility for, keeping in
mind that some aspects will require attention from both you and your hosting partner. Clearly
define the technologies included in the initial implementation, and all of the ongoing daily
monitoring and maintenance that PCI DSS compliance requires.

In order to meet the 12 PCI DSS requirements, companies should have certain network and
server technology in place to ensure optimal data security and availability. Penetration testing is
required by PCI on an annual basis and after any environmental changes.

If outsourcing, companies should ensure their data and applications are housed in a PCI
audited data center with the following: third party independent PCI audit report; PCI audited staff
and policies; change management and documentation; data center security and data center
portal.

High availability, secure network requirements include high availability, redundant firewalls,
routers and Internet service providers; two-factor VPN access; vulnerability scanning;
penetration testing; web application firewalls and SSL certificates.

A secure server environment requires daily log review, OS (operating system) patch
management, antivirus, file integrity monitoring (FIM), and data encryption. A complete offsite
backup and disaster recovery solution is also required.

[1] https://www.pcisecuritystandards.org/documents/pci_dss_v2.pdf

3.1.1. Requirements

3.1.2. PCI Audited Data Center Requirements


The following PCI audited data center requirements are essential for a multi-layered approach
to security and availability of critical data and applications. If outsourcing, ensure your PCI
hosting provider offers each of the following:

3.1.2.1. Third Party Independent PCI DSS Audit Report


A PCI hosting provider should be willing to share a copy of their audit report under NDA to
ensure they are following compliant policies and procedures. Ask your PCI hosting provider if
they can provide a copy of their independent audit report detailing the controls implemented to
meet the 12 PCI DSS requirements. According to the PCI Security Standards Council:

For those entities that outsource storage, processing or transmission of cardholder data
to third-party service providers, the Report on Compliance (ROC) must document the
role of each service provider, clearly identifying which requirements apply to the
assessed entity and which apply to the service provider. [2]

Be clear that some of the standards you will be exclusively responsible for; some require mutual
effort by your company and the hosting provider; others such as physical security may be the
responsibility of only the hosting provider. Make sure you follow your due diligence to ensure all
controls are appropriately covered between your company and the hosting provider.

3.1.2.2. PCI Audited Staff and Documented Security Policies


The most secure technologies are rendered useless without a culture of security and process
that assures policies and procedures are documented, followed, and independently audited.
Review the details of security controls in independent audit reports. They should reflect a solid
foundation of secure policies that guide day-to-day operations. Policies should also include
change management documentation to outline security updates and protocol after significant
changes occur in the company.

All staff should be trained in handling credit cardholder data in a secure manner, as well as
trained on how to maintain the physical and environmental security of a PCI compliant data
center. PCI requirement 12.6 requires organizations to:

Implement a formal security awareness program to make all personnel aware of the
importance of cardholder data security.

Knowing what to do in the event of a data breach is also required by 12.9.4:

Provide appropriate training to staff with security breach response responsibilities.

3.1.2.3. Data Center Security


PCI compliant data centers require physical, network and data security. Physical security means
only authorized personnel should have limited access to server racks, suites and cages.

[2] https://www.pcisecuritystandards.org/documents/pci_dss_v2.pdf



Environmental controls should include 24x7 monitoring, logged surveillance, and multiple alarm
systems. Dual-identification access control may include both the use of a security badge and a
code to gain access to restricted areas.

PCI requirement 9.1 states:

Use appropriate facility entry controls to limit and monitor physical access to systems in
the cardholder data environment.

As a testing procedure, 9.1 states:

Verify the existence of physical security controls for each computer room, data center,
and other physical areas with systems in the cardholder data environment. Verify that
access is controlled with badge readers or other devices including authorized badges
and lock and key.

Sub-requirements under requirement 9, Restrict physical access to cardholder data, also
mandate the use of video cameras and/or access control mechanisms to monitor physical
access to sensitive areas; restriction of physical access to network jacks, wireless access
points, gateways, handheld devices, and more. There are also specific requirements on how to
handle visitors to data centers or facilities with cardholder data. [3]

Network security should protect sensitive infrastructure (managed dedicated servers, cloud
servers, power and network infrastructure) by restricted access. Data security dictates that, if
outsourcing, your PCI compliant hosting provider should never access credit cardholder data.

3.1.2.4. Data Center Portal


If outsourcing, a data center client portal can provide insight into your servers by allowing real-
time access to server statistics and performance. The ability to view bandwidth use, firewall
rules, IP address blocks, data center status, backup status and more lets you remotely monitor
the availability and security of your servers online.

3.1.3. High Availability, Secure Network Requirements


The following network requirements ensure cardholder data and critical applications are always
available to minimize business downtime and revenue loss.

3.1.3.1. High Availability, Redundant Firewalls (IDS/IPS)


Firewalls help meet administrative safeguard requirements to protect cardholder data from
malicious software. There are many excellent firewalls available, but more importantly, the
data center should be protected by redundant, or high availability, firewalls so that if one fails
because of a hardware, software, or power issue, a second firewall can still stand between
payment information and a malicious attack.

Plan or evaluate with the knowledge that it's not a matter of if a firewall fails, it's when a
firewall fails. Look for every single point of failure in the data center and plan high-availability
redundancies anywhere they exist. For example, the firewalls should be plugged into separate
power strips that are connected to separate power feeds in the data center. If the redundant
firewalls are plugged into a single power strip that blows a fuse, all redundancy is lost.

[3] https://www.pcisecuritystandards.org/documents/pci_dss_v2.pdf



3.1.3.2. High Availability, Redundant Routers
Routers are responsible for marshaling data to and from the data center. In order to ensure that
online transaction systems are always available, the data center should use redundant routers
to ensure that data traffic can still continue when one router experiences a hardware, software
or power failure. Routers should be powered by separate power strips connected to separate
power feeds for true redundancy.

3.1.3.3. High Availability, Redundant Internet Service Providers


If the data center relies on a single Internet Service Provider (ISP), the ability to process credit
card transactions is severely jeopardized. Ask if the data center has separate ISPs that connect
via different sides of the data center (multiple entrance facilities). Ask if the redundant service
providers connect all the way to the data center building directly - some use last-mile services
from another ISP and so may not provide full redundancy.

3.1.3.4. Two-Factor Authentication

PCI requirement 8.3 mandates that organizations must implement two-factor, also known as
dual-factor or multi-factor, authentication for remote access to the network by employees,
administrators, and third parties.

Two-factor authentication significantly protects against weak or stolen passwords and provides
an additional layer of protection. This requires multiple forms of identification for a login, such as
a code and a username/password combination. Biometric login systems may require a
fingerprint along with a code or badge.

For the cloud and web-based applications, dual-authentication systems require a username,
password, and a code that is sent to a mobile device by phone call or text message. Ask your
cloud provider if they provide dual-factor authentication services for web-based logins or
contract with a service such as Duo [4] to improve CHD protection.

3.1.3.5. Vulnerability Scanning

PCI requirement 11.2 requires vulnerability scanning as part of requirement 11, regularly test
security systems and processes:

Run internal and external network vulnerability scans at least quarterly and after any
significant change in the network (such as new system component installations, changes
in network topology, firewall rule modifications and product upgrades).

The scan checks ports open to Internet traffic and vulnerable applications and configurations
within your environment. A few examples include outdated versions of software, web
applications that aren't securely coded, or misconfigured networks. By testing firewalls and
networks, scanning can pinpoint any weaknesses in your system's security.

[4] http://www.duosecurity.com



3.1.3.6. Web Application Firewall (WAF)

A Web Application Firewall (WAF) is specifically built to monitor website traffic for the
transmission of sensitive data and potentially block any network traffic that does not fit within the
allowable configuration.

Network firewalls and intrusion detection systems (IDS) can't detect or prevent many application
attacks. A WAF can detect potential application attacks, including SQL injection (database
commands sent through a web application to the backend database; these commands can be
used to delete or extract data) and other attacks that may not be detected by an IDS.

PCI requirement 6.6 mandates the protection of credit cardholder data by developing and
maintaining secure systems and applications:

For public-facing web applications, address new threats and vulnerabilities on an
ongoing basis and ensure these applications are protected against known attacks by
either of the following methods:
- Reviewing public-facing web applications via manual or automated application
vulnerability security assessment tools or methods, at least annually and after any
changes
- Installing a web-application firewall in front of public-facing web applications

PCI allows merchants to choose either a WAF or code review (either manual or automated) to
fulfill the requirement. Code review can be time-consuming, complex and costly, and require the
use of many different tools. A WAF from a hosting provider can be more cost-effective and
easier to manage.

For cardholder data applications that involve a website, security is paramount, and the use of a
WAF makes sense. It is one tool in the security toolbox for consideration.



3.1.3.7. SSL Certificate (Web Apps)
To protect sensitive information on websites and in the cloud, an SSL (Secure Sockets Layer)
certificate is a must. The SSL certificate enables encryption of all data moving between two or
more end-points (e.g. from a browser to a server containing the application or website). Since
many e-commerce applications are now hosted in the cloud and accessed by browsers (Internet
Explorer, Chrome, Firefox), the SSL certificate is essential to proper security.

PCI requirement 2.3 mandates:

Encrypt all non-console administrative access using strong cryptography. Use
technologies such as SSH, VPN, or SSL/TLS for web-based management and other
non-console administrative access.

3.1.4. Secure Server Environment Requirements


The following server requirements ensure data and application security to protect against
hackers and data loss or alteration.

3.1.4.1. Antivirus
PCI requirement 5.1 specifically requires the deployment of antivirus software on all systems
commonly affected by malicious software (particularly personal computers and servers). [5]

We all use antivirus on our laptops, so using this on a server operates under the same premise:
safety and security for critical infrastructure. This is one of the most important elements of
security you can buy for the money for a managed server.

3.1.4.2. OS Patch Management


OS patch management is essential to keep up with ongoing security remedies for an
increasingly sophisticated and coordinated network of hacking threats. Required by PCI 6.1,
merchants must ensure all system components and software are protected from known
vulnerabilities by having the latest vendor-supplied security patches installed.

With all the security bulletins, holes, bugs, viruses, and security vulnerabilities announced daily
for operating systems, applications, and databases, a consistent and documented process is
needed to ensure that regular patching safeguards all systems. This may include a collection of
patching tools, processes, and procedures. A unified test, staging, and production environment
in which to test patches is critical for assessing their impact on the system before they reach
production. If you outsource services, make sure you find out who is responsible for
maintaining security patches and how frequently updates are checked for.

[5] https://www.pcisecuritystandards.org/documents/pci_dss_v2.pdf



3.1.4.3. File Integrity Monitoring (FIM)

File Integrity Monitoring refers to ensuring the integrity of the files on a server. The basic
technique is the comparison of the current file to the known, safe baseline. While file changes
are expected and within the normal realm of daily interaction and activity, there are a few key
changes that may trigger additional investigation such as a change of ownership, security
settings, or configuration values.
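The baseline comparison described above, as an added example that is not part of the white paper or of any FIM product: it records a SHA-256 digest, owner, permission bits and size for every regular file under a directory, stores that as a JSON baseline, and later reports files that were added, removed, or modified, naming which attributes changed. It also includes an append-only check of the kind requirement 10.5.5 asks for on logs (existing bytes must not change, appended bytes are allowed). The directory tree in demo() is constructed in a temporary directory; its paths and contents are illustrative only.

```python
"""File integrity monitoring (FIM) by baseline comparison (added illustration)."""
import hashlib
import json
import stat
import tempfile
from pathlib import Path

# Attributes tracked per file; ownership and permission bits are the changes the
# paper singles out as worth investigating, alongside content changes.
TRACKED = ("sha256", "uid", "gid", "mode", "size")


def sha256_file(path: Path) -> str:
    """Stream the file through SHA-256 so large files need not fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def snapshot(root: Path) -> dict:
    """Record the tracked attributes of every regular file below root, keyed by relative path."""
    entries = {}
    for path in sorted(root.rglob("*")):
        if path.is_symlink() or not path.is_file():
            continue
        st = path.stat()
        entries[path.relative_to(root).as_posix()] = {
            "sha256": sha256_file(path),
            "uid": st.st_uid,
            "gid": st.st_gid,
            "mode": stat.S_IMODE(st.st_mode),  # permission bits only
            "size": st.st_size,
        }
    return entries


def save_baseline(entries: dict, out: Path) -> None:
    out.write_text(json.dumps(entries, indent=1, sort_keys=True))


def load_baseline(src: Path) -> dict:
    return json.loads(src.read_text())


def compare(baseline: dict, current: dict) -> list:
    """One alert per added, removed or modified file; modified alerts name the changed attributes."""
    alerts = []
    for name in sorted(set(baseline) | set(current)):
        if name not in current:
            alerts.append({"file": name, "change": "removed"})
        elif name not in baseline:
            alerts.append({"file": name, "change": "added"})
        else:
            changed = [k for k in TRACKED if baseline[name][k] != current[name][k]]
            if changed:
                alerts.append({"file": name, "change": "modified", "attributes": changed})
    return alerts


def log_head_tampered(log_path: Path, baseline_entry: dict) -> bool:
    """Append-only check: the bytes present at baseline time must still hash to the
    baseline digest; anything appended after them does not raise an alert."""
    with log_path.open("rb") as fh:
        head = fh.read(baseline_entry["size"])
    return hashlib.sha256(head).hexdigest() != baseline_entry["sha256"]


def demo() -> dict:
    """Constructed scenario: baseline a tiny tree, tamper with it, and diff."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "fs"
        (root / "etc").mkdir(parents=True)
        (root / "var").mkdir()
        conf = root / "etc" / "app.conf"
        conf.write_text("listen=443\n")
        conf.chmod(0o640)
        (root / "etc" / "hosts").write_text("127.0.0.1 localhost\n")
        log = root / "var" / "auth.log"
        log.write_text("login ok user=deploy\n")
        save_baseline(snapshot(root), Path(tmp) / "baseline.json")

        conf.write_text("listen=443\ndebug=true\n")                # content and size change
        conf.chmod(0o666)                                           # permissions loosened
        (root / "etc" / "unexpected.sh").write_text("#!/bin/sh\n")  # file dropped in
        (root / "etc" / "hosts").unlink()                           # file removed
        with log.open("a") as fh:
            fh.write("login failed user=root\n")                    # legitimate append

        baseline = load_baseline(Path(tmp) / "baseline.json")
        alerts = compare(baseline, snapshot(root))
        append_allowed = not log_head_tampered(log, baseline["var/auth.log"])
        log.write_text("login ok user=root\n")                      # history rewritten
        rewrite_caught = log_head_tampered(log, baseline["var/auth.log"])
        return {"alerts": alerts, "append_allowed": append_allowed,
                "rewrite_caught": rewrite_caught}


if __name__ == "__main__":
    for alert in demo()["alerts"]:
        print(alert)
```

In production the baseline lives on a separate FIM server (as the paper notes), the comparison runs at least weekly per requirement 11.5, and whoever receives the alerts from compare() must be agreed up front.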

A separate FIM server is required for PCI. There are many third party software applications to
monitor and evaluate file changes and alert administrators of any suspicious activity, but be sure
to clarify who receives and is responsible for the alerts. Most PCI compliant hosting providers
will set up a FIM server, but leave the client to manage, investigate, and remediate alerts and
issues. Make sure you know what's included in the quotes you receive in terms of both the
technology and the daily care and feeding to remain PCI DSS compliant.

PCI requirement 10.5.5 mandates the use of FIM:

Use file-integrity monitoring or change-detection software on logs to ensure that existing
log data cannot be changed without generating alerts (although new data being added
should not cause an alert). [6]

PCI requirement 11.5 also refers to the use of FIM:

Deploy file integrity monitoring tools to alert personnel to unauthorized modification of
critical system files, configuration files or content files. Configure the software to perform
critical file comparisons at least weekly. [7]

[6] https://www.pcisecuritystandards.org/documents/pci_dss_v2.pdf
[7] https://www.pcisecuritystandards.org/documents/pci_dss_v2.pdf



3.1.4.4. Encryption
PCI requirement 3.4 requires encryption of PANs (Primary Account Numbers) anywhere they are
stored (including on portable digital media, backup media and in logs).

Data at rest is data that may be stored on servers or backup media while not in use. This
data must be encrypted in case of disk drive failure or unauthorized access. Many data
breaches are due to lost or stolen unencrypted portable devices (laptops or smartphones); this
data should not be stored on portable devices, but instead in PCI compliant data centers at an
offsite location. That way, thousands of cardholder records aren't stored on any of your
computing devices, but instead in a secure location that you can access. This greatly improves
your CHD (cardholder data) security: if you lose the device, you won't lose all of the sensitive
data as well.
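Requirement 3.4 explicitly covers PANs that end up in logs, which in practice means checking logs for card numbers that should never have been written there. The following is an added example, not the white paper's or any vendor's code: it finds Luhn-valid card numbers in log text and replaces them with a truncated form (first six and last four digits), truncation being one of the rendering methods 3.4 accepts alongside encryption. The log lines are constructed; the card numbers in them are the standard publicly documented test numbers, not real accounts.

```python
"""Detect PANs leaked into logs and truncate them (added illustration)."""
import re

# 13 to 19 digits, optionally separated by single spaces or hyphens, not embedded
# in a longer digit run. Luhn validation below filters out order ids and timestamps.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Constructed sample; 4111... and 5555... are documented test numbers.
SAMPLE_LOG = """\
2012-03-12T02:14:01Z app INFO order=1234567890123456 status=paid
2012-03-12T02:14:02Z app DEBUG charge card=4111 1111 1111 1111 exp=12/14 amount=19.99
2012-03-12T02:14:03Z app DEBUG retry pan=5555555555554444 result=declined
"""


def luhn_valid(digits: str) -> bool:
    """Luhn check digit test that every card number satisfies."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def _digits(s: str) -> str:
    return s.replace(" ", "").replace("-", "")


def is_pan(candidate: str) -> bool:
    d = _digits(candidate)
    return 13 <= len(d) <= 19 and luhn_valid(d)


def find_pans(text: str) -> list:
    """Return every candidate in text that passes the Luhn check, as written in the log."""
    return [m.group() for m in PAN_CANDIDATE.finditer(text) if is_pan(m.group())]


def mask_pan(pan: str) -> str:
    """Truncate to first six and last four digits, the form 3.4 permits to keep."""
    d = _digits(pan)
    return d[:6] + "*" * (len(d) - 10) + d[-4:]


def redact(text: str) -> str:
    """Replace every PAN found in text with its truncated form; leave other digit runs alone."""
    return PAN_CANDIDATE.sub(lambda m: mask_pan(m.group()) if is_pan(m.group()) else m.group(), text)


if __name__ == "__main__":
    print("found:", find_pans(SAMPLE_LOG))
    print(redact(SAMPLE_LOG))
```

Run over a day's logs, a non-empty result from find_pans() is itself a finding for the daily log review: the application is writing cardholder data somewhere it must not, and the fix belongs in the application, not only in the redaction.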

3.1.4.5. Daily Log Review

Daily log review is a service that analyzes logs, and sends reports of the most important
messages to the organization. These messages provide insight into any abnormalities in the
system network and servers including failed login attempts or other indicators of possible
intrusions.

This service allows the organization to know who accessed which systems and data, and their
activity while logged in. Why is this useful? It provides insight into any data leaks or potential
breaches, and allows you to track activity on your system.



PCI requirement 10.0, Regularly Monitor and Test Networks, mandates that those in compliance
must track and monitor all access to network resources and cardholder data.

Requirement 10.3 states:

Record at least the following audit trail entries for all system components for each event:

The requirement goes on to list what must be recorded for each event, including user
identification, type of event, date and time, success or failure indication, etc.

PCI requirement 10.6 requires log review:

Review logs for all system components at least daily. Log reviews must include those
servers that perform security functions like intrusion-detection system (IDS) and
authentication, authorization, and accounting protocol (AAA) servers (for
example, RADIUS).

Make sure you understand who will perform the daily log review. If you handle this in-house,
make sure that you allocate enough human resources to allow for a thorough review and
response. If you are outsourcing PCI hosting, be sure to clarify up front who is responsible for
reviewing the daily logs and the response process when an issue deserves further investigation
or escalation. Many hosting providers will sell a log monitoring server, but put the burden of
daily log review on their clients.
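What a daily log review actually looks for, as an added example that is not part of the white paper: the script below parses syslog-style authentication lines and reports the indicators the section names (failed login attempts, access by whom to what), flagging a source that hits a failure threshold, a successful login from a source that had just been failing, privileged commands, and new accounts. The log lines are constructed for the example, with addresses from the documentation ranges; the thresholds are assumptions to tune per environment.

```python
"""Daily log review over authentication logs (added illustration)."""
import re
from collections import Counter

# Constructed sample in the style of a Linux auth log.
SAMPLE_LOG = """\
Mar 12 02:14:01 web01 sshd[2231]: Failed password for invalid user admin from 203.0.113.45 port 51234 ssh2
Mar 12 02:14:03 web01 sshd[2231]: Failed password for invalid user admin from 203.0.113.45 port 51236 ssh2
Mar 12 02:14:05 web01 sshd[2233]: Failed password for root from 203.0.113.45 port 51240 ssh2
Mar 12 02:14:09 web01 sshd[2235]: Failed password for root from 203.0.113.45 port 51244 ssh2
Mar 12 02:14:12 web01 sshd[2235]: Failed password for root from 203.0.113.45 port 51250 ssh2
Mar 12 02:14:15 web01 sshd[2237]: Accepted password for root from 203.0.113.45 port 51252 ssh2
Mar 12 08:02:44 web01 sshd[3102]: Accepted publickey for deploy from 198.51.100.7 port 40022 ssh2
Mar 12 08:05:10 web01 sudo:   deploy : TTY=pts/0 ; PWD=/home/deploy ; USER=root ; COMMAND=/usr/bin/systemctl restart app
Mar 12 09:30:00 web01 useradd[3310]: new user: name=svc_tmp, UID=1003, GID=1003, home=/home/svc_tmp, shell=/bin/bash
"""

AUTH_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Failed|Accepted) \w+ for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+)"
)
SUDO_RE = re.compile(r"sudo:\s+(?P<user>\S+) : .*COMMAND=(?P<cmd>.+)$")
USERADD_RE = re.compile(r"useradd\[\d+\]: new user: name=(?P<user>[^,]+)")


def review(log_text: str, fail_threshold: int = 5, success_after: int = 3) -> dict:
    """Walk the log once and return per-source failure counts plus ordered alerts."""
    failures = Counter()
    alerts = []
    for line in log_text.splitlines():
        m = AUTH_RE.search(line)
        if m:
            ip, user = m["ip"], m["user"]
            if m["result"] == "Failed":
                failures[ip] += 1
                if failures[ip] == fail_threshold:  # alert once, when the threshold is hit
                    alerts.append({"kind": "repeated_failures", "ip": ip, "count": failures[ip]})
            elif failures[ip] >= success_after:   # a success right after a run of failures
                alerts.append({"kind": "success_after_failures", "ip": ip, "user": user,
                               "prior_failures": failures[ip]})
            continue
        m = SUDO_RE.search(line)
        if m:
            alerts.append({"kind": "privileged_command", "user": m["user"], "command": m["cmd"].strip()})
            continue
        m = USERADD_RE.search(line)
        if m:
            alerts.append({"kind": "account_created", "user": m["user"].strip()})
    return {"failed_logins_by_source": dict(failures), "alerts": alerts}


def report(findings: dict) -> str:
    """Render the findings as the short daily summary a reviewer would read."""
    lines = [f"failed logins by source: {findings['failed_logins_by_source']}"]
    lines += [f"ALERT {a['kind']}: " + ", ".join(f"{k}={v}" for k, v in a.items() if k != "kind")
              for a in findings["alerts"]]
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(review(SAMPLE_LOG)))
```

Each alert still needs a human decision (was the sudo expected, who created svc_tmp), which is the response process the text says you must assign before signing a hosting contract.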

3.1.4.6. Backup and Disaster Recovery

PCI standard 9.5 requires a data backup plan, disaster recovery plan, emergency mode
operation plan, testing and revision procedures, and application and data criticality analysis.
Offsite data backups are imperative and offsite disaster recovery is strongly recommended.



Some PCI hosting providers will require you to set up, monitor, and maintain your own backups
- make sure you understand the level of service you are getting and any additional costs.

The standard specifically states:

Store media back-ups in a secure location, preferably an off-site facility, such as an
alternate or back-up site, or a commercial storage facility. Review the location's security
at least annually. [8]

PCI standard 10.7 also refers to keeping logs of user activity on systems for a certain period of
time:

Retain audit trail history for at least one year, with a minimum of three months
immediately available for analysis (for example, online, archived, or restorable from
back-up).

Online payment transactions happen 24x7. Availability means that your critical applications and
data need to be recoverable in the event of a disaster or downtime.

Protecting cardholder data and business availability means putting procedures in place to
mitigate disasters, and having a solid plan in-hand to activate when a disaster occurs. The
infrastructure to do this is defined by two perspectives:

1. Disaster Prevention - Putting all the tools in place to minimize the probability of an
outage in the data center infrastructure, server hardware, software and network
connectivity.
2. Disaster Recovery - Assuring that the applications and data can be recovered and
restored in a reasonable timeframe to continue running the business and making card-
holder data available if a disaster occurs in the primary data center.

3.1.4.7. Penetration Testing


Whether handled by a qualified internal resource or third party, penetration testing is required by
11.3. A penetration test determines whether or not unauthorized access or other malicious
activity is possible by exploiting vulnerabilities found during external and internal vulnerability
assessments as required by 11.2.

[8] https://www.pcisecuritystandards.org/documents/pci_dss_v2.pdf



4.0. Outsource vs. In-House
4.1. Benefits of Outsourcing Hosting

Save on Costs
Why would a merchant with credit cardholder data outsource their hosting solution to a
third party? If you choose a PCI compliant hosting provider that has already passed a PCI audit by
an independent auditor with PCI security expertise, this can save your company time and
money by eliminating the need to audit your vendor in addition to your own business. While it
does not release you of the obligation and responsibility of meeting compliance, it may help you
achieve compliance faster and at a lower cost.

Additionally, managed hosting allows your IT team to focus on your own business, not on
keeping up with server updates and other issues that may require a stretch of resources.

Security
A PCI compliant hosting provider can provide the latest tested and audited technology to help
achieve compliance and secure your CHD. With a variety of required and recommended
security methods, you can trust experienced, certified professionals to maintain, monitor and
accurately generate logs of activity on your servers.

Outsourcing allows you to benefit from the various levels of security a quality hosting provider
should have in place, including physical security, meaning only authorized personnel have
limited access to your servers, and environmental controls with logged surveillance and multiple
alarm systems to detect any unauthorized access.

Network security includes protection of sensitive infrastructure, including managed servers,
cloud, power and network infrastructure built with redundant routers, switches and paired
universal threat management devices to protect sensitive information.

Your outsourced hosting provider should never access CHD, but instead build, maintain and
monitor the secure infrastructure in which your sensitive information is stored and transmitted.

Availability
The use of high-availability (HA) solutions within a fully redundant and compliant data center
can allow clients to increase their uptime and protect CHD availability. Using an HA
infrastructure can reduce the risk of business downtime due to a single point of failure.
Outsourcing to a PCI hosting provider means your business can take advantage of your data
center operator's design of power connections, UPS (Uninterruptible Power Supply) systems,
generators, air conditioning, networks and more.

Flexibility
Outsourcing allows you to benefit from the latest virtualization technologies, such as
fifth-generation VMware that dominates the market for applications that require a high degree of
scalability. Choosing a high-performance managed cloud allows for the ability to scale servers
up and down as needed to respond to the demands of end-users with fast deployment time.



4.2. Risks of Outsourcing Hosting
The primary risk of outsourcing IT infrastructure is that your hosting provider is not truly PCI
DSS compliant. Nothing beats a documented Report on Compliance (ROC) on the hosting
provider's level of PCI DSS compliance against all 12 requirements by a trusted third party. You
might have to sign an NDA to get a copy of their PCI Report on Compliance (ROC), but a
vendor who understands and invests in regular independent audits will provide a copy of their
audit report without hesitation.

Without documented proof of your hosting provider's PCI compliance against all 12
requirements, the burden is on your business to ensure that your hosting partner can protect
cardholder data. Remember, it's your credit line, customers, reputation, and business at risk, so
be thorough in your evaluation at the outset. Take the time to visit prospective PCI hosting
providers in person. The cost of travelling is a fraction of what a breach or a bad vendor
selection will cost you in the long run.

5.0. Vendor Selection Criteria
5.1. PCI DSS Compliant Business Associates
When a company decides to outsource PCI compliant hosting to a third party, it needs to look
for certain indicators of compliance to ensure due diligence in vetting the service provider. Due
diligence can help your company prevent a data breach, with its costly fines and damage to your
reputation and future growth.

PCI DSS Independent Audit Report
As the number of reported data breaches and their cost rise, it becomes imperative to select
hosting providers that have invested in independent audits and are willing to share a copy of
the audit report under NDA, demonstrating that they follow compliant policies and procedures.

Ask your PCI hosting provider whether they can provide a copy of their independent audit
report, also known as a PCI Report on Compliance (ROC), detailing the controls implemented to
meet the 12 PCI DSS requirements. Be clear about which requirements you are exclusively
responsible for, which require mutual effort by your company and the hosting provider, and
which, such as physical security, may be the responsibility of the hosting provider alone. Get
this split written down as a responsibility matrix, and follow your due diligence to ensure all
controls are appropriately covered between your company and the hosting provider.

PCI Ready vs PCI Certified vs PCI Compliant
Beware of data center operators that claim to be "PCI Certified" or "PCI Ready" without an
independent PCI audit report to back up the claim; neither term is defined by the PCI Security
Standards Council, and compliance is validated by an assessment, not conferred by a certificate.
Ask enough questions to be convinced there is an ongoing investment in independent audits and
that it's not just a checkbox to move past. A culture of security and compliance should be an
evident part of daily life and routine operations at your hosting provider.

Other Data Center Audits
While a PCI DSS audit is specific to payment card transactions and the protection of cardholder
data, other data center audits can give you additional insight into a vendor's ongoing
compliance and operating standards, as well as the quality of service you can expect to receive.

SAS 70 [9] - The Statement on Auditing Standards No. 70 was originally used to measure a
service provider's controls related to financial reporting and recordkeeping. Two types are
recognized by the AICPA (American Institute of CPAs): Type 1 reports on a company's
description of its controls, while Type 2 adds an auditor's opinion on how effectively these
controls operated over a specified period of time. This audit standard was superseded in June
2011 and is no longer current. A hosting provider that still offers only a SAS 70 report is
relying on an outdated standard.

[9] http://www.aicpa.org/News/FeaturedNews/Pages/SASNo70Transformed%E2%80%93ChangesAheadforStandardonServiceOrganizations.aspx

SSAE 16 - The Statement on Standards for Attestation Engagements No. 16 replaced
SAS 70 in June 2011. An SSAE 16 audit measures the controls relevant to financial
reporting. A Type 1 report covers the service organization's description of its system and the
suitability of the design of its controls at a point in time. A Type 2 report adds the auditor's
tests of whether those controls were implemented and operated effectively over a specified
period of time.
SOC 1 [10] - One of the three Service Organization Controls (SOC) reports developed by the
AICPA, this report measures the controls of a data center as relevant to financial reporting. It
is the report produced by an SSAE 16 engagement, so the two names refer to the same audit.
SOC 2 [11] - This report is a very detailed account of the technical controls relevant to IT and
data center service providers, assessed against five trust services principles: security,
availability, processing integrity (ensuring system accuracy, completeness and authorization),
confidentiality and privacy. There are two types: Type 1 reports on the data center's system
and the suitability of its control design at a point in time. Type 2 includes everything in
Type 1, plus the auditor's opinion on the operating effectiveness of the controls over a
specified period.
SOC 3 [12] - This report carries the auditor's opinion on the SOC 2 components and comes with
a seal that may be displayed on websites and other documents. It is less detailed and technical
than a SOC 2 report.
HIPAA - Enforced by the U.S. Department of Health and Human Services, the Health Insurance
Portability and Accountability Act of 1996 and its Privacy and Security Rules govern the
protection of protected health information (PHI), or patient health data (medical records). A
hosting provider that stores PHI needs to meet HIPAA requirements in order to ensure
sensitive patient information is protected. A HIPAA audit conducted by an independent
CHP (Certified HIPAA Practitioner) and CHSS (Certified HIPAA Security Specialist) can
provide a documented report showing that a data center operator has the proper policies and
procedures in place to provide HIPAA hosting solutions. Note that there is no official
government HIPAA certification; an independent audit report is the best available evidence.
Learn more about HIPAA compliant data centers in our white paper.

As with any type of audit, only a careful review of each individual compliance report can tell you
its full scope and depth of applicability. While two PCI DSS audits are more likely to be
consistent with each other than some of the other industry audits such as SSAE 16 (SOC 1),
SOC 2, or HIPAA audit reports, it always pays to read the details for yourself. Any potential
vendor should at least share a copy of their independent PCI DSS audit report under NDA. If
they do not, it indicates either that they have chosen not to invest in an independent PCI DSS
audit, or that the auditor's opinion was unfavorable.

Breach Insurance Protection
Even if a hosting provider has excellent security policies and procedures in place to prevent a
data breach, unexpected data loss can still occur. To assess the impact on your business, and
the resources the hosting provider has on hand to remediate and recover from a data breach,
ask for a copy of any data breach insurance policy. This is important to cover the cost of
notification, investigation, litigation and any levied penalties. If the hosting provider has been put
out of business or severely compromised by the substantial costs of a breach, all of the burden
will fall upon you.

[10] http://www.aicpa.org/InterestAreas/FRC/AssuranceAdvisoryServices/Pages/AICPASOC1Report.aspx
[11] http://www.aicpa.org/interestareas/frc/assuranceadvisoryservices/pages/aicpasoc2report.aspx
[12] http://www.aicpa.org/interestareas/frc/assuranceadvisoryservices/pages/aicpasoc3report.aspx

Insurance policies exist that mitigate the costs of data breach notification, litigation and
penalties. It's a basic protection every hosting provider and e-commerce company should invest
in.

Staff Policy Training
Your PCI DSS hosting provider should have documented internal processes and policies that
reflect best practice. Within their organization, they should have an appointed Risk
Management Officer who oversees that these policies and procedures are being followed
and are in compliance with the PCI DSS and other regulations.

The Risk Management Officer also conducts employee training to educate staff on, and
implement, the security policies and procedures that affect the day-to-day operations of the
organization. Employee training is important for any vendor handling sensitive data, as many
data breaches are the result of human error or an employee mishandling sensitive data rather
than external attack. During vendor selection, ask your hosting provider for the date of their
most recent employee policy training and the percentage of employees who have completed it.

5.2. Other Key Data Center Considerations

Ownership
As stated earlier, data ownership is especially important to review in your hosting contract.
Some providers reserve the right to access, allow access to, or claim ownership of your and/or
your clients' sensitive information while it is hosted on their servers or in their environment.
This issue can arise especially in the cloud, as some cloud vendors may claim legal ownership
of data once it is in their possession.

Another consideration is ownership and operation of the data center(s). Some hosting providers
deliver their service from data centers owned and operated by different companies. In these
cases, an audit of the physical safeguards and some of the technical safeguards must be
performed against yet another company. This can add significant expense to the audit process
unless the operator can and will provide a copy of its own independent PCI DSS report. If you
have no way of knowing who has access to or controls the environment that houses your
servers, let alone their level of compliance, you are putting your customers' cardholder data
and your business at risk.

Geographical Location
Hosting facility location is another important consideration, as data centers located in certain
regions are more susceptible to natural disasters, risking the complete destruction of your data.
Choosing a data center in a low-risk region (the Midwest, for example) reduces that exposure.

Another factor is climate - a region that allows a data center operator to take advantage of
natural cooling for most of the year also allows you, as the client, to take advantage of their
operating cost-savings. It also reduces the risk of overheating and potential hardware failure
that could affect your data availability.

Knowing where your data lives is a key consideration - if your data leaves the country, do you
still have control of it? Make sure any international partners have a thorough understanding of
the 12 PCI DSS requirements, and will share a documented opinion from a trusted third-party
QSA on their state of PCI DSS compliance.

Disaster Recovery
Any e-commerce based business depends on its functionality and data being always available.
Preserving the integrity of information means putting formal data backup and recovery plans in
place to ensure data can be accurately and quickly restored in the event of a disaster or
failure. Location matters for offsite backup and disaster recovery - a copy of your CHD in a
separate location preserves your information if the primary site is lost.

Virtualization technologies now make warm-site (standby, or at-the-ready) disaster recovery
affordable and very robust. There's simply no excuse for not having a secure backup of all
critical information that is no more than 24 hours old. Choose a cloud platform with an RTO
(Recovery Time Objective) of no more than 4 hours and an RPO (Recovery Point Objective) of
no more than 24 hours, built on a high-availability data center infrastructure. When possible,
make sure the production and disaster recovery installations reside far apart on separate
commercial power grids with automatic failover, so that a local natural disaster cannot affect
both locations (the required distance depends on the geographical location and the type of
natural disaster typical of that area).
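The RPO and offsite-copy rules above are easy to state and easy to drift away from, so they are worth checking mechanically against the backup catalog rather than trusting a dashboard. The following is an added example, not code from the white paper or from any hosting provider: it parses a constructed backup catalog (the CSV layout, site names "dc-primary" and "dc-dr", and the 24 hour RPO are assumptions for illustration) and reports, per dataset, whether a successful, encrypted copy exists at a site other than production within the RPO window. The encryption check reflects the later point in this paper that unencrypted CHD on backup media is itself a breach risk.

```python
"""Verify a backup catalog against an RPO and the offsite/encryption rules.

Added example for illustration; the catalog format, site names and
thresholds are assumptions. A real check would read the backup
software's own catalog or API instead of SAMPLE_CATALOG.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

RPO = timedelta(hours=24)        # maximum age of the newest usable offsite copy
PRODUCTION_SITE = "dc-primary"   # hypothetical production facility name


@dataclass(frozen=True)
class Backup:
    dataset: str
    site: str
    finished: datetime   # UTC completion time of the job
    status: str          # "ok" or "failed"
    encrypted: bool


# Constructed sample catalog, one completed job per line:
# dataset,site,finished_utc,status,encrypted
SAMPLE_CATALOG = """\
cardholder-db,dc-primary,2012-06-01T02:10:00Z,ok,yes
cardholder-db,dc-dr,2012-06-01T03:40:00Z,ok,yes
web-tier,dc-primary,2012-06-01T01:05:00Z,ok,yes
web-tier,dc-dr,2012-05-30T01:05:00Z,ok,yes
batch-archive,dc-primary,2012-06-01T00:30:00Z,ok,no
batch-archive,dc-dr,2012-06-01T00:55:00Z,failed,yes
"""


def parse_catalog(text: str) -> list:
    """Parse the CSV catalog into Backup records, skipping blanks/comments."""
    rows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        dataset, site, ts, status, enc = line.split(",")
        finished = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        rows.append(Backup(dataset, site, finished, status, enc == "yes"))
    return rows


def check_rpo(backups, now, rpo=RPO, production=PRODUCTION_SITE) -> dict:
    """Return {dataset: [finding, ...]}; an empty list means the dataset complies."""
    findings = {}
    for dataset in sorted({b.dataset for b in backups}):
        issues = []
        mine = [b for b in backups if b.dataset == dataset]
        # An unencrypted copy anywhere is a finding regardless of its age.
        for b in mine:
            if not b.encrypted:
                issues.append(f"unencrypted copy at {b.site}")
        # Only successful jobs at a non-production site count toward the RPO.
        offsite_ok = [b for b in mine if b.status == "ok" and b.site != production]
        fresh = [b for b in offsite_ok if now - b.finished <= rpo]
        if not fresh:
            latest = max(offsite_ok, key=lambda b: b.finished, default=None)
            if latest is None:
                issues.append("no successful offsite copy")
            else:
                issues.append(f"offsite copy is {now - latest.finished} old, exceeds RPO {rpo}")
        findings[dataset] = issues
    return findings


def run_sample(now_iso: str = "2012-06-01T12:00:00Z") -> dict:
    """Evaluate the constructed catalog as of a fixed 'now' (assumed for the demo)."""
    now = datetime.strptime(now_iso, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return check_rpo(parse_catalog(SAMPLE_CATALOG), now)


if __name__ == "__main__":
    for dataset, issues in run_sample().items():
        print(dataset, "OK" if not issues else "; ".join(issues))
```

In the constructed data, cardholder-db passes, web-tier fails because its only offsite copy is two days old, and batch-archive fails twice: its production copy is unencrypted and its only offsite job failed. Running this daily, with the real catalog and "now" taken from the clock, turns the paper's 24 hour RPO into something you can prove to an assessor rather than assert.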

Data Destruction
Ask your hosting provider about the technologies and methods used to erase sensitive
cardholder data. Electronic media should be wiped or destroyed consistent with NIST Special
Publication 800-88, Guidelines for Media Sanitization, to render CHD irretrievable.
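SP 800-88 separates the act of sanitizing from the step most providers skip, verifying that the sanitization actually took effect. The following is an added example, not code from the white paper or any vendor, showing the overwrite-then-verify pattern of the "Clear" category on a single file: every byte is overwritten with a fixed pattern, the write is made durable with fsync, and the file is read back in full before it is deleted. The sample data is constructed and the file is a temporary file created by the demo. One caveat a practitioner should keep in mind: a file-level overwrite does not reach filesystem journal or snapshot copies, remapped disk sectors, or the spare blocks of flash wear-leveling, so this demonstrates the verification step rather than replacing device-level sanitize commands or physical destruction for media that held CHD.

```python
"""Overwrite a file with a fixed pattern and verify the result by full
read-back, in the spirit of the NIST SP 800-88 "Clear" category.

Added example for illustration only. It sanitizes a regular file; it is
not a substitute for device-level sanitize or destruction (see caveat).
"""
import os
import tempfile

CHUNK = 1 << 20  # 1 MiB write/verify block size


def overwrite_file(path: str, pattern: bytes = b"\x00") -> int:
    """Overwrite every byte of `path` in place with `pattern`, force it to
    stable storage, and return the number of bytes written."""
    if len(pattern) != 1:
        raise ValueError("pattern must be a single byte")
    size = os.path.getsize(path)
    written = 0
    with open(path, "r+b") as f:
        while written < size:
            n = min(CHUNK, size - written)
            f.write(pattern * n)
            written += n
        f.flush()
        os.fsync(f.fileno())   # make the overwrite durable before verifying
    return written


def verify_overwrite(path: str, pattern: bytes = b"\x00") -> bool:
    """Full read-back verification: True only if every byte equals `pattern`."""
    expected = pattern * CHUNK
    with open(path, "rb") as f:
        while True:
            block = f.read(CHUNK)
            if not block:
                return True
            if block != expected[:len(block)]:
                return False


def sanitize_file(path: str, pattern: bytes = b"\x00") -> bool:
    """Overwrite, verify, then unlink. Returns True only if verification
    passed; on failure the file is deliberately left in place so the failure
    can be investigated instead of being silently discarded."""
    overwrite_file(path, pattern)
    if not verify_overwrite(path, pattern):
        return False
    os.remove(path)
    return True


def demo() -> dict:
    """Create a temporary file of constructed card-like records (a published
    test PAN, not real cardholder data), sanitize it, and report each step."""
    fd, path = tempfile.mkstemp(prefix="chd-sample-")
    with os.fdopen(fd, "wb") as f:
        f.write(b"PAN=4111111111111111;EXP=1215\n" * 50_000)  # 1,500,000 bytes
    size = os.path.getsize(path)
    verified_before = verify_overwrite(path)   # must be False: data still present
    sanitized = sanitize_file(path)
    return {
        "bytes": size,
        "verified_before": verified_before,
        "sanitized": sanitized,
        "exists": os.path.exists(path),
    }


if __name__ == "__main__":
    print(demo())
```

The demo writes 1.5 MB so that the loop crosses a chunk boundary, which is where off-by-one bugs in wipe routines usually hide. For whole devices, SP 800-88 allows verification by representative sampling instead of a full read-back, and either way the result should be recorded, with the media identifier, method, date and operator, so that the provider can show you a sanitization record at contract termination.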

Ensuring the confidentiality of your sensitive data means knowing where your data goes after
you terminate your contract with your PCI hosting vendor. It also means knowing whether any
copies of the data are left over after you leave the vendor. If any archived, unencrypted CHD
can be found on backup tapes or servers, you are exposed to a breach. Check your PCI hosting
provider's contract for specific provisions on how they will handle data after contract
termination.

High Availability
A high availability (HA) hosting infrastructure is imperative to ensuring data is always
accessible. HA solutions increase uptime and availability and lower risk. It's not a matter of if
something fails; it's planning for when failures happen - and they will. In your evaluation of any
data center - yours or a third party's - endeavor to identify all of the single points of failure.
It's worth getting an outside opinion when reviewing your own data center (nothing beats an
independent pair of eyes), and when visiting a potential data center hosting company, ask the
hard questions whenever you suspect complete redundancy is not in place.

With HA protection in place, providers can hedge against loss of electrical power, network
connectivity disruptions, router or firewall failures, and cooling problems, keeping CHD
protected and available.

A managed PCI hosting solution, including a managed cloud, takes into account several design
factors to ensure no single points of failure exist. This is true for the data center infrastructure
layer components, as well as the individual servers and components in the rack.

The major design points for a successful cloud implementation include building in redundancies
in critical equipment and infrastructure, including:

Power connections - Dual independent power feeds are run from disparate circuit breakers, to
two separate power supplies in the server. Each power supply on a server is plugged into
separate power strips in the rack. Power strips with digital amp load current readouts aid in
monitoring power levels and help avoid tripping a circuit breaker, which would shut down the
entire power strip.

UPS systems - Uninterruptible Power Supply (UPS) units, pooled in an N+1 configuration, clean
and distribute power and provide backup power through a bank of batteries in the event of a
power outage. The clean power from the UPS is stable; any fluctuation in utility power, whether
a surge or a brown-out, is regulated by the UPS.

Generators - Each UPS is fed with one or more power feeds from the utility company, and the
utility feed is backed by two generators that run on either diesel or natural gas. If utility power
is lost, the UPS maintains stable power to the racks while the generators start and provide
backup power. Fuel supply contracts must be in place with several vendors, with fuel delivery
SLAs.

Air conditioning - N+1 redundant cooling is in place with environmental monitoring, and
scheduled maintenance plans to ensure the data center climate remains in the safe zone.

Network connections, switches and firewalls - The network connectivity in a managed cloud is
designed to replicate the same redundancy as the power distribution, so that the network and
Internet connectivity have no single point of failure. Each server in the cloud should have at
least two separate Network Interface Cards (NICs) that allow the server to connect to the
redundant HA network infrastructure. Each NIC in the server is connected to a different network
switch, and the switches distribute network connectivity to all servers contained within the cloud.

Each network connection is connected to a pair of redundant firewalls, which protects traffic on
each segment of the network from intruders and security threats. Additionally, each firewall
connection is connected to separate Cisco routers and network access switches. These routers
are then connected to multiple Internet Service Providers (ISPs) to provide diverse network
paths to and from the Internet.

Server and storage devices - A high performance managed cloud relies on top-notch
technology for server hosts and SAN storage. Virtualization technologies like VMware (in its fifth
generation) dominate the market for applications that require a high degree of resiliency,
security, and scalability. The ability to scale servers up and down as needed also introduces
flexibility into the managed cloud architecture, so that clients can be responsive to the needs of
their end-users.

VMware backed by name-brand SAN and server technology creates the server and storage
platforms necessary to deliver highly available cloud solutions. Regardless of which brand of
hardware is chosen, using multiple server hosts allows VMware to fail over to secondary hosts in
the event of a hardware failure, keeping critical systems online in the cloud.

And finally, SANs with multiple redundant controllers and high-speed RAID disk systems are
designed to meet the performance and availability needs of virtualized environments. Today's
SANs combine intelligence and automation with fault tolerance to provide simplified
administration, rapid deployment, enterprise performance and reliability, and seamless
scalability.

Room to Grow
When choosing a PCI compliant hosting company, you want to partner with a business that can
give you room to grow. On-demand resources can be deployed rapidly with a managed cloud
solution, meaning you can easily scale servers up and down as needed.

Managed Services
With a managed hosting provider, you can take advantage of their managed services to ease
the burden on your own IT staff and resources. An investment in managed hosting services
means a trained and professional IT team can perform maintenance and updates, freeing up
your IT staff to focus on developing your core business and applications. Some of the managed
services available when you outsource include:

Patch Management - Ask your potential vendor if they provide OS patch management
as a managed service. Why is patch management important? If your servers aren't
updated and managed properly, your CHD and applications are exposed to known
vulnerabilities and all types of malicious attacks against your systems. Your hosting
provider should provide notification of outstanding updates, patch installation assistance,
and different levels of patch management for optimal security.
24/7 Emergency Response - In the event of unauthorized access or a disaster/failure,
your hosting provider should have a responsive, trained support team ready to report
and remediate the issue. The faster a data breach is reported, the more time your
company will have to respond to stop the issue, notify customers, and be on the path to
preventing future breaches.
Proactive Server Monitoring - With a remote server monitoring service, you should be
able to check the status of your servers even if you're not located at the data center.
Your hosting provider should have a monitoring service that allows you to check your
current disk space and bandwidth usage, and your application, web and database
performance.

If you were to choose to keep your hosting in-house, make sure you realistically have the
resources or budget to accommodate all of the features listed above, including the investment in
capital and hardware. Keeping operations in-house may require training or hiring of new staff to
manage server hardware, storage, virtual servers or data center infrastructure as you work to
implement and achieve PCI DSS compliance with different technologies. One example is
building an offsite disaster recovery solution - some cloud hosting providers could provide a
disaster recovery solution at a significantly lower cost compared to the cost of building it
internally.

6.0. Conclusion
Perform a Total Cost of Ownership (TCO) comparison between your current infrastructure and
what it would cost to make it redundant and PCI compliant with the costs of outsourcing to a PCI
DSS compliant hosting provider. With the right hosting provider that can prove compliance and
fit the needs of your company, you can safely outsource PCI hosting to a fully managed and
audited data center operator.

Partnering with a provider that can implement the proper administrative, technical and physical
security means you can also take advantage of their managed service offerings to save on
internal resources better spent on your core business competencies. Many find that focusing
their IT resources as close to their customer yields favorable outcomes at the bottom line.

However, realizing the benefits of outsourcing requires doing your due diligence, on behalf of
your clients, in the vendor selection process to keep the integrity, confidentiality and
availability of CHD consistent with the PCI DSS. Extending responsibilities to a third party
means you are only as compliant as your weakest link, further emphasizing the need to
carefully select your vendors.

Heres a quick review of what to look for in a PCI DSS compliant hosting provider:

Review a copy of their independent PCI Report on Compliance (ROC) outlining the
scope of their audit and details of the controls in place to protect sensitive data. This is
essential to ensuring their data centers and solutions are operating within compliance.
Ask your PCI hosting provider what type of specific technologies should be
implemented, and a copy of their detailed operating policies and procedures.
Check the dates of your vendors last employee training sessions, and the percent of
total employee completion. As a business associate, your hosting provider should have
an appointed Risk Management and Security Officer that oversees training and ongoing
compliance.
Review the contract carefully to understand both your and the hosting provider's
responsibilities, and their roles in protecting CHD from contract start to termination.
Check for a clause specifically related to their breach notification timeline.
Choose data center facilities located in regions with the lowest risk of natural disasters.
Evaluate their power, cooling, and network infrastructures for high availability and
disaster recovery options.
Understand contract provisions relevant to data ownership, data center ownership and
data destruction.

Meet with your potential vendor and verify all of the above are in place and that they are
regularly maintained and monitored. Outsourcing, when done right, can save businesses that
handle cardholder data significant resources and provide a high level of compliance and
service.

7.0. References
7.1. Questions to Ask Your PCI Hosting Provider

1. Which of the 12 PCI DSS requirements am I responsible for, which do you cover, and which
are we both responsible for?
____________________________________________________________________________
____________________________________________________________________________
____________________________________________________________________________

2. Which of the following are included in your hosting packages: firewalls, vulnerability scanning
(technologies and daily review/response), file integrity monitoring (technologies and
review/response)?
____________________________________________________________________________
____________________________________________________________________________
____________________________________________________________________________

3. What timeframe do you promise clients for breach notification?
____________________________________________________________________________
____________________________________________________________________________
____________________________________________________________________________

4. Who performed your independent PCI audit and do you provide copies of the audit report?
____________________________________________________________________________
____________________________________________________________________________
____________________________________________________________________________

5. What policies and technologies are used to protect my applications and CHD data?
____________________________________________________________________________
____________________________________________________________________________
____________________________________________________________________________

6. If disaster strikes, how long will it take before all applications and data are available again?
____________________________________________________________________________
____________________________________________________________________________
____________________________________________________________________________

7. Do you share a copy of your documented policies and procedures?
____________________________________________________________________________
____________________________________________________________________________
____________________________________________________________________________

8. Are your employees trained to handle CHD and comply with PCI DSS standards?
____________________________________________________________________________
____________________________________________________________________________
____________________________________________________________________________

7.2. Data Center Standards Cheat Sheet

SAS 70
The Statement on Auditing Standards No. 70 was the original audit used to measure a data
center's financial reporting and recordkeeping controls. Developed by the AICPA (American
Institute of CPAs), it had two types:
Type 1 - Reports on a company's description of its controls
Type 2 - Reports an auditor's opinion on how effectively these controls operated over a
specified period of time (six months)

SSAE 16
The Statement on Standards for Attestation Engagements No. 16 replaced SAS 70 in June
2011. An SSAE 16 audit measures the controls relevant to financial reporting.
Type 1 - The service organization's description of its system and the suitability of its control
design at a point in time.
Type 2 - Adds the auditor's tests of whether the controls were implemented and operated
effectively over a specified period of time.

SOC 1
The first of three Service Organization Controls reports developed by the AICPA, this report
measures the controls of a data center as relevant to financial reporting. It is the report
produced by an SSAE 16 engagement.

SOC 2
This report and audit are quite different from the previous ones. SOC 2 measures controls
specifically related to IT and data center service providers against five trust services
principles: security, availability, processing integrity (ensuring system accuracy, completeness
and authorization), confidentiality and privacy. There are two types:
Type 1 - The data center's system and the suitability of its control design at a point in
time.
Type 2 - Includes everything in Type 1, plus the auditor's opinion on the operating
effectiveness of the controls over a specified period.

SOC 3
This report carries the auditor's opinion on the SOC 2 components and comes with a seal that
may be displayed on websites and other documents. It is less detailed and technical than a
SOC 2 report.

HIPAA
Enforced by the U.S. Department of Health and Human Services, the Health Insurance
Portability and Accountability Act of 1996 and its Privacy and Security Rules govern the
protection of protected health information (PHI), or patient health data (medical records). A
hosting provider that stores PHI needs to meet HIPAA requirements in order to ensure
sensitive patient information is protected. A HIPAA audit conducted by an independent CHP
(Certified HIPAA Practitioner) and CHSS (Certified HIPAA Security Specialist) can provide a
documented report showing that a data center operator has the proper policies and procedures
in place to provide HIPAA hosting solutions. There is no official government HIPAA
certification; an independent audit report is the best available evidence. Learn more about
HIPAA compliant data centers in our white paper.
