PCI Compliant Data Centers
1.0. Executive Summary
2.0. Impact of PCI DSS on Data Centers
3.0. What is a PCI Compliant Data Center?
3.1. PCI Compliant Data Center Architecture
3.1.1. Requirements
3.1.2. PCI Audited Data Center Requirements
3.1.2.1. Third Party Independent PCI DSS Audit Report
3.1.2.2. PCI Audited Staff and Documented Security Policies
3.1.2.3. Data Center Security
3.1.2.4. Data Center Portal
3.1.3. High Availability, Secure Network Requirements
3.1.3.1. High Availability, Redundant Firewalls (IDS/IPS)
3.1.3.2. High Availability, Redundant Routers
3.1.3.3. High Availability, Redundant Internet Service Providers
3.1.3.4. Two-Factor Authentication
3.1.3.5. Vulnerability Scanning
3.1.3.6. Web Application Firewall (WAF)
3.1.3.7. SSL Certificate (Web Apps)
3.1.4. Secure Server Environment Requirements
3.1.4.1. Antivirus
3.1.4.2. OS Patch Management
3.1.4.3. File Integrity Monitoring (FIM)
3.1.4.4. Encryption
3.1.4.5. Daily Log Review
3.1.4.6. Backup and Disaster Recovery
3.1.4.7. Penetration Testing
4.0. Outsource vs. In-House
4.1. Benefits of Outsourcing Hosting
4.2. Risks of Outsourcing Hosting
5.0. Vendor Selection Criteria
5.1. PCI DSS Compliant Business Associates
5.2. Other Key Data Center Considerations
6.0. Conclusion
7.0. References
7.1. Questions to Ask Your PCI Hosting Provider
7.2. Data Center Standards Cheat Sheet
Two primary business drivers impact the data center: security and availability. Security
protects cardholder data. The major financial institutions collaborated to define PCI DSS
(Payment Card Industry Data Security Standard) with a minimum set of security
measures to protect the waterfall of sensitive identity and payment information flowing
through the Internet. Businesses that don't meet the standard risk steep fines, loss of
credit card processing rights, customer loyalty and legal costs in the event of a breach.
Every company that accepts credit card payments must be PCI compliant. Companies who can
afford to build their own PCI compliant IT infrastructure must invest in the resources to maintain
ongoing diligence with operating system and application security patches, daily log review,
periodic vulnerability scanning, and annual penetration testing. Companies that are not in a
position to build a PCI compliant infrastructure, or maintain the required rigorous daily demands,
look to outsource their IT infrastructure to a partner who has met PCI compliance. A PCI
compliant hosting partner can both relieve the initial CapEx investment and ongoing daily
compliance burdens.
This white paper explores the impact of the PCI DSS standard on data centers and server
infrastructure, describes the technical and contractual architecture of a PCI DSS compliant data
center, and outlines the benefits and risks of data center outsourcing and vendor selection
criteria.
There are 4 merchant levels of PCI compliance based on the number of payment
transactions performed.
While merchants at every level must be compliant with PCI DSS standards, compliance
for Level 1 merchants is the most demanding, and requires an independent audit by a
certified QSA.
In order to meet the 12 PCI DSS requirements, companies should have certain network and
server technology in place to ensure optimal data security and availability. Penetration testing is
required by PCI on an annual basis and after any environmental changes.
If outsourcing, companies should ensure their data and applications are housed in a PCI
audited data center with the following: third party independent PCI audit report; PCI audited staff
and policies; change management and documentation; data center security and data center
portal.
High availability, secure network requirements include high availability, redundant firewalls,
routers and Internet service providers; two-factor VPN access; vulnerability scanning;
penetration testing; web application firewalls and SSL certificates.
A secure server environment requires daily log review, OS (operating system) patch
management, antivirus, file integrity monitoring (FIM), and data encryption. A complete offsite
backup and disaster recovery solution is also required.
[1] https://www.pcisecuritystandards.org/documents/pci_dss_v2.pdf
For those entities that outsource storage, processing or transmission of cardholder data
to third-party service providers, the Report on Compliance (ROC) must document the
role of each service provider, clearly identifying which requirements apply to the
assessed entity and which apply to the service provider.[2]
Be clear that some of the standards you will be exclusively responsible for; some require mutual
effort by your company and the hosting provider; others such as physical security may be the
responsibility of only the hosting provider. Make sure you follow your due diligence to ensure all
controls are appropriately covered between your company and the hosting provider.
All staff should be trained in handling credit cardholder data in a secure manner, as well as
trained on how to maintain the physical and environmental security of a PCI compliant data
center. PCI requirement 12.6 requires organizations to:
Implement a formal security awareness program to make all personnel aware of the
importance of cardholder data security.
[2] https://www.pcisecuritystandards.org/documents/pci_dss_v2.pdf
Use appropriate facility entry controls to limit and monitor physical access to systems in
the cardholder data environment.
Verify the existence of physical security controls for each computer room, data center,
and other physical areas with systems in the cardholder data environment. Verify that
access is controlled with badge readers or other devices including authorized badges
and lock and key.
Network security should protect sensitive infrastructure (managed dedicated servers, cloud
servers, power and network infrastructure) by restricted access. Data security dictates that, if
outsourcing, your PCI compliant hosting provider should never access credit cardholder data.
Plan or evaluate with the knowledge that it's not a matter of if a firewall fails, it's when a
firewall fails. Look for every single point of failure in the data center and plan high-availability
redundancies anywhere they exist. For example, the firewalls should be plugged into separate
power strips that are connected to separate power feeds in the data center. If the redundant
firewalls are plugged into a single power strip that blows a fuse, all redundancy is lost.
[3] https://www.pcisecuritystandards.org/documents/pci_dss_v2.pdf
PCI requirement 8.3 mandates that organizations must implement two-factor, also known as
dual-factor or multi-factor, authentication for remote access to the network by employees,
administrators, and third parties.
Two-factor authentication significantly protects against weak or stolen passwords and provides
an additional layer of protection. This requires multiple forms of identification for a login, such as
a code and a username/password combination. Biometric login systems may require a
fingerprint along with a code or badge.
For the cloud and web-based applications, dual-authentication systems require a username,
password, and a code that is sent to a mobile device by phone call or text message. Ask your
PCI requirement 11.2 requires vulnerability scanning as part of requirement 11.0, which calls for
regularly testing security systems and processes:
Run internal and external network vulnerability scans at least quarterly and after any
significant change in the network (such as new system component installations, changes
in network topology, firewall rule modifications and product upgrades).
The scan checks ports open to Internet traffic and vulnerable applications and configurations
within your environment. A few examples include outdated versions of software, web
applications that aren't securely coded, or misconfigured networks. By testing firewalls and
networks, scanning can pinpoint weaknesses in your system's security.
[4] http://www.duosecurity.com
A Web Application Firewall (WAF) is specifically built to monitor website traffic for the
transmission of sensitive data and potentially block any network traffic that does not fit within the
allowable configuration.
Network firewalls and intrusion detection systems (IDS) can't detect or prevent many application
attacks. A WAF can detect potential application attacks, including SQL injection (database
commands sent through a web application to the backend database; these commands can be
used to delete or extract data) and other attacks that may not be detected by an IDS.
PCI requirement 6.6 mandates the protection of credit cardholder data by developing and
maintaining secure systems and applications:
PCI allows merchants to choose either a WAF or code review (either manual or automated) to
fulfill the requirement. Code review can be time-consuming, complex and costly, and require the
use of many different tools. A WAF from a hosting provider can be more cost-effective and
easier to manage.
For cardholder data applications that involve a website, security is paramount, and the use of a
WAF makes sense. It is one tool in the security toolbox for consideration.
3.1.4.1. Antivirus
PCI requirement 5.1 specifically requires the deployment of antivirus software on all systems
commonly affected by malicious software (particularly personal computers and servers).[5]
We all use antivirus on our laptops, so using this on a server operates under the same premise:
safety and security for critical infrastructure. This is one of the most important elements of
security you can buy for the money for a managed server.
With all the security bulletins, holes, bugs, viruses, and security vulnerabilities announced daily
for operating systems, applications, and databases, a consistent and documented process is
needed to ensure that regular patching safeguards all systems. This may include a collection of
patching tools, processes, and procedures. A unified test, staging, and production environment
to test the patches is critical to assess the impact of patches on the system before they affect
production environments. If you outsource services, make sure you find out who is responsible
for maintaining security patches and the frequency of checking for updates.
[5] https://www.pcisecuritystandards.org/documents/pci_dss_v2.pdf
File Integrity Monitoring refers to ensuring the integrity of the files on a server. The basic
technique is the comparison of the current file to the known, safe baseline. While file changes
are expected and within the normal realm of daily interaction and activity, there are a few key
changes that may trigger additional investigation such as a change of ownership, security
settings, or configuration values.
A separate FIM server is required for PCI. There are many third party software applications to
monitor and evaluate file changes and alert administrators of any suspicious activity, but be sure
to clarify who receives and is responsible for the alerts. Most PCI compliant hosting providers
will set up a FIM server, but leave the client to manage, investigate, and remediate alerts and
issues. Make sure you know what's included in the quotes you receive in terms of both the
technology and the daily care and feeding required to remain PCI DSS compliant.
[6] https://www.pcisecuritystandards.org/documents/pci_dss_v2.pdf
[7] https://www.pcisecuritystandards.org/documents/pci_dss_v2.pdf
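As an added example (not code from the white paper or any vendor product), here is the baseline comparison described above in Python: it records a SHA-256 hash, permission bits and owner for every file under a directory, then reports every difference, flagging ownership, permission and configuration changes for investigation while logging routine content churn as informational. The directory layout, file names and the rule that .conf/.ini/.cfg files are configuration are constructed assumptions.

```python
import hashlib
import os
import stat
import tempfile

# Assumption for this example: files with these suffixes hold configuration, so a
# content change on them is flagged for investigation rather than merely recorded.
CONFIG_SUFFIXES = (".conf", ".ini", ".cfg")


def fingerprint(path):
    """SHA-256 hash, permission bits and owner of one regular file."""
    st = os.lstat(path)
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return {
        "sha256": digest.hexdigest(),
        "mode": stat.S_IMODE(st.st_mode),  # permission bits only, not file type
        "uid": st.st_uid,
        "gid": st.st_gid,
    }


def build_baseline(root):
    """Fingerprint every regular file under root (symlinks are skipped)."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if os.path.islink(full) or not os.path.isfile(full):
                continue
            baseline[os.path.relpath(full, root)] = fingerprint(full)
    return baseline


def compare_to_baseline(root, baseline):
    """Return (path, severity, detail) tuples for every difference from the baseline."""
    current = build_baseline(root)
    findings = []
    for rel in sorted(set(baseline) | set(current)):
        old, new = baseline.get(rel), current.get(rel)
        if old is None:
            findings.append((rel, "INVESTIGATE", "file not present in baseline"))
            continue
        if new is None:
            findings.append((rel, "INVESTIGATE", "baseline file missing"))
            continue
        if (old["uid"], old["gid"]) != (new["uid"], new["gid"]):
            findings.append((rel, "INVESTIGATE",
                             f"ownership changed {old['uid']}:{old['gid']} -> {new['uid']}:{new['gid']}"))
        if old["mode"] != new["mode"]:
            findings.append((rel, "INVESTIGATE",
                             f"permissions changed {old['mode']:04o} -> {new['mode']:04o}"))
        if old["sha256"] != new["sha256"]:
            severity = "INVESTIGATE" if rel.endswith(CONFIG_SUFFIXES) else "INFO"
            findings.append((rel, severity, "content changed"))
    return findings


def demo():
    """Constructed scenario: baseline a small tree, then make routine and suspicious changes."""
    with tempfile.TemporaryDirectory() as root:
        etc = os.path.join(root, "etc")
        os.makedirs(etc)
        app_conf = os.path.join(etc, "app.conf")
        log_file = os.path.join(root, "app.log")
        with open(app_conf, "w") as fh:
            fh.write("tls_min_version = 1.2\n")
        os.chmod(app_conf, 0o640)
        with open(log_file, "w") as fh:
            fh.write("started\n")
        baseline = build_baseline(root)

        # Routine churn: the log grows. Worth investigating: the config is edited and
        # made world-writable, and an unknown script appears.
        with open(log_file, "a") as fh:
            fh.write("request served\n")
        with open(app_conf, "w") as fh:
            fh.write("tls_min_version = 1.0\n")
        os.chmod(app_conf, 0o666)
        with open(os.path.join(root, "cron.sh"), "w") as fh:
            fh.write("#!/bin/sh\n")
        return compare_to_baseline(root, baseline)


if __name__ == "__main__":
    for path, severity, detail in demo():
        print(f"{severity:12} {path}: {detail}")
```

In production the baseline would be stored off the monitored host and the comparison scheduled, with the INVESTIGATE findings routed to whoever the contract says owns the alerts.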
Data at rest are data that may be stored on servers or backup media while not in use. These
data must be encrypted in case of disk drive failure or unauthorized access. Many data
breaches are due to lost or stolen unencrypted portable devices (laptops or smartphones) - this
data should not be stored on portable devices, but instead in PCI compliant data centers at an
offsite location. That way, thousands of cardholder records aren't stored on any of your
computing devices, but instead in a secure location that you can access. This greatly improves
your CHD (cardholder data) security - if you lose the device, you won't lose all of the sensitive
data as well.
Daily log review is a service that analyzes logs, and sends reports of the most important
messages to the organization. These messages provide insight into any abnormalities in the
system network and servers including failed login attempts or other indicators of possible
intrusions.
This service allows the organization to know who accessed which systems and data, and their
activity while logged in. Why is this useful? It provides insight into any data leaks or potential
breaches, and allows you to track activity on your system.
Record at least the following audit trail entries for all system components for each event:
The standard goes on to list what each entry must record, including user identification, type of
event, date and time, success or failure indication, etc.
Review logs for all system components at least daily. Log reviews must include those
servers that perform security functions like intrusion-detection system (IDS) and
authentication, authorization, and accounting protocol (AAA) servers (for
example, RADIUS).
Make sure you understand who will perform the daily log review. If you handle this in-house,
make sure that you allocate enough human resources to allow for a thorough review and
response. If you are outsourcing PCI hosting, be sure to clarify up front who is responsible for
reviewing the daily logs and the response process when an issue deserves further investigation
or escalation. Many hosting providers will sell a log monitoring server, but put the burden of
daily log review on their clients.
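An added example, not from the white paper, of the daily review described above: it parses a constructed audit trail carrying the 10.3 fields (user identification, event type, date and time, success or failure, origin, and the system or data object), reports who reached which systems and data, and raises alerts for repeated failed logins and for a login that succeeds right after a run of failures. The key=value log format, host names, addresses and the threshold of three failures are all assumptions made for the example.

```python
import re
from collections import Counter, defaultdict
from datetime import date, datetime

# Constructed audit trail (not real data). Each line carries the PCI DSS 10.3 fields:
# timestamp, affected system, user identification, event type, success/failure,
# origin address and, for data access events, the object touched.
SAMPLE_LOG = """\
2013-04-03T00:12:41Z host=web01 user=alice event=login result=success src=10.0.1.5
2013-04-03T02:14:11Z host=db01 user=svc_backup event=login result=failure src=198.51.100.7
2013-04-03T02:14:13Z host=db01 user=svc_backup event=login result=failure src=198.51.100.7
2013-04-03T02:14:16Z host=db01 user=svc_backup event=login result=failure src=198.51.100.7
2013-04-03T02:14:20Z host=db01 user=svc_backup event=login result=success src=198.51.100.7
2013-04-03T02:15:02Z host=db01 user=svc_backup event=read result=success src=198.51.100.7 obj=/srv/chd/batch.dat
2013-04-03T09:30:00Z host=web01 user=bob event=login result=failure src=10.0.1.9
2013-04-03T09:30:20Z host=web01 user=bob event=login result=success src=10.0.1.9
2013-04-04T01:00:00Z host=db01 user=alice event=login result=success src=10.0.1.5
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z) host=(?P<host>\S+) user=(?P<user>\S+) "
    r"event=(?P<event>\S+) result=(?P<result>success|failure) src=(?P<src>\S+)"
    r"(?: obj=(?P<obj>\S+))?$"
)


def parse_audit_trail(text):
    """Parse lines into dicts. A malformed line is returned separately, not silently dropped."""
    events, malformed = [], []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            malformed.append(line)
            continue
        rec = m.groupdict()
        rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(rec)
    return events, malformed


def daily_review(events, day, failure_threshold=3):
    """Summarise one day's audit trail the way a daily log review would."""
    todays = sorted((e for e in events if e["ts"].date() == day), key=lambda e: e["ts"])
    who_accessed = defaultdict(set)   # user -> systems reached
    data_touched = defaultdict(set)   # user -> objects read or written
    failures = Counter()              # (user, host, src) -> failed logins so far
    alerts = []
    for e in todays:
        key = (e["user"], e["host"], e["src"])
        if e["event"] == "login":
            if e["result"] == "failure":
                failures[key] += 1
                continue
            who_accessed[e["user"]].add(e["host"])
            # A success immediately following a run of failures is the classic
            # password-guessing indicator and deserves escalation the same day.
            if failures[key] >= failure_threshold:
                alerts.append(f"{e['user']}@{e['host']} logged in from {e['src']} "
                              f"after {failures[key]} failures")
        elif e["obj"]:
            data_touched[e["user"]].add(e["obj"])
    for (user, host, src), n in failures.items():
        if n >= failure_threshold:
            alerts.append(f"{n} failed logins for {user} on {host} from {src}")
    return {
        "systems": {u: sorted(h) for u, h in who_accessed.items()},
        "data": {u: sorted(o) for u, o in data_touched.items()},
        "alerts": alerts,
    }


def review_sample():
    """Run the review over the constructed log for 2013-04-03."""
    events, malformed = parse_audit_trail(SAMPLE_LOG)
    assert not malformed, "malformed lines must be investigated, not ignored"
    return daily_review(events, date(2013, 4, 3))


if __name__ == "__main__":
    report = review_sample()
    print("systems:", report["systems"])
    print("data:", report["data"])
    for alert in report["alerts"]:
        print("ALERT:", alert)
```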
PCI standard 9.5 requires a data backup plan, disaster recovery plan, emergency mode
operation plan, testing and revision procedures, and application and data criticality analysis.
Offsite data backups are imperative and offsite disaster recovery is strongly recommended.
PCI standard 10.7 also refers to keeping logs of user activity on systems for a certain period of
time:
Retain audit trail history for at least one year, with a minimum of three months
immediately available for analysis (for example, online, archived, or restorable from
back-up).
Online payment transactions happen 24x7. Availability means that your critical applications and
data need to be recoverable in the event of a disaster or downtime.
Protecting cardholder data and business availability means putting procedures in place to
mitigate disasters, and having a solid plan in-hand to activate when a disaster occurs. The
infrastructure to do this is defined by two perspectives:
1. Disaster Prevention - Putting all the tools in place to minimize the probability of an
outage in the data center infrastructure, server hardware, software and network
connectivity.
2. Disaster Recovery - Assuring that the applications and data can be recovered and
restored in a reasonable timeframe to continue running the business and making
cardholder data available if a disaster occurs in the primary data center.
[8] https://www.pcisecuritystandards.org/documents/pci_dss_v2.pdf
Save on Costs
Why would a merchant with credit cardholder data outsource their hosting solution to a third-
party? If you choose a PCI compliant hosting provider that has already passed a PCI audit by
an independent auditor with PCI security expertise, this can save your company time and
money by eliminating the need to audit your vendor in addition to your own business. While it
does not release you of the obligation and responsibility of meeting compliance, it may help you
achieve compliance faster and at a lower cost.
Additionally, managed hosting allows your IT team to focus on your own business, not on
keeping up with server updates and other issues that may require a stretch of resources.
Security
A PCI compliant hosting provider can provide the latest tested and audited technology to help
achieve compliance and secure your CHD. With a variety of required and recommended
security methods, you can trust experienced, certified professionals to maintain, monitor and
accurately generate logs of activity on your servers.
Outsourcing allows you to benefit from the various levels of security a quality hosting provider
should have in place, including physical security, meaning only authorized personnel have
limited access to your servers, and environmental controls with logged surveillance and multiple
alarm systems to detect any unauthorized access.
Your outsourced hosting provider should never access CHD, but instead build, maintain and
monitor the secure infrastructure in which your sensitive information is stored and transmitted.
Availability
The use of high-availability (HA) solutions within a fully redundant and compliant data center
can allow clients to increase their uptime and protect CHD availability. Using an HA
infrastructure can reduce the risk of business downtime due to a single point of failure.
Outsourcing to a PCI hosting provider means your business can take advantage of your data
center operator's design of power connections, UPS (Uninterruptible Power Supply) systems,
generators, air conditioning, networks and more.
Flexibility
Outsourcing allows you to benefit from the latest virtualization technologies, such as fifth-
generation VMware that dominates the market for applications that require a high degree of
scalability. Choosing a high-performance managed cloud allows for the ability to scale servers
up and down as needed to respond to the demands of end-users with fast deployment time.
Without documented proof of your hosting provider's PCI compliance against all 12
requirements, the risk is on your business to ensure that your hosting partner can protect
cardholder data. Remember, it's your credit line, customers, reputation, and business at risk, so
be thorough in your evaluation at the outset. Take the time to visit prospective PCI hosting
providers in person. The cost of travelling is a fraction of what a breach or bad vendor
selection will cost you in the long run.
Ask your PCI hosting provider if they can provide a copy of their independent audit report, also
known as a PCI Report on Compliance (ROC), detailing the controls implemented to meet the
12 PCI DSS requirements. Be clear that some of the standards you will be exclusively
responsible for; some require mutual effort by your company and the hosting provider; others
such as physical security may be the responsibility of only the hosting provider. Make sure you
follow your due diligence to ensure all controls are appropriately covered between your
company and the hosting provider.
SAS 70 [9] - The Statement on Auditing Standard No. 70 was originally used to measure a
service provider's controls related to financial reporting and recordkeeping. Two types
are recognized by the AICPA (American Institute of CPAs) - Type 1 reports on a
company's description of their operational controls, while Type 2 includes an auditor's
opinion on how effective these controls are over a specified period of time. This audit
standard expired in June 2011 and is no longer current. A hosting provider that still
offers a SAS 70 report is out of date and out of compliance.
[9] http://www.aicpa.org/News/FeaturedNews/Pages/SASNo70Transformed%E2%80%93ChangesAheadforStandardonServiceOrganizations.aspx
As with any type of audit, only a careful review of each individual compliance report can tell you
the full scope and depth of their applicability. While two PCI DSS audits are more likely to be
consistent than some of the other industry audits such as SSAE 16 (SOC 1), SOC 2, or HIPAA
audit reports, it always pays to read the details for yourself. Any potential vendor should at least
share a copy of their independent PCI DSS audit report under NDA. If they do not, it indicates
either that they have chosen not to invest in an independent PCI DSS audit, or the auditor's
opinion was unfavorable.
[10] http://www.aicpa.org/InterestAreas/FRC/AssuranceAdvisoryServices/Pages/AICPASOC1Report.aspx
[11] http://www.aicpa.org/interestareas/frc/assuranceadvisoryservices/pages/aicpasoc2report.aspx
[12] http://www.aicpa.org/interestareas/frc/assuranceadvisoryservices/pages/aicpasoc3report.aspx
Insurance policies exist that will mitigate the costs of data breach notification, litigation and
penalties. It's a basic protection every hosting provider and e-commerce company should invest
in.
The Risk Management Officer also conducts employee training to educate and implement the
security policies and procedures that affect the day-to-day operations of their organization.
Employee training is important when it comes to any vendor handling sensitive data, as many
data breaches are a result of human error, or an employee mishandling sensitive data, and not
hacker-related. Ask your hosting provider for the most recent date of their employee policy
training and percent of employees that have completed training during the vendor selection
process.
Another consideration is ownership and operation of the data center(s). Some hosting providers
will provide a service that is run in data centers owned and operated by different companies. In
these cases, an audit of the physical safeguards and some of the technical safeguards must be
performed against yet another company. This can sometimes add significant expense to the
audit process unless the operator can and will provide a copy of their independent PCI DSS
report. If you have no way of knowing who has access to or controls the environment that
houses your servers, let alone their level of compliance, you are putting your customers'
cardholder data and your business at risk.
Geographical Location
Hosting facility location is another important consideration, as data centers located in certain
regions are more susceptible to natural disasters, risking the complete destruction of your data.
Choosing a data center located in a neutral, low-risk region such as the Midwest is one step
closer to complete data safety.
Another factor is climate - a region that allows a data center operator to take advantage of
natural cooling for most of the year also allows you, as the client, to take advantage of their
operating cost-savings. It also reduces the risk of overheating and potential hardware failure
that could affect your data availability.
Disaster Recovery
Any e-commerce based business depends on functionality and data being always available.
Preserving the integrity of information means putting formal data backup and recovery plans in
place to ensure data can be accurately and quickly accessed in the event of a disaster or
failure. Location is important when it comes to offsite backup and disaster recovery - a copy of
your CHD in a separate location can preserve the integrity of your information.
Data Destruction
Ask your hosting provider about their technologies and methodologies used to erase sensitive
cardholder data. Electronic media should be wiped or destroyed consistent with NIST standards
outlined in the NIST Special Publication 800-88, Guidelines for Media Sanitization, to render
CHD irretrievable.
Ensuring the confidentiality of your sensitive data means knowing where your data goes after
you terminate your contract with your PCI hosting vendor. It also means knowing whether or not
there are any copies of the data leftover after you leave the vendor. If any archived,
unencrypted CHD can be found on backup tapes or servers, you are putting your business at
risk for a breach. Check your PCI hosting providers contract for specific provisions on how they
will handle data after contract termination.
High Availability
A high availability (HA) hosting infrastructure is imperative to ensuring data is always
accessible. HA solutions increase uptime and availability and lower risks. It's not a matter of if
something fails, it's planning for when failures happen - and they will. In your evaluation of any
data center - yours or a third-party - endeavor to identify all of the single points of failure. It's
worth an outside opinion if reviewing your own data center (nothing beats an independent pair
of eyes) and when visiting a potential data center hosting company - ask the hard questions
whenever you suspect complete redundancy is not in place.
With HA protection in place, providers can hedge against the loss of electrical power, network
connectivity disruptions, router failures, firewall attacks, cooling problems, and have peace of
mind knowing CHD is protected, available, and safe.
A managed PCI hosting solution, including a managed cloud, takes into account several design
factors to ensure no single points of failure exist. This is true for the data center infrastructure
layer components, as well as the individual servers and components in the rack.
Power connections - Dual independent power feeds are run from disparate circuit breakers, to
two separate power supplies in the server. Each power supply on a server is plugged into
separate power strips in the rack. Power strips with digital amp load current readouts aid in
monitoring power levels and help avoid tripping a circuit breaker, which would shut down the
entire power strip.
UPS systems - Uninterruptible Power Supplies (UPS) with pooled N+1 batteries clean and
distribute power and provide backup power through a bank of batteries in the event of a power
outage. The clean power from the UPS is stable; therefore, any fluctuation in power, both power
surge and brown-out, is regulated by the UPS.
Generators - Each UPS is fed with one or more power feeds from the utility company. The
utility power feed is tied to two generators that run on either diesel or natural gas. If utility power
is lost, the UPS maintains stable power to the racks while the generators start and provide
backup power. Fuel supply contracts must be in place from several vendors, and fuel delivery
SLAs must be in place.
Air conditioning - N+1 redundant cooling is in place with environmental monitoring, and
scheduled maintenance plans to ensure the data center climate remains in the safe zone.
Network connections, switch and firewalls - The network connectivity in a managed cloud is
designed to replicate the same redundancy as the power distribution so the network and
Internet connectivity offer no single source of failure. Each server in the cloud should have at
least two separate Network Interface Cards (NICs) that allow the server to connect to the
redundant HA network infrastructure. Each NIC in the server is connected to different network
switches, which disperse the network connectivity to all servers contained within the cloud.
Each network connection is connected to a pair of redundant firewalls, which protects traffic on
each segment of the network from intruders and security threats. Additionally, each firewall
connection is connected to separate Cisco routers and network access switches. These routers
are then connected to multiple Internet Service Providers (ISPs) to provide diverse network
paths to and from the Internet.
Server and storage devices - A high performance managed cloud relies on top-notch
technology for server hosts and SAN storage. Virtualization technologies like VMware (in its fifth
generation) dominate the market for applications that require a high degree of resiliency,
security, and scalability. The ability to scale servers up and down as needed also introduces
flexibility into the managed cloud architecture, so that clients can be responsive to the needs of
their end-users.
VMware backed by name-brand SAN and server technology creates the server and storage
platforms necessary to deliver highly available cloud solutions. Regardless of which brand of
hardware is chosen, using multiple server hosts allows VMware to fail over to secondary hosts in
the event of a hardware failure, keeping critical systems online in the cloud.
And finally, SANs with multiple redundant controllers and high-speed RAID disk systems are
designed to meet the performance and availability needs of virtualized environments. Today's
Room to Grow
When choosing a PCI compliant hosting company, you want to partner with a business that can
give you room to grow. On-demand resources can be deployed rapidly with a managed cloud
solution, meaning you can easily scale servers up and down as needed.
Managed Services
With a managed hosting provider, you can take advantage of their managed services to ease
the burden on your own IT staff and resources. An investment in managed hosting services
means a trained and professional IT team can perform maintenance and updates, freeing up
your IT staff to focus on developing your core business and applications. Some of the managed
services available when you outsource include:
Patch Management - Ask your potential vendor if they provide OS patch management
as a managed service. Why is patch management important? If your servers aren't
updated and managed properly, your CHD and applications are vulnerable to hackers
and all types of malicious attacks against your systems. Your hosting provider should
provide notification of outstanding updates, patch installation assistance and offer
different levels of patch management for optimal security.
24/7 Emergency Response - In the event of unauthorized access or a disaster/failure,
your hosting provider should have a responsive, trained support team ready to report
and remediate the issue. The faster a data breach is reported, the more time your
company will have to respond to stop the issue, notify customers, and be on the path to
preventing future breaches.
Proactive Server Monitoring - With a remote server monitoring service, you should be
able to check the status of your servers even if you're not located at the data centers.
Your hosting provider should have a monitoring service that allows you to check your
current disk space or bandwidth usage, and your application, web and database
performance.
If you were to choose to keep your hosting in-house, make sure you realistically have the
resources or budget to accommodate all of the features listed above, including the investment in
capital and hardware. Keeping operations in-house may require training or hiring of new staff to
manage server hardware, storage, virtual servers or data center infrastructure as you work to
implement and achieve PCI DSS compliance with different technologies. One example is
building an offsite disaster recovery solution - some cloud hosting providers could provide a
disaster recovery solution at a significantly lower cost compared to the cost of building it
internally.
Partnering with a provider that can implement the proper administrative, technical and physical
security means you can also take advantage of their managed service offerings to save on
internal resources better spent on your core business competencies. Many find that focusing
their IT resources as close to their customer yields favorable outcomes at the bottom line.
However, realizing the benefits of outsourcing requires doing your due diligence to your clients
in the vendor selection process to keep the integrity, confidentiality and availability of CHD
consistent with PCI DSS standards. Extending the responsibilities to a third-party means you
are only as compliant as your weakest link - further emphasizing the need to carefully select
your vendors.
Here's a quick review of what to look for in a PCI DSS compliant hosting provider:
Review a copy of their independent PCI Report on Compliance (ROC) outlining the
scope of their audit and details of the controls in place to protect sensitive data. This is
essential to ensuring their data centers and solutions are operating within compliance.
Ask your PCI hosting provider what type of specific technologies should be
implemented, and a copy of their detailed operating policies and procedures.
Check the dates of your vendor's last employee training sessions, and the percent of
total employee completion. As a business associate, your hosting provider should have
an appointed Risk Management and Security Officer that oversees training and ongoing
compliance.
Review the contract carefully to understand both your and the hosting provider's
responsibilities, and their roles in protecting CHD from contract start to termination.
Check for a clause specifically related to their breach notification timeline.
Choose data center facilities located in regions with the lowest risk of natural disasters.
Evaluate their power, cooling, and network infrastructures for high availability and
disaster recovery options.
Understand contract provisions relevant to data ownership, data center ownership and
data destruction.
Meet with your potential vendor and verify that all of the above are in place and that they are regularly maintained and monitored. Outsourcing, when done right, can save businesses that handle cardholder data significant resources and provide a high level of compliance and service.
1. What portions of the 12 PCI standards am I responsible for, which do you cover, and which are we both responsible for?
2. Which of the following are included in your hosting packages: firewalls, vulnerability scanning (technologies and daily review/response), file integrity monitoring (technologies and review/response)?
4. Who performed your independent PCI audit and do you provide copies of the audit report?
5. What policies and technologies are used to protect my applications and CHD data?
6. If disaster strikes, how long will it take before all applications and data are available again?
8. Are your employees trained to handle CHD and comply with PCI DSS standards?
SAS 70
The Statement on Auditing Standards No. 70 was the original audit used to measure a data center's financial reporting and recordkeeping controls. Developed by the AICPA (American Institute of CPAs), it has two types:
Type 1: Reports on a company's description of its operational controls.
Type 2: Reports on an auditor's opinion on how effective these controls are over a specified period of time (six months).
SSAE 16
The Statement on Standards for Attestation Engagements No. 16 replaced SAS 70 in June 2011. An SSAE 16 audit measures the controls relevant to financial reporting.
Type 1: A data center's description and assertion of controls, as reported by the company.
Type 2: Auditors test the accuracy of the controls and the implementation and effectiveness of controls over a specified period of time.
SOC 1
The first of three new Service Organization Controls reports developed by the AICPA, this report measures the controls of a data center as relevant to financial reporting. It is essentially the same as an SSAE 16 audit.
SOC 2
This report and audit is completely different from the previous ones. SOC 2 measures controls specifically related to IT and data center service providers. The five controls are security, availability, processing integrity (ensuring system accuracy, completeness and authorization), confidentiality and privacy. There are two types:
Type 1: A data center's system and the suitability of its design of controls, as reported by the company.
Type 2: Includes everything in Type 1, with the addition of an auditor's opinion on the operating effectiveness of the controls.
SOC 3
This report includes the auditor's opinion on the SOC 2 components, with an additional seal of approval to be used on websites and other documents. The report is less detailed and technical than a SOC 2 report.
HIPAA
Mandated by the U.S. Department of Health and Human Services, the Health Insurance Portability and Accountability Act of 1996 specifies laws to secure protected health information (PHI), or patient health data (medical records). When it comes to data centers, a hosting provider needs to meet HIPAA compliance in order to ensure sensitive patient information is protected. A HIPAA audit conducted by an independent CHP (Certified HIPAA Practitioner) and CHSS (Certified HIPAA Security Specialist) can provide a documented report to prove a data center operator has the proper policies and procedures in place to provide HIPAA hosting solutions. No other audit or report can provide evidence of full HIPAA compliance. Learn more about HIPAA compliant data centers in our white paper.