PCI Colocation Compliance Requirements In A Data Center
As of 2012, online companies accepting credit card payments must meet the PCI DSS (Payment Card Industry Data Security Standard). PCI DSS requires all companies that process, store, or transmit credit card information to have a secure environment. PCI DSS merchants is defined as any entity that accepts payment cards using the logos of any of the five members of PCI SSC ((American Express, Discover, JCB (Japanese Credit Bureau), MasterCard or Visa)) for payment for goods, transactions and/or services. A merchant that accepts payment cards as payment for goods, transaction and/or services can also be a service provider if your services result in storing, processing, or transmitting card holder data on behalf of other merchants or service providers. Some of the companies that are required to be compliant are:
- Banks and financial institutions
- Educational institutions
- Technology companies
- Hotels and restaurants
- Insurance companies
- Post offices
- And many more!
DataCenterAndColocation is a Data Center and Colocation site consultancy that can help your organization select a data center that meets or exceed the PCI DSS standard. PCI compliance ensures that client data is encoded and transferred in a secure manner. With data integrity being an important undertaking for most businesses, especially those with sensitive business information, a PCI compliant data center guarantees that data remains secure and can only be accessed by company personnel. DataCenterAndColocation will work with the data center and colocation vendors on your behalf based on your requirements.
PCI Compliance Responsibilities
Let’s take a look in more detail of the PCI Compliance responsibilities for merchants and companies located in a data center:
- Build and Maintain a Secure Network
- Install and maintain a firewall configuration to protect card holder data
- Do not use vendor-supplied defaults for system passwords and other security parameters
- Protect card holders Data
- Protect stored card holder data
- Encrypt transmission of card holder data across open, public networks
- Maintain a Vulnerability Management Program
- Use and regularly update anti-virus software of programs
- Develop and maintain secure systems and applications
- Implement Strong Access Control Measures
- Restrict access to card holder data by business need-to-know
- Assign a unique ID to each person with computer access
- Restrict physical access to card holder data
- Regularly Monitor and Test Networks
- Track and monitor all access to network resources and card holder data
- Regularly test security systems and processes
- Maintain an Information Security Policy
- Maintain a policy that addresses information security for employees and contractors
And there are more requirements depending if your organization needs to meet the new replacement for SAS 70, SSAE 16 (Statement on Standards for Attestation Engagements No. 16) and ISAE 3402 (International Standard on Assurance Engagements).
DataCenterAndColocation will work with you and your organization to find a data center which will facilitate your requirements and help you reach PCI DSS compliance in as little time as possible, minimizing risk of delays – and costs.
What Are The Penalties For Noncompliance?
The payment companies may fine an acquiring bank $5,000 to $100,000 per month for PCI compliance violations. The banks will most likely pass this fine on downstream till it eventually hits the merchant. A bank will also most likely terminate your relationship or increase transaction fees which can be catastrophic to a business. It is important to be familiar with your merchant account agreement, which should outline your exposure for compliance violations.
What Do Data Centers With Managed Services For PCI DSS Compliance Offer Which Is Difficult For An In-house Data Center?
Here are just a few examples:
- Host your application in a PCI DSS compliant data center as pure colocation or managed colocation with a clear service level agreement.
- Help you with gap analysis and map out what you need to do to comply with PCI DSS.
- Prepare a detailed list of tasks and responsibilities, a timeline, and a project plan.
- Design the day-to-day, monthly, and quarterly processes you’ll need, and prepare the process documents.
- Build the network and servers so that they meet the standard, then work with your PCI DSS QSA to get the solution signed-off as compliant.
- Manage ongoing compliance to agreed service levels and manage the ongoing compliance for you such as monitoring the system 24/7 and running quarterly compliance checks.
- When you outsource your data and/or application hosting to a PCI hosting provider to protect your cardholder data, you need to test the following requirements and sub-requirements that directly reference and apply to working with a service provider.
- Maintain a list of service providers. Keep a current list of vendors and update it whenever you sign with a new provider or end a contract. This can help you keep tabs on your service providers’ audit record for verification of ongoing compliance.
- Maintain a written agreement with acknowledgement that service providers are responsible for the security of any cardholder data they possess.
- Ensure there is an established process for engaging service providers, including proper due diligence prior to engagement. A PCI compliant data center’s audit report show you the full scope of compliance and to helps you to assess what your company still needs to cover for your own compliance.
- Maintain a way to monitor service provider’s PCI compliance status at least once a year. A data center’s managed services works with you to test the compliance as many times as your organization requires.
DataCenterAndColocation is a Data Center and Colocation consultancy that can help your organization select a vendor with managed services to help meet or exceed the PCI DSS standard and provide continually tested security for financial transactions and to process, store, or transmit credit card information. www.DataCenterAndColocation.com, is one of the largest colocation site consulting firms in the United States. They represent approximately 3000 data centers and colocation centers. At no cost to clients, they identify specific space, location, power and security requirements, solicit proposals, professionally analyze the responses, compare the strengths and weaknesses, negotiate pricing and deliver highly competitive bids for colocation. They also perform comparative analysis for in-house vs. design build services, wholesale data center space and data connectivity.