Before I discuss the international information security standards behind PCI compliance, I want to briefly note why international security certifications matter. They are essential for IT vendors offering data storage and hosting services: certification lets them maintain their reputation and demonstrate their legitimacy as a vendor.
What is PCI DSS?
Among these certifications, the Payment Card Industry Data Security Standard (PCI DSS) is an information security standard that sets the requirements for any organisation, anywhere in the world, that stores, processes or transmits payment card data or handles online card transactions. It is maintained by the Payment Card Industry Security Standards Council (PCI SSC). Its primary aim is to reduce fraud and the misuse of cardholder data. Merchants that accept or make online card payments must meet the PCI DSS requirements, policies and procedures to show that they handle this information according to the standard.
Why do data centers need to meet PCI compliance?
Data centers themselves may play no part in the procedures their customers use to receive online payments, but they host the systems those customers rely on, so they have to meet the requirements to become a PCI compliant data center. For a secure and reliable hosting facility, tight security means more than a building with locked doors. It means implementing international standards and controls to protect the privacy and security of the sensitive customer information stored on its servers.
Data center facilities house the servers that store third-party data. Their responsibility is to offer a secure, scalable and accessible facility with continuous cooling and power to minimise downtime. Beyond meeting the hardware and software requirements, hosting companies have to obtain industry certification and comply with the relevant standards and policies.
This is why hosting service providers must meet the PCI DSS requirements, procedures and policies before they can offer hosting to merchants and vendors that handle their clients' card data.
Compliance is equally vital for the merchants and organisations that use PCI compliant data centers. Using a compliant hosting provider does not by itself make a merchant compliant; the merchant's own controls are assessed as well. To be recognised as compliant they have to document the details and procedures they use for handling cardholder data, and this documentation is what an Attestation of Compliance (AOC) is based on.
What are the fundamental questions a data storage facility should ask before applying for PCI certification?
To help vendors understand the standards and prerequisites for obtaining PCI compliance, here are a few critical questions from the new PCI DSS Self-Assessment Questionnaire (SAQ) that hosting service providers must be able to answer in order to complete a successful self-assessment. They cover the physical security requirements of the standard.
- Does your facility have appropriate entry controls to limit and monitor physical access to the systems that store cardholder data?
- Do you use video cameras or other access-control mechanisms to monitor physical access to sensitive areas of the facility?
- Do your staff collect, review and correlate the video recordings with other access records, such as badge-reader logs?
- How long do you retain the recorded video? The standard requires video records to be kept for at least three months, unless otherwise restricted by law.
- Have you made satisfactory arrangements to restrict physical access to the network, including network jacks, gateways, wireless access points and handheld devices?
- Are your procedures capable of distinguishing between onsite personnel and visitors, especially in areas where cardholder data is accessible?
- Does your facility follow a standard procedure for handling all visitors? The standard procedure for authorising visitors before they enter areas where cardholder data is stored includes:
Issuing physical tokens such as badges or access devices with a pre-defined expiry, so that visitors can be distinguished from employees, and requiring visitors to surrender the token when it expires or before they leave the facility.
- Do you maintain a visitor log to review and track visitor activity? The log should record the visitor's name, the company they represent and the name of the employee who authorised their physical access. This log, too, must be retained for a minimum of three months.
Endnote: Implementing these security standards to become a PCI compliant data center is a primary goal of hosting service providers around the world. Compliance lets them demonstrate that they can provide secure data storage for companies that handle card payments and transactions every day.