There is no question that security and compliance are top priorities for the financial industry when it comes to hosting their critical IT infrastructure. And yet, according to a survey by 451 Research, 55 percent of enterprises stated that security and compliance issues surrounding hybrid IT were the primary factors inhibiting adoption. So what can banks and other financial institutions do to change this? They can start by finding a colocation provider that has top security measures in place and is PCI DSS compliant.
Any company that accepts credit card payments must be PCI compliant. Companies that can afford the extensive capital outlay to build their own PCI compliant IT infrastructure must also invest in the resources to maintain constant and ongoing diligence: patching all operating systems and applications, daily review of log files, periodic vulnerability scanning, and annual penetration testing.
On the other hand, most companies are not in a position to build a PCI compliant data center facility, or maintain the rigorous daily demands required to meet PCI compliance. They instead look to outsource their IT infrastructure to a partner who has met PCI compliance, and can relieve the initial CapEx investment and ongoing daily compliance burdens.
What is PCI DSS Compliance and Who Does It Apply to?
The Payment Card Industry Data Security Standard (PCI DSS) is a set of security standards designed to encourage and enhance cardholder data security and to facilitate consistent data security measures globally. The Payment Card Industry Security Standards Council (PCI SSC) was launched in September 2006 to manage the ongoing evolution of the PCI security standards. The council continues to focus on improving payment account security throughout the transaction process.
The PCI DSS is administered and managed by the PCI SSC. It is important to understand that the payment brands are responsible for enforcing compliance, not the PCI council. According to the Data Security Standard, PCI DSS comprises a minimum set of requirements for protecting account data, and may be enhanced by additional controls and practices to further mitigate risks, as well as by local, regional, and sector laws and regulations.
Additionally, legislation or regulatory requirements may require specific protection of personal information or other data elements (for example, cardholder name). PCI DSS does not replace local or regional laws, government regulations, or other legal requirements.
Do PCI Rules and Requirements Apply to You?
The PCI DSS applies to any organization, regardless of size or number of transactions, that accepts, transmits, or stores any cardholder data and/or sensitive authentication data. This includes merchants, processors, acquirers, issuers, and service providers.
Cardholder data and sensitive authentication data are defined as:
Cardholder Data:
- Primary Account Number (PAN)
- Cardholder Name
- Expiration Date
- Service Code
Sensitive Authentication Data:
- Full track data (magnetic-stripe data or equivalent on a chip)
- PINs/PIN blocks
Additionally, organizations that outsource their cardholder data environment or payment operations to third parties are responsible for ensuring that the account data is protected by the third party per the applicable PCI DSS requirements. Sensitive authentication data must not be stored after authorization, even if encrypted. This applies even where there is no PAN in the environment.
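A defensive data-at-rest check built on the definitions above, added here as an example that is not from the original article or LightEdge: it sweeps constructed sample records for PANs (which may be stored, but only protected and never reported in full) and for full track data (sensitive authentication data that must not be stored after authorization). PIN blocks have no self-identifying format, so this check assumes they are found by schema review rather than pattern matching; the first-six/last-four masking and the Luhn filter are the author's choices, not something the article specifies.

```python
import re
from typing import Dict, List

# Constructed sample records (not data from any real system): what a
# DLP sweep over a merchant's stored order log might encounter.
SAMPLE_RECORDS = [
    "order=1001 pan=4111 1111 1111 1111 exp=1229 name=J DOE",
    "order=1002 track2=;4111111111111111=29121011234? status=captured",
    "order=1003 ref=4111111111111112 amount=19.99",   # Luhn-invalid: not a PAN
    "order=1004 token=tok_8f3a9c amount=42.00",
]

# 13-19 digits, optionally separated by single spaces or dashes
PAN_RE = re.compile(r"(?<!\d)(\d(?:[ -]?\d){12,18})(?!\d)")
# Magnetic-stripe track layouts (ISO/IEC 7813): %B<PAN>^NAME^YYMM... and ;<PAN>=YYMM...
TRACK1_RE = re.compile(r"%B\d{13,19}\^[^^]*\^\d{4}")
TRACK2_RE = re.compile(r";\d{13,19}=\d{4}")


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check; filters out digit runs that cannot be a card number."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Render a PAN as first six / last four so the finding itself is not cardholder data."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan_record(record: str) -> Dict[str, List[str]]:
    """Classify one stored record: PANs (must be protected) and SAD (must not be stored)."""
    findings: Dict[str, List[str]] = {"pan": [], "sad": []}
    if TRACK1_RE.search(record) or TRACK2_RE.search(record):
        findings["sad"].append("full track data")
    for m in PAN_RE.finditer(record):
        digits = re.sub(r"[ -]", "", m.group(1))
        if luhn_ok(digits):
            findings["pan"].append(mask_pan(digits))  # never emit the full PAN
    return findings


def scan_records(records: List[str]) -> List[Dict[str, List[str]]]:
    return [scan_record(r) for r in records]


if __name__ == "__main__":
    for rec, f in zip(SAMPLE_RECORDS, scan_records(SAMPLE_RECORDS)):
        print(rec.split()[0], f)
```

Record 1002 is the case the text warns about: a captured order still carrying track data after authorization, which no amount of encryption makes compliant.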
What to Look for In a PCI DSS Compliant Colocation Provider
Running your financial organization typically leaves little time and money to also own, operate, and maintain compliant data centers. That is why many outsource to a compliant colocation facility, like LightEdge. Choosing the wrong colocation provider could result in a breach of credit card information, loss of reputation, and hefty fines.
When considering a PCI DSS compliant hosting provider, your financial organization should know what to look for and which questions to ask to ensure you receive world-class storage security. Here are several key factors to look for and important questions to ask your next PCI DSS compliant colocation provider.
Data Center Security Measures
When vetting PCI DSS compliant data center providers, look at their security approach. It should include the following three areas:
- Physical Security: Layering security through the physical infrastructure of a data center is the first step towards complete peace of mind when storing your servers and data. Your colocation provider should never compromise on the latest measures to strengthen its infrastructure. From the hardened shell to access control systems and surveillance, the physical security of a data center should be top of the line and include the following:
  - Secure location
  - Limited entry points
- Environmental Security: A data center designed with the most up-to-date security technology will help to reduce risk from the inside out. When it comes to your mission-critical infrastructure, security technology should be top of mind. Here are a few things to look for in your data center colocation provider’s environmental security:
  - Multi-factor authentication (badges, fingerprint and facial recognition, PIN codes, keys)
  - Secure check-in process
  - Surveillance monitoring systems
  - Live support staff
- Network Security: Network security is an integration of multiple layers of defenses in the network. While there are many different types of network protections, common ones include:
  - Virtual Private Network (VPN)
  - Data Loss Prevention (DLP)
  - Network Segmentation
  - Antivirus Software
In addition to the different layers of data center security, it is important to find out what compliance and security expertise you will gain from your colocation partnership. Staying educated on security and compliance and maintaining best practices across an organization is a full-time job. Your colocation provider should have designated PCI compliance experts who are responsible for maintaining PCI DSS standards, as well as any other compliance regulations that impact your industry or that of your clients.
Chief Compliance Officers and CISOs may find themselves dealing not only with the impact of new laws, but with data privacy issues, IT failures, and crisis management. Your hosting provider’s compliance experts need to prevent and detect misconduct, while navigating the always-changing regulatory landscape.
LightEdge’s security and compliance professional services simplify the process of improving your security posture. They help you determine which security controls are required to mitigate your identified risks, and they improve collaboration and communication between your business and LightEdge during security event mitigation and incident response.
Regular Monitoring Schedule and Network Tests
Tracking and monitoring all access to network resources and cardholder data, including regular testing of controls, systems, and processes, is critical. Your colocation provider should have a plan in place that tracks and monitors all access to network resources and cardholder data. Log files, system traces, and any other tool that enables tracking of access to sensitive data are critical in preventing, detecting, or minimizing a data breach. The availability of logs enables tracking, alerting, and analysis when an intrusion occurs. It is almost impossible to identify and diagnose a breach without system logs.
Your provider should also regularly test their security systems and processes. System vulnerabilities are constantly being discovered, and as such, all systems, processes, and software should be tested. Ask your potential provider about their monitoring schedule and network tests to gauge the level of security in place.
Private Cloud Offerings
Do the service providers you are vetting offer private cloud solutions? When handling cardholder data, a safe cloud environment is paramount. In some cases, this is best achieved through a private cloud. In 73 percent of the breaches investigated by SecurityMetrics, noncompliance with PCI requirement 10, “Implement Logging and Log Monitoring,” was the issue most frequently associated with the breach. A PCI DSS compliant private cloud solution could fix this problem. In addition to labor and hardware savings, cloud hosting providers have increased security across entire financial enterprises.
A hosting provider should remove the risk of large shared clouds while taking advantage of the economic and scalability benefits of virtualization. The customization of a private cloud solution must come with the storage, compute, and infrastructure your organization needs.
A private cloud solution should include highly secure, highly available, dedicated servers that offer protection from security threats such as hyperjacking and DDoS attacks. Private cloud solutions offer high security and customization. They are a reliable and efficient service without the concerns of a shared server.
LightEdge provides two different private cloud solutions, Virtual Private Cloud and Dedicated Private Cloud. LightEdge’s Virtual Private Cloud powered by VMware takes advantage of the cost-effective multi-tenant model for infrastructure and virtualization, while maintaining business-critical performance and top security. Our VPC is redundant by default and can be provisioned by you or LightEdge’s experienced engineers.
LightEdge Dedicated Private Cloud (DPC) offers a single-tenant environment with the highest level of performance, control, and security at a predictable monthly price. DPC provides physically discrete and highly available compute, storage, and network resources configured to your specific requirements. You retain full control of your server while gaining the flexibility of virtualization, ideal for mission-critical applications and compliance standards.
Colocation and Protecting Data Through PCI DSS
Colocation reinforces a financial organization’s security posture by providing the opportunity to standardize business decisions and determine the optimal place for data to reside. The challenge is the added complexity of safeguarding data as it crosses colocation, public cloud, and private cloud environments.
A critical step in secure and compliant colocation practices is to first conduct a comprehensive security and governance audit. Such an audit should include an evaluation of all data security policies, user privileges, and compliance regulations (when applicable). Not performing this level of due diligence prior to moving your IT infrastructure to a secure colocation facility could have costly repercussions. Thankfully, third-party colocation providers can offer a broad range of managed services.
Best Practices for Implementing PCI DSS into Your Daily Operations
PCI Security Standards offers examples of how to implement PCI DSS as a business-as-usual process. This enables your organization and your colocation provider to monitor the effectiveness of your security controls on an ongoing basis. Here is a list of examples recommended by PCI Security Standards:
- Monitor security controls
- Ensure that all failures in security controls are detected and responded to in a timely manner
- Review changes to the environment prior to completion of the change
- Changes to the organizational structure, for example an acquisition, should result in a formal review of the impact to PCI DSS scope and requirements
- Perform periodic reviews and communication to confirm that PCI DSS requirements continue to be in place and employees are following secure processes
- Review hardware and software technology at least annually to confirm that they continue to be supported by the vendor and can meet security requirements
LightEdge has the Best of Both Worlds with PCI Compliant Colocation
As a top-tier colocation services provider, we provide a high level of availability and reliability through secure, certified data centers and dedicated staff onsite. Our customized and scalable services give you the control, whether you need a colocation rack, cage, or custom suite now or in the future.
LightEdge’s highly-trained compliance and security experts take the guesswork out of keeping your business protected. Trust our expertise to ensure you are covered through our security and compliance services, including risk management, information security, audit preparedness, and support.
With geographically-dispersed facilities across all of the US power grids, our data centers are the heart of our operation and yours. We have a wide range of colocation and disaster recovery solutions delivering advanced shared infrastructure designed to enable operational and financial efficiency, reducing the burden on your IT staff.
Our LightEdge facilities are more advanced than traditional data centers. We have created true Hybrid Solution Centers designed to offer a complete portfolio of high speed, secure, redundant, local cloud services and managed gateways to public clouds through our hardened facilities.
Customers turn to LightEdge to reduce the risk of non-compliance, to scale security, and for predictability and cost-effectiveness. LightEdge provides customers with an extended team of experienced engineers and helps them focus resources on agility and differentiation. Are you curious how your current provider stacks up? Our security experts will provide a free security assessment to see how you measure up against the latest compliance and security standards. No risk, no commitment. Contact us today to get your free security assessment.