
What does it mean for a data center to be PCI Compliant?

Submitted By: Nathan Hatch, CEO, C7 Data Centers | Category: General Information | Total Views: 3794 | Word Count: 791

Published on May 10, 2010.

Potential customers often ask a data center whether it is "PCI Compliant." The question causes some confusion, because the data center provider typically has nothing to do with how its customers handle sensitive information. To clarify what the data center is responsible for in regard to PCI compliance, and what the merchant or service provider is responsible for, let's first look at what PCI compliance means.
PCI DSS is an abbreviation for PCI Data Security Standard, the worldwide information security standard set by the Payment Card Industry Security Standards Council to control and minimize the points at which sensitive cardholder information is exposed to fraud or compromise. PCI compliance means that the way your business handles that information adheres to the PCI DSS.
For a company (service provider or merchant) hosted in a data center to be PCI compliant, its information handling procedures must conform to the PCI DSS requirements, and it must have an attestation of that compliance.
These principles and requirements are found on the About the PCI Data Security Standard (PCI DSS) page on the PCI Security Standards Council website.
The PCI Security Standards Council, LLC has provided a PCI DSS New Self-Assessment Questionnaire (SAQ) Summary v1.2 to determine which SAQ is appropriate for your company.
A data center provides the facility in which companies and merchants conduct their business. In that capacity, the data center provider has specific responsibilities, chiefly the physical access controls of Requirement 9, that must themselves be PCI compliant. Compliance does not inherit from the facility: a merchant or company located within a PCI compliant data center is not thereby PCI compliant. Each merchant or company claiming PCI compliance must have, and be able to provide, its own attestation of compliance, and should be able to point to the provider's attestation as evidence for the physical controls the provider operates on its behalf.
Data centers are only required to complete the portions of the SAQ self-assessment that apply to them, and to provide a 'Not Applicable' or 'Compensating Control Used' explanation for the rest in the Appendix of the SAQ.
In addition, as per SAQ Validation Type 5, SAQ D v1.2:
"The questions for Requirements 9.1-9.4 only need to be answered for facilities with 'sensitive areas' as defined here. 'Sensitive areas' refers to any data center, server room or any area that houses systems that store, process, or transmit cardholder data. This excludes the area where only point of sale terminals are present, such as the cashier areas in a retail store."
The following questions are the specific Requirements 9.1-9.4 that apply to data centers:
9.1 Are appropriate facility entry controls in place to limit and monitor physical access to systems in the cardholder data environment?
9.1.1.a Do video cameras or other access-control mechanisms monitor individual physical access to sensitive areas?
9.1.1.b Is data collected from video cameras reviewed and correlated with other entries?
9.1.1.c Is data from video cameras stored for at least three months, unless otherwise restricted by law?
9.1.2 Is physical access to publicly accessible network jacks restricted?
9.1.3 Is physical access to wireless access points, gateways, and handheld devices restricted?
9.2 Are procedures in place to help all personnel easily distinguish between employees and visitors, especially in areas where cardholder data is accessible?
9.3 Are all visitors handled as follows:
9.3.1 Authorized before entering areas where cardholder data is processed or maintained?
9.3.2 Given a physical token (for example, a badge or access device) that expires and that identifies the visitors as non-employees?
9.3.3 Asked to surrender the physical token before leaving the facility or at the date of expiration?
9.4.a Is a visitor log in use to maintain a physical audit trail of visitor activity?
9.4.b Are the visitor's name, the firm represented, and the employee authorizing physical access documented on the log?
9.4.c Is the visitor log retained for a minimum of three months, unless otherwise restricted by law?
The responsibilities of merchants and companies located in a data center that process sensitive information, per the SAQ, are the twelve PCI DSS requirements grouped under six control objectives (plus the shared hosting appendix), summarized as follows:
Build and Maintain a Secure Network
A. Install and maintain a firewall configuration to protect cardholder data
B. Do not use vendor-supplied defaults for system passwords and other security parameters
Protect Cardholder Data
A. Protect stored cardholder data
B. Encrypt transmission of cardholder data across open, public networks
Maintain a Vulnerability Management Program
A. Use and regularly update anti-virus software or programs
B. Develop and maintain secure systems and applications
Implement Strong Access Control Measures
A. Restrict access to cardholder data by business need-to-know
B. Assign a unique ID to each person with computer access
C. Restrict physical access to cardholder data
Regularly Monitor and Test Networks
A. Track and monitor all access to network resources and cardholder data
B. Regularly test security systems and processes
Maintain an Information Security Policy
A. Maintain a policy that addresses information security for employees and contractors
Additional PCI DSS Requirements for Shared Hosting Providers
A. Shared hosting providers must protect each hosted entity's cardholder data environment and data

Understanding who is responsible for what under PCI compliance, the provider for the facility controls and the hosted merchant or service provider for everything that touches cardholder data, ensures that sensitive information is processed in accordance with industry standards.

About the Author
Nathan Hatch is the CEO of C7 Data Centers, a colocation data center provider.
