Thread: PCI Compliance

  1. #1

    PCI Compliance

    I'm wondering if anyone is hearing rumblings on whether or not data centers themselves will be subject to PCI Compliance. Not hosting or managed services companies, but the actual co-location providers/data centers themselves.

    Is this something which is relevant when making a decision on where to be?

  2. #2
    Join Date
    Aug 2003
    Location
    Richmond, BC
    Posts
    196
    I'm not sure about PCI Compliance, but I have seen several strive towards SAS 70. I believe they have many similar touch points.

  3. #3
    Join Date
    Apr 2007
    Posts
    3,531
    I think data centres are always looking for ways to be one above their competitors.

    The company I work for has actually gone through PCI compliance within the past year; however, most are spending time on the more complex and appropriate SAS 70, etc.

    PCI does appear to be something that end users are interested in, and many are looking at this for their own sites.
    BotWars.io - Code the AI of your Battle Bot!

  4. #4
    Join Date
    Jan 2003
    Location
    Chicago, IL
    Posts
    6,957
    In the PCI guidelines the data center itself really has NOTHING to do with it. The concerns are the security of the data, so yes, security of the data center has something to do with it, but the network, software, etc. is significantly more important. Basically ANY data center would meet the requirements for PCI compliance, and imho, only the ones marketing at people who don't know what they're doing are worried about PCI certifications, etc. on the data center level.
    Karl Zimmerman - Founder & CEO of Steadfast
    VMware Virtual Data Center Platform

    karl @ steadfast.net - Sales/Support: 312-602-2689
    Cloud Hosting, Managed Dedicated Servers, Chicago Colocation, and New Jersey Colocation

  5. #5
    I would tend to agree that PCI compliance should only apply to equipment and companies operating within the data center itself.

    It seems inherent that the security employed by data centers covers the requirements of PCI compliance, but I'm curious as to whether or not it will ever be expanded so that the data center providers are also asked to be compliant. It certainly wouldn't be much more than simply going through the certification for almost all major data centers.

  6. #6
    Quote Originally Posted by ColoJS View Post
    I would tend to agree that PCI compliance should only apply to equipment and companies operating within the data center itself.

    It seems inherent that the security employed by data centers covers the requirements of PCI compliance, but I'm curious as to whether or not it will ever be expanded so that the data center providers are also asked to be compliant. It certainly wouldn't be much more than simply going through the certification for almost all major data centers.
    Interesting; we were having this same conversation within our company. You can ask 5 different people about PCI within the data center and get 6 different opinions... lol

    I have heard that it is the customer within the DC that is looked on to be PCI compliant. I have also heard that SAS 70, ISO 27000, or HIPAA are other certification/compliance areas that are more important for a data center than PCI.
    NationalNet
    Hosting. Handled.

    Managed Hosting | Dedicated Hosting | Atlanta Colocation
    sales@nationalnet.com
    | 888-4-NATNET | www.nationalnet.com

  7. #7
    Join Date
    Apr 2006
    Location
    Phoenix
    Posts
    808
    Jordan Jacobs | VP, Products|SingleHop| JJ @SingleHop.com
    Managed Dedicated Servers | Bare-Metal Servers | Cloud Services

  8. #8

    Thank you, very helpful article

    Thank you JordanJ, I've looked at this site before, but looks like I've missed that page. And yes, in our company everybody had their own opinion about DC compliance with PCI requirements.
    I hope that this article will help many hosters.
    Professional Streaming services - http://www.tulix.com - info at tulix.com
    Double optimized (AS36820) network, best for live streaming/VoIP/gaming
    The best quality network - AS7219

  9. #9
    Join Date
    Mar 2010
    Location
    NJ, USA
    Posts
    12
    Agreed, PCI really focuses on the security of the data, firewalls, etc that are typically maintained by the client in a colocation scenario.

  10. #10
    Hate to bump an old thread but...

    I heard that the colo provider must be able to provide proper logs of ALL the people who access the data centers before the colocated customer can be considered PCI Compliant (referring specifically to level 4 merchants who must fill out the SAQ D).

    So far, I've been told this is a privacy concern and the colo facility would not provide this information if ever requested.

    Meaning, the merchant (colo customer) is non-compliant as they cannot access that information, according to the QSA auditor/advisor.

    I'd love to hear some feedback from the guys who run colo facilities on this point. Or level 4 merchants who need to fill out the SAQ D and colocate.

    Thanks!

  11. #11
    Join Date
    Jan 2003
    Location
    Chicago, IL
    Posts
    6,957
    Quote Originally Posted by lostmind View Post
    Hate to bump an old thread but...

    I heard that the colo provider must be able to provide proper logs of ALL the people who access the data centers before the colocated customer can be considered PCI Compliant (referring specifically to level 4 merchants who must fill out the SAQ D).

    So far, I've been told this is a privacy concern and the colo facility would not provide this information if ever requested.

    Meaning, the merchant (colo customer) is non-compliant as they cannot access that information, according to the QSA auditor/advisor.

    I'd love to hear some feedback from the guys who run colo facilities on this point. Or level 4 merchants who need to fill out the SAQ D and colocate.

    Thanks!
    Wouldn't you only need a log of those with access to your equipment, not to the facility as a whole? If you have your own cage, or even your own cabinet, that shouldn't be too complicated. If you're in a facility that is unwilling to work with you to provide an access log to your own equipment and you need that, then find a new facility.

    On our own side, we have several customers for which we individually log access based on their own requirements for SAS70 and/or PCI compliance purposes. It is easy enough with a simple sign-in/out sheet on each cabinet and can then be confirmed with video.

    To note, from that questionnaire it seems it is just saying logging must be done and have some auditing; it doesn't say you yourself have to do it, it could be done by the data center itself. Unless I'm missing something, that is how I'm reading it.
    Karl Zimmerman - Founder & CEO of Steadfast
    VMware Virtual Data Center Platform

    karl @ steadfast.net - Sales/Support: 312-602-2689
    Cloud Hosting, Managed Dedicated Servers, Chicago Colocation, and New Jersey Colocation

  12. #12
    Join Date
    Apr 2010
    Posts
    493
    The two things that the colo normally needs to do are log access and keep camera footage for so long (90 days if memory serves). I was putting a client into an L3 facility and the access logs were not a problem, but the lack of row-level cameras was. The PCI auditors were happy with us adding cameras to the cage. I had another client that added cameras and a security system to their single rack and the auditors were happy. There is nothing that a colo needs to do that you cannot implement at a rack, cage or suite level. I second that colo's decision to not hand out logs of everybody that accessed the facility; if data has been stolen, a crime has been committed and the cops can get the proper paperwork, and they have covered themselves. You should not be handing that over to your clients just for asking. I know L3, ATT and MCI will all give me a list of visitors to my spaces, but not the facility as a whole.

  13. #13
    The few colo facilities I've spoken to do not want us to bring cameras into their facilities, let alone set up our own cams in our private cages.

    It seems that without the access logs and such, we cannot be PCI compliant. I too think handing out the logs upon request is a problem, but this seems to be required to be PCI compliant.

  14. #14
    Join Date
    Mar 2010
    Location
    NJ, USA
    Posts
    12
    Well said Karl.

    At our data centers, typically to maintain compliance a client will have either a private cage or a locking cabinet with an electronic keypad lock. We provide clients with access logs to their private cage, or for anyone on their access list who accesses the data center.

    We do not however provide anyone with full data center access logs, for obvious security/privacy concerns.

  15. #15
    Karl, bferri - our current colo providers will not implement this for us.

    We may not use a 3rd-party lock on our cages/cabs as their staff must always have access, we can't implement our own camera system (nor bring a camera into the facilities at all), and they won't guarantee compliance with a sign-in sheet on our cage... We aren't with some bottom-of-the-barrel super cheap facility either...

    This is the only issue really causing a problem for us.

    Well, this and clients that don't want to pay any more each month to be PCI compliant... but that's a different story...

  16. #16
    Join Date
    Nov 2009
    Location
    Reston
    Posts
    305
    PCI Compliance, as well as HIPAA compliance, should be something that the individuals that own the hardware should be concerned about, since they are the ones responsible for protecting the information. I'm not sure how much value it would add for any data center to gain these types of compliance, since ultimately they are not responsible for the integrity of the data on the machines?
    Dan Buyer
    InfoRelay - Connected, Protected, Perfected.
    Equinix LAX & DC, One Wilshire, Wilshire Annex, MPT, VE, 1275K, Reston Exchange, Reston Equinix, 60 Hudson, NYC, and Chicago
    www.inforelay.com
