OVH.co.uk are offering a service that would probably suit my needs but has anyone been able to achieve PCI DSS compliance with them?
Dropped an email to them early this morning (customersupport [at] ovh.co.uk) but no reply today to my PCI question. I dropped a mail to i3d.net too asking whether they were compliant; no reply after 3 or 4 days. (I'm not looking to host a game server.) I could pick up the phone, but I thought this would a) give me notice in writing that it is possible and b) indicate the level of service I might expect in future.
Anything under my control I can sort out, but I need to know more. No reply puts me off a lot, obviously, but does anyone have experience in the field with these two? I'll post any official response if anything arrives; it is a big deal for many, I think.
Last edited by Crontabulous; 05-17-2011 at 05:00 PM.
I remember your request/mail sent to us, as our sales team talked to management regarding PCI DSS compliance.
Our reply was that we, as i3D, are fully compliant with the requirements set, but have never pursued official accreditation. However, many of our colocation and dedicated server clients did, and we fully cooperate with setup, assessment and beyond. I will have an account manager follow up with you.
However, we do have other accreditations with six-month audits:
i3D achieved CDSA accreditation in the content protection and security program. This accreditation is based on a number of audits of the physical infrastructure and all software layers. i3D's datacenter SmartDC and i3D tier 2 locations were subject to the audit process. Our services are in accordance with content protection and security standards and procedures.
About Interactive 3D:
Interactive 3D (i3D.net) is a large hosting provider operating 3500 servers in Rotterdam (Netherlands), Frankfurt (Germany), Paris (France), London (UK), Tokyo (Japan), Sydney (Australia) and the United States. i3D specializes in managed worldwide hosting services for the digital entertainment industry. Among i3D's customers are television stations and game publishers such as Electronic Arts, THQ, Ubisoft, ID Software, Futuremark and S2 Games.
CDSA, the Content Delivery & Storage Association, is the worldwide forum advocating the innovative and responsible delivery and storage of entertainment, software and information content.
CDSA's global network of certified sites is audited to industry standards to protect your content. For over ten years, the world's most responsible replicators and content services have agreed to undergo site audits by industry experts to benchmark their preparedness in content protection and security. Today, the world's leading motion picture, home video, music, software and games companies recognize and reward CDSA certified sites for their commitment to protecting their content.
Thanks very much. I don't think accreditation is very important to me as an SAQ C type; I just need the dedicated server to pass the quarterly scans. Most of the tweaking can be done by me anyway should the server fail, but I recently made the mistake of signing up with a company that always fails the scans due to infrastructure and software shortcomings.
If OVH get back to me I'll post here. It seems to be quite hard to find this information; I think it's still worth hosting companies advertising PCI compliance even if they aren't accredited.
For us it is not that easy to advertise that we are compliant without accreditation, as we offer hosting building blocks (servers, racks, bandwidth) and do not offer full-service PCI-compliant products usable by non-techs.
This is going to be your most common scenario: dedicated hosting providers will give you the building blocks, but you have to choose the elements for your solution to become effectively compliant. I.e., a provider will offer server hardware, firewall options, a secure network, operational security policies and practices, SAS 70 Type II certification, monthly/quarterly or annual vulnerability scans against your servers and network (or even full-blown network/hardware/application penetration testing; those can be costly but are often worth the money). But it is up to you as the customer to choose those individual tools and subscribe to the appropriate services that will pass an audit by your registered PCI auditor, and to properly configure and secure your servers and applications.
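The quarterly scans mentioned a few posts up and the "building blocks" split described here both come down to one question: which findings make the scan fail, and which of those can the customer actually fix on a rented box? The following is an added example, not code from any poster or provider in this thread. It applies the PCI ASV program rule that any finding with a CVSS base score of 4.0 or higher fails the scan, then separates the failing findings the customer can remediate from those that sit in provider-controlled infrastructure. The findings are constructed sample data, and the `fixable_by` tag is a hypothetical field added for the illustration; real ASV reports do not carry it.

```python
from collections import defaultdict
from dataclasses import dataclass

# PCI ASV program rule: a finding with CVSS base score >= 4.0 fails the scan.
FAIL_THRESHOLD = 4.0


@dataclass(frozen=True)
class Finding:
    host: str
    port: int
    title: str
    cvss: float
    # Hypothetical tag (not in real ASV output): who has to fix it.
    # "provider" marks findings in infrastructure or OS images the customer
    # cannot change on a dedicated/colocated server.
    fixable_by: str


# Constructed sample findings; not output of any real scanner.
SAMPLE_FINDINGS = [
    Finding("203.0.113.10", 443, "Web server supports SSLv3", 5.0, "customer"),
    Finding("203.0.113.10", 22, "SSH server offers weak MAC algorithms", 2.6, "customer"),
    Finding("203.0.113.10", 80, "End-of-life operating system in use", 7.5, "provider"),
    Finding("203.0.113.11", 3306, "Database port reachable from the internet", 5.0, "customer"),
    Finding("203.0.113.12", 443, "TLS certificate expires within 30 days", 0.0, "customer"),
]


def failing_findings(findings):
    """Findings that on their own cause the quarterly scan to fail."""
    return [f for f in findings if f.cvss >= FAIL_THRESHOLD]


def scan_passes(findings):
    """True only when nothing reaches the ASV failure threshold."""
    return not failing_findings(findings)


def remediation_plan(findings):
    """Per host, the failing findings ordered worst-first."""
    plan = defaultdict(list)
    for f in sorted(failing_findings(findings), key=lambda f: -f.cvss):
        plan[f.host].append((f.title, f.cvss))
    return dict(plan)


def blocked_on_provider(findings):
    """Failing findings the customer cannot fix alone. These decide whether a
    host can ever pass, so they are the ones to ask a prospective host about."""
    return [f for f in failing_findings(findings) if f.fixable_by == "provider"]


if __name__ == "__main__":
    print("PASS" if scan_passes(SAMPLE_FINDINGS) else "FAIL")
    for host, items in remediation_plan(SAMPLE_FINDINGS).items():
        print(host)
        for title, score in items:
            print(f"  {score:4.1f}  {title}")
    for f in blocked_on_provider(SAMPLE_FINDINGS):
        print(f"needs provider action: {f.host}:{f.port} {f.title}")
```

Run as-is it reports FAIL, lists the three findings at or above 4.0 grouped by host, and flags the end-of-life OS on the first host as something only the provider can resolve. Low findings such as the weak SSH MACs and the expiring certificate are still worth fixing, but they do not by themselves decide the quarterly result.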
Exactly right, but my reason for posting was: how can you tell? I know from experience that at least one leading hosting company isn't PCI compliant and that info is buried, not to mention being locked into an out-of-date OS un-upgradeable by provider or user.
If anyone ends up here via Google in the future with a similar problem, my advice would be to have a good chat with your prospective hosting company, but don't assume you'll be OK. i3d.net have been very helpful via email; thanks for that.