Web Hosting Talk : Web Hosting Main Forums : Colocation and Data Centers : Anyone that has a list of PCI certified hosting company ?

[fionix]

Has anyone a list of PCI certified hosting providers ?

For those of you that don't know what it is, here is a link :

https://www.pcisecuritystandards.org/

Thanks for your help.

[voipcarrier]

Correct me if I'm wrong, but doesn't the providers PCI DSS involvement only involve providing a locking cabinet or cage? Other than that, the requirements are all on your end (firewall, IDS, storage requirements, quarterly security assessment, etc.). Unless you're looking for a managed solution, it's all your equipment.

Also, it's probably easier to find an SAS70 facility. As far as I've seen, SAS70 requirements exceed PCI DSS.

[sjhwilkes]

And having screened all employees with access to the environment. But yes if you're just taking straight co-lo that's it.
I've been doing PCI consulting (and CISP before that) for many years, and as the rules get tighter and tighter it just keeps getting better for me. I feel bad for some small companies that are above the transaction threshold for Level 2 though, it's hard for them...

[fionix]

Quote:

Originally Posted by voipcarrier

Correct me if I'm wrong, but doesn't the providers PCI DSS involvement only involve providing a locking cabinet or cage? Other than that, the requirements are all on your end (firewall, IDS, storage requirements, quarterly security assessment, etc.). Unless you're looking for a managed solution, it's all your equipment.

Also, it's probably easier to find an SAS70 facility. As far as I've seen, SAS70 requirements exceed PCI DSS.

I'm sorry but it is not what I'm looking for and it is not that easy as you asking for. The hosting company need to be PCI certified itself for what I look for.

[appliedops]

Quote:

Originally Posted by fionix

I'm sorry but it is not what I'm looking for and it is not that easy as you asking for. The hosting company need to be PCI certified itself for what I look for.

I'll look into it more, but I don't think colocation facilities are candidates for PCI audits...
If you need a PCI compliant setup in a colocation facility, thats relatively easy but you'd need to pay for the audit yourself in order for you to be PCI compliant...

[voipcarrier]

Quote:

Originally Posted by fionix

I'm sorry but it is not what I'm looking for and it is not that easy as you asking for. The hosting company need to be PCI certified itself for what I look for.

If you are looking for a truly colo scenario, then the data center is not responsible for the PCI compliance. The only requirement that might be affected by the individual provider is the employee screening, but they won't really have access to the data so I'm not even sure if that applies.

All of the security audits, firewall and IDS requirements, etc. are your responsibility unless you're in a managed hosting environment. I'm assuming you're not since this is the colocation and data center forum, but maybe I'm wrong.

In my basic understanding of the regulations, as long as you have a locking cage or cabinet from the data center you could make any facility compliant.

This is one of those scenarios where it often times makes sense to bring in an experienced consultant.