
04-28-2010, 03:18 PM
New Member | Join Date: Sep 2009 | Posts: 3
I'm wondering if anyone is hearing rumblings on whether or not data centers themselves will be subject to PCI Compliance. Not hosting or managed services companies, but the actual co-location providers/data centers themselves.
Is this something which is relevant when making a decision on where to be?

04-28-2010, 03:23 PM
Junior Guru | Join Date: Aug 2003 | Location: Richmond, BC | Posts: 196
I'm not sure about PCI Compliance, but I have seen several strive towards SAS70... I believe they have many similar touch points.

04-28-2010, 03:30 PM
Web Hosting Master | Join Date: Apr 2007 | Posts: 3,481
I think data centres are always looking for ways to be one above their competitors.
The company I work for has actually gone through PCI compliance within the past year; however, most are spending time on the more complex and appropriate SAS70 etc...
PCI does appear to be something that end users are interested in, and many are looking at this for their own sites.

04-28-2010, 03:48 PM
THE Web Hosting Master | Join Date: Jan 2003 | Location: Chicago, IL | Posts: 6,538
In the PCI guidelines the data center itself really has NOTHING to do with it. The concerns are the security of the data, so yes, security of the data center has something to do with it, but the network, software, etc. is significantly more important. Basically ANY data center would meet the requirements for PCI compliance, and imho, only the ones marketing at people who don't know what they're doing are worried about PCI certifications, etc. on the data center level.

04-28-2010, 04:20 PM
New Member | Join Date: Sep 2009 | Posts: 3
I would tend to agree that PCI compliance should only apply to equipment and companies operating within the data center itself.
It seems inherent that the security employed by data centers covers the requirements of PCI compliance, but I'm curious as to whether or not it will ever be expanded to the data center providers also being asked to be compliant as well. It certainly wouldn't be much more than simply going through the certification for almost all major data centers.

04-28-2010, 05:18 PM
WHT Addict | Join Date: Jun 2008 | Posts: 166
Quote:
Originally Posted by ColoJS
I would tend to agree that PCI compliance should only apply to equipment and companies operating within the data center itself.
It seems inherent that the security employed by data centers covers the requirements of PCI compliance, but I'm curious as to whether or not it will ever be expanded to the data center providers also being asked to be compliant as well. It certainly wouldn't be much more than simply going through the certification for almost all major data centers.

Interesting that we were having this same conversation within our company; you can ask 5 different people about PCI within the data center and get 6 different opinions... lol
I have heard that it is the customer within the DC that is looked on to be PCI compliant. I have also heard that SAS 70, ISO 27000, or HIPAA are other certification/compliance areas that are more important for a data center than PCI.

04-28-2010, 06:45 PM
Web Hosting Master | Join Date: Apr 2006 | Location: Phoenix | Posts: 803
__________________
Jordan Jacobs | Vice President | Colocation and Mass-Market | JordanJ@PhoenixNAP.com
PhoenixNAP | Enterprise Colocation | Dedicated Servers | Cloud Services

05-03-2010, 08:21 PM
Web Hosting Master | Join Date: Apr 2005 | Posts: 1,111
Thank you, very helpful article
Quote:
Originally Posted by JordanJ

Thank you JordanJ, I've looked at this site before, but it looks like I've missed that page. And yes, in our company everybody had their own opinion about DC compliance with PCI requirements.
I hope that this article will help many hosters.
__________________
Professional Streaming services - http://www.allyoucanstream.com - info at tulix.com
Level3 (AS10990) or better (AS36820) 10Gb/s+ network, best for streaming/VoIP/gaming
Budget (AS7219) network for others
Optimized with Internap's FCP 10Gx (up to 80Gb/s and beyond) for PERFORMANCE network

05-04-2010, 08:21 AM
Newbie | Join Date: Mar 2010 | Location: NJ, USA | Posts: 12
Agreed, PCI really focuses on the security of the data, firewalls, etc. that are typically maintained by the client in a colocation scenario.

05-29-2010, 12:44 AM
Web Hosting Master | Join Date: Dec 2004 | Posts: 730
Hate to bump an old thread but...
I heard that the colo provider must be able to provide proper logs of ALL the people who access the data centers before the colocated customer can be considered PCI compliant (referring specifically to Level 4 merchants who must fill out the SAQ D).
So far, I've been told this is a privacy concern and the colo facility would not provide this information if ever requested.
Meaning, the merchant (colo customer) is non-compliant as they cannot access that information, according to the QSA auditor/advisor.
I'd love to hear some feedback from the guys who run colo facilities on this point, or Level 4 merchants who need to fill out the SAQ D and colocate.
Thanks!

05-29-2010, 09:03 AM
Aspiring Evangelist | Join Date: Apr 2010 | Posts: 440
The two things that the colo normally needs to do are log access and keep camera footage for so long (90 days if memory serves). I was putting a client into an L3 facility and the access logs were not a problem, but the lack of row-level cameras was. The PCI auditors were happy with us adding cameras to the cage. I had another client that added cameras and a security system to their single rack and the auditors were happy. There is nothing that a colo needs to do that you cannot implement at a rack, cage or suite level. I second that colo's decision to not hand out logs of everybody that accessed the facility: if data has been stolen, a crime has been committed, the cops can get the proper paperwork, and they have covered themselves; you should not be handing that over to your clients just for asking. I know L3, ATT and MCI will all give me a list of visitors to my spaces but not the facility as a whole.

05-29-2010, 06:37 PM
Web Hosting Master | Join Date: Dec 2004 | Posts: 730
The few colo facilities I've spoken to do not want us to bring cameras into their facilities, let alone set up our own cams in our private cages.
It seems that without the access logs & such, we cannot be PCI compliant. I too think handing out the logs upon request is a problem, but this seems to be required to be PCI compliant.

05-30-2010, 05:10 AM
THE Web Hosting Master | Join Date: Jan 2003 | Location: Chicago, IL | Posts: 6,538
Quote:
Originally Posted by lostmind
Hate to bump an old thread but...
I heard that the colo provider must be able to provide proper logs of ALL the people who access the data centers before the colocated customer can be considered PCI compliant (referring specifically to Level 4 merchants who must fill out the SAQ D).
So far, I've been told this is a privacy concern and the colo facility would not provide this information if ever requested.
Meaning, the merchant (colo customer) is non-compliant as they cannot access that information, according to the QSA auditor/advisor.
I'd love to hear some feedback from the guys who run colo facilities on this point, or Level 4 merchants who need to fill out the SAQ D and colocate.
Thanks!

Wouldn't you only need a log of those with access to your equipment, not to the facility as a whole? If you have your own cage, or even your own cabinet, that shouldn't be too complicated. If you're in a facility that is unwilling to work with you to provide an access log to your own equipment and you need that, then find a new facility.
On our own side, we have several customers for which we individually log access based on their own requirements for SAS70 and/or PCI compliance purposes. It is easy enough with a simple sign-in/out sheet on each cabinet and can then be confirmed with video.
To note, from that questionnaire it seems it is just saying logging must be done and have some auditing; it doesn't say you yourself have to do it, it could be done by the data center itself, unless I'm missing something. That is how I'm reading it.
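As an added example (not code from any poster in this thread, and not any facility's real system), here is how a provider could scope a facility-wide visitor log down to one tenant's cage, along the lines of the per-cabinet logging described above, and hand that tenant the evidence its QSA asks for without disclosing other tenants' visitors. The log format, the space identifiers, the names and the sample lines are constructed assumptions; the 90-day window is the retention figure mentioned earlier in the thread, taken here as an assumption to confirm against the current DSS text.

```python
"""Scoped physical-access evidence for one colocation tenant.

Added example, not from any poster in this thread. Assumed input: a
facility-wide visitor log with one record per line, fields separated by "|":
    timestamp|badge|name|space|action      (action is "in" or "out")
Space identifiers, names and the sample lines below are constructed data.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class AccessEvent:
    ts: datetime
    badge: str
    name: str
    space: str   # cage or cabinet identifier
    action: str  # "in" or "out"


# Constructed sample of a facility-wide visitor log (not real data).
SAMPLE_LOG = """\
2010-05-28T09:02:00|B1001|J. Doe|CAGE-12|in
2010-05-28T09:40:00|B1001|J. Doe|CAGE-12|out
2010-05-28T10:15:00|B2042|A. Smith|CAGE-07|in
2010-05-28T10:50:00|B2042|A. Smith|CAGE-07|out
2010-05-29T14:00:00|B3090|R. Tech|CAGE-12|in
2010-05-29T14:05:00|B3090|R. Tech|CAGE-07|in
"""


def parse_log(text):
    """Parse the log, rejecting malformed records rather than skipping them:
    a gap in access evidence should be visible, not silently dropped."""
    events = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        parts = line.split("|")
        if len(parts) != 5 or parts[4] not in ("in", "out"):
            raise ValueError(f"malformed record on line {lineno}: {line!r}")
        ts, badge, name, space, action = parts
        events.append(AccessEvent(datetime.fromisoformat(ts), badge, name, space, action))
    return sorted(events, key=lambda e: e.ts)


def scope_to_space(events, space):
    """Keep only records for the tenant's own cage/cabinet; records about
    other tenants' visitors never leave the facility's side."""
    return [e for e in events if e.space == space]


def open_sessions(events):
    """Sign-ins with no later sign-out for the same badge and space. An
    auditor will question these, so surface them explicitly."""
    pending = {}
    for e in events:
        key = (e.badge, e.space)
        if e.action == "in":
            pending[key] = e
        else:
            pending.pop(key, None)
    return sorted(pending.values(), key=lambda e: e.ts)


def covers_window(events, as_of, days=90):
    """True if the retained records reach back at least `days` before `as_of`
    (90 days is the figure mentioned in the thread; assumed here)."""
    if not events:
        return False
    return events[0].ts <= as_of - timedelta(days=days)


def tenant_report(text, space, as_of_iso):
    """Evidence bundle for one tenant: its own visits, unmatched sign-ins,
    and whether the retained log spans the required window."""
    as_of = datetime.fromisoformat(as_of_iso)
    scoped = scope_to_space(parse_log(text), space)
    return {
        "space": space,
        "visits": [(e.ts.isoformat(), e.badge, e.name, e.action) for e in scoped],
        "open_sessions": [(e.badge, e.name) for e in open_sessions(scoped)],
        "window_covered": covers_window(scoped, as_of, 90),
    }


if __name__ == "__main__":
    report = tenant_report(SAMPLE_LOG, "CAGE-12", "2010-05-30T00:00:00")
    for key, value in report.items():
        print(f"{key}: {value}")
```

The report for CAGE-12 lists only that cage's visits and flags the unmatched sign-in, while A. Smith's visit to CAGE-07 is never disclosed; the window check fails for a log that only reaches back two days, which is the kind of gap the tenant needs to know about before the questionnaire is signed.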

05-30-2010, 09:41 AM
Newbie | Join Date: Mar 2010 | Location: NJ, USA | Posts: 12
Well said Karl.
At our data centers, typically to maintain compliance a client will have either a private cage or a locking cabinet with an electronic keypad lock. We provide clients with access logs to their private cage, or for anyone on their access list who accesses the data center.
We do not, however, provide anyone with full data center access logs, for obvious security/privacy concerns.

05-30-2010, 11:19 AM
Web Hosting Master | Join Date: Dec 2004 | Posts: 730
Karl, bferri - our current colo providers will not implement this for us.
We may not use a 3rd-party lock on our cage/cabs as their staff must always have access, we can't implement our own camera system (nor bring a camera into the facilities at all), and they won't guarantee compliance with a sign-in sheet on our cage... We aren't with some bottom-of-the-barrel super cheap facility either...
This is the only issue really causing a problem for us.
Well, this and clients that don't want to pay any more each month to be PCI compliant... but that's a different story...