PCI Compliance

#1 | New Member | Join Date: Sep 2009 | Posts: 3

I'm wondering if anyone is hearing rumblings on whether or not data centers themselves will be subject to PCI Compliance. Not hosting or managed services companies, but the actual co-location providers/data centers themselves.

Is this something which is relevant when making a decision on where to be?



#2 | Junior Guru | Join Date: Aug 2003 | Location: Richmond, BC | Posts: 196
I'm not sure about PCI Compliance, but I have seen several strive towards SAS70.... I believe they have many similar touch points.

#3 | Web Hosting Master | Join Date: Apr 2007 | Posts: 3,497
I think data centres are always looking for ways to be one above their competitors.

The company I work for has actually gone through PCI compliance within the past year, however most are spending time on the more complex and appropriate SAS70 etc...

PCI does appear to be something that end users are interested in, and many are looking at this for their own sites.

__________________
-- PingBin.com -- Trace Route Database --

#4 | THE Web Hosting Master | Join Date: Jan 2003 | Location: Chicago, IL | Posts: 6,771
In the PCI guidelines the data center itself really has NOTHING to do with it. The concerns are the security of the data, so yes, security of the data center has something to do with it, but the network, software, etc. is significantly more important. Basically ANY data center would meet the requirements for PCI compliance, and imho, only the ones marketing at people who don't know what they're doing are worried about PCI certifications, etc. on the data center level.

__________________
Karl Zimmerman - Steadfast: Managed Dedicated Servers and Premium Colocation
karl @ steadfast.net - Sales/Support: 312-602-2689
Cloud Hosting, Managed Dedicated Servers, Chicago Colocation, and New Jersey Colocation
Now Open in New Jersey! - Contact us for New Jersey colocation or dedicated servers

#5 | New Member | Join Date: Sep 2009 | Posts: 3
I would tend to agree that PCI compliance should only apply to equipment and companies operating within the data center itself.

It seems inherent that the security employed by data centers covers the requirements of PCI compliance, but I'm curious as to whether or not it will ever be expanded to the data center providers also being asked to be compliant as well. It certainly wouldn't be much more than simply going through the certification for almost all major data centers.

#6 | WHT Addict | Join Date: Jun 2008 | Posts: 166
Quote (Originally Posted by ColoJS):
> I would tend to agree that PCI compliance should only apply to equipment and companies operating within the data center itself.
>
> It seems inherent that the security employed by data centers covers the requirements of PCI compliance, but I'm curious as to whether or not it will ever be expanded to the data center providers also being asked to be compliant as well. It certainly wouldn't be much more than simply going through the certification for almost all major data centers.
Interesting that we were having this same conversation within our company; you can ask 5 different people about PCI within the data center and get 6 different opinions... lol

I have heard that it is the customer within the DC that is looked on to be PCI compliant. I have also heard that SAS 70, ISO 27000, or HIPAA are other certification/compliance areas that are more important for a data center than PCI.

__________________
NationalNet
Hosting. Handled.

Managed Hosting | Dedicated Hosting | Atlanta Colocation
sales@nationalnet.com | 888-4-NATNET | www.nationalnet.com

#7 | Web Hosting Master | Join Date: Apr 2006 | Location: Phoenix | Posts: 806

__________________
Jordan Jacobs | VP, Products|SingleHop| JJ @SingleHop.com
Managed Dedicated Servers | Bare-Metal Servers | Cloud Services


#8 | Web Hosting Master | Join Date: Apr 2005 | Posts: 1,111
Thank you, very helpful article

Quote (Originally Posted by JordanJ):

Thank you JordanJ, I've looked at this site before, but it looks like I've missed that page. And yes, in our company everybody had their own opinion about DC compliance with PCI requirements.
I hope that this article will help many hosters.

__________________
Professional Streaming services - http://www.tulix.com - info at tulix.com
Double optimized (AS36820) network, best for live streaming/VoIP/gaming
The best quality network - AS7219

#9 | Newbie | Join Date: Mar 2010 | Location: NJ, USA | Posts: 12
Agreed, PCI really focuses on the security of the data, firewalls, etc that are typically maintained by the client in a colocation scenario.

#10 | Web Hosting Master | Join Date: Dec 2004 | Posts: 765
Hate to bump an old thread but...

I heard that the colo provider must be able to provide proper logs of ALL the people who access the data centers before the colocated customer can be considered PCI Compliant (referring specifically to level 4 merchants who must fill out the SAQ D).

So far, I've been told this is a privacy concern and the colo facility would not provide this information if ever requested.

Meaning, the merchant (colo customer) is non-compliant as they cannot access that information. According to the QSA auditor/advisor.

I'd love to hear some feedback from the guys who run colo facilities on this point. Or level 4 merchants who need to fill out the SAQ D and colocate.

Thanks!

#11 | Web Hosting Evangelist | Join Date: Apr 2010 | Posts: 481
The two things that the colo normally needs to do are log access and keep camera footage for so long (90 days if memory serves). I was putting a client into a L3 facility and the access logs were not a problem, but the lack of row-level cameras was. The PCI auditors were happy with us adding cameras to the cage. I had another client that added cameras and a security system to their single rack and the auditors were happy. There is nothing that a colo needs to do that you cannot implement at a rack, cage or suite level. I second that colo's decision to not hand out logs of everybody that accessed the facility: if data has been stolen, a crime has been committed, the cops can get the proper paperwork, and they have covered themselves; you should not be handing that over to your clients just for asking. I know L3, ATT and MCI will all give me a list of visitors to my spaces but not the facility as a whole.

#12 | Web Hosting Master | Join Date: Dec 2004 | Posts: 765
The few colo facilities I've spoken to do not want us to bring cameras into their facilities, let alone set up our own cams in our private cages.

It seems that without the access logs and such, we cannot be PCI compliant. I too think handing out the logs upon request is a problem, but this seems to be required to be PCI compliant.

#13 | THE Web Hosting Master | Join Date: Jan 2003 | Location: Chicago, IL | Posts: 6,771
Quote (Originally Posted by lostmind):
> Hate to bump an old thread but...
>
> I heard that the colo provider must be able to provide proper logs of ALL the people who access the data centers before the colocated customer can be considered PCI Compliant (referring specifically to level 4 merchants who must fill out the SAQ D).
>
> So far, I've been told this is a privacy concern and the colo facility would not provide this information if ever requested.
>
> Meaning, the merchant (colo customer) is non-compliant as they cannot access that information. According to the QSA auditor/advisor.
>
> I'd love to hear some feedback from the guys who run colo facilities on this point. Or level 4 merchants who need to fill out the SAQ D and colocate.
>
> Thanks!
Wouldn't you only need a log of those with access to your equipment, not to the facility as a whole? If you have your own cage, or even your own cabinet, that shouldn't be too complicated. If you're in a facility that is unwilling to work with you to provide an access log to your own equipment and you need that, then find a new facility.

On our own side, we have several customers for which we individually log access based on their own requirements for SAS70 and/or PCI compliance purposes. It is easy enough with a simple sign-in/out sheet on each cabinet and can then be confirmed with video.

To note, from that questionnaire it seems it is just saying logging must be done and have some auditing; it doesn't say you yourself have to do it, it could be done by the data center itself. Unless I'm missing something, that is how I'm reading it.

__________________
Karl Zimmerman - Steadfast: Managed Dedicated Servers and Premium Colocation
karl @ steadfast.net - Sales/Support: 312-602-2689
Cloud Hosting, Managed Dedicated Servers, Chicago Colocation, and New Jersey Colocation
Now Open in New Jersey! - Contact us for New Jersey colocation or dedicated servers

#14 | Newbie | Join Date: Mar 2010 | Location: NJ, USA | Posts: 12
Well said Karl.

At our data centers, typically to maintain compliance a client will have either a private cage or a locking cabinet with an electronic keypad lock. We provide clients with access logs to their private cage, or for anyone on their access list who accesses the data center.

We do not however provide anyone with full data center access logs, for obvious security/privacy concerns.

#15 | Web Hosting Master | Join Date: Dec 2004 | Posts: 765
Karl, bferri - our current colo providers will not implement this for us.

We may not use a 3rd party lock on our cage/cabs as their staff must always have access, we can't implement our own camera system (nor bring a camera into the facilities at all), and they won't guarantee compliance with a sign-in sheet on our cage... We aren't with some bottom-of-the-barrel super cheap facility either...

This is the only issue really causing a problem for us.

Well, this and clients that don't want to pay any more each month to be PCI compliant... but that's a different story...
