Some companies whose activities involve processing customer payment card data turn to a PCI DSS hosting service, because bringing an infrastructure into compliance with the standard's requirements is a time-consuming process. For example, RFI Bank, a bank for Internet entrepreneurs whose systems are managed by IT-GRAD, uses a PCI DSS hosting service: the bank leases a secure virtual infrastructure that meets the requirements of the PCI DSS standard on the IaaS model.
As more companies pay attention to PCI DSS Compliant Hosting, we want to talk about the details of providing this type of service.
A few words about the standard
The PCI DSS standard appeared in 2005 to bring the security requirements of the international payment systems for cardholder data to a common denominator. Since mid-2012, all organizations (including Russian companies) involved in storing, processing or transmitting payment card data must comply with the requirements of PCI DSS.
Determining whether to comply with PCI DSS
To understand whether a company needs to be audited for PCI DSS compliance, two questions need to be answered:
- Is the data of payment cards in your organization stored, processed or transferred?
- Can the business processes of your organization directly affect the security of payment card data?
If the answer to both questions is negative, PCI DSS certification is not required; otherwise the requirements of the standard become mandatory for the organization. Note that the standard consists of twelve sections and contains about four hundred security requirements for data processing.
Details of the PCI DSS hosting service
We at IT-GRAD conducted market research and evaluated the ways in which various companies provide a PCI DSS service. As a result, we found that the most popular subclasses of PCI DSS hosting are the Colocation, IaaS Basic and IaaS Advanced services.
Note that when choosing a provider, it is worth paying attention to the stated boundaries of the service, which among Russian suppliers are often reduced to placing equipment in the data center halls. This means that the provider delivers a Colocation service and fulfills only the physical security requirements of PCI DSS.
Foreign hosting providers most often offer the IaaS Basic service. In this case the customer performs the procedures regulated by the standard, while the supplier configures the perimeter firewalls, routers, virtualization systems and other components.
The IaaS Advanced service is no less popular: the client receives the most secure cloud on an "all inclusive" basis. The customer simply places the business application in the cloud, and most of the PCI DSS requirements are "closed" by the provider.
As for IT-GRAD, we provide a certified PCI DSS cloud hosting service, with physical equipment placement (Colocation) as well as IaaS Basic and IaaS Advanced services. Next, we look at the features of each type of service.
Colocation
Placing equipment in the data center requires compliance with established security standards. Access to the data center is controlled and managed with mandatory video surveillance and employee identification systems. All hosted equipment is located in lockable racks with regulated access. At the same time, the supplier is responsible for regular inventory and performance checks of the devices used in the infrastructure, which is one of the mandatory requirements of the PCI DSS standard.
IaaS Basic
When providing the IaaS Basic service, the obligations of the supplier and the customer are divided according to an agreed responsibility matrix. The supplier is responsible for individual components of the client's infrastructure and configures them in accordance with its secure configuration standards, taking the requirements of PCI DSS into account.
Areas of responsibility can be distributed in different ways. As an example, consider how it works at IT-GRAD. Since our infrastructure includes a Web Application Firewall, applications that the client hosts in the cloud can be routed through it, which removes some of the application protection requirements from the client.
At the same time, IT-GRAD regularly monitors the emergence of new vulnerabilities, fulfilling the sixth requirement of the PCI DSS standard on updating systems and ranking risks. A change management process is also in place: changes to the production system are made only after approval by the change committee. This approach avoids accidental errors.
In addition, the provider's employees control access to network resources and monitor information security events 24/7/365 so that they can react quickly in the event of an incident.
IaaS Advanced
Infrastructure as a service in the Advanced format is a turnkey solution: the client only develops and supports secure applications, and all other tasks, be it component configuration, firewalling, access restriction, channel encryption or others, are implemented by the cloud provider.
To provide the IaaS Advanced service, the supplier must comply with certain requirements and apply appropriate technological solutions. Consider a few of them using IT-GRAD as an example.
Technological solutions for the IaaS Advanced service
The first requirement is two-factor authentication (Dual Factor Authentication). For example, the IT-GRAD infrastructure uses an OTP server that generates one-time tokens, with which users establish a VPN connection that is redirected to the DMZ where the management and administration node is located. Connecting to this node allows administrative tasks to be performed and individual components of the infrastructure to be accessed.
The second requirement is a network firewall that divides the network into zones. Here we follow the principle "whatever is not explicitly permitted is denied." The provider's infrastructure also uses a Palo Alto system with IPS/IDS functionality to detect unauthorized access and take measures against emerging threats. A centralized anti-virus server with agents installed on the customer's hosts is also commonly used here: a malware detection automatically generates an incident and sends out a notification, followed by a response from the CM system to the recorded event.
Another requirement is to ensure the integrity of application files (File Integrity Monitoring, FIM). If a file is changed, its checksum changes, which automatically triggers the creation of an incident. In addition, FIM monitors critical system files on Windows and Linux. As part of file integrity work, daily snapshots of virtual machines are also created so that the original operating state can be "rolled back" to in the event of an emergency.
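To make the FIM mechanism described above concrete, here is an added example (not IT-GRAD's code or any specific product): it records a SHA-256 baseline of a constructed, hypothetical list of critical files, and on each check turns every changed, missing or newly appeared file into an incident record. The monitored root, file list and sample contents are all constructed for the demonstration.

```python
import hashlib
import tempfile
from datetime import datetime, timezone
from pathlib import Path

# Constructed list of critical files to watch, relative to the monitored root (hypothetical).
CRITICAL_FILES = ["etc/app.conf", "bin/payment_service", "etc/shadow"]

def sha256_of(path: Path) -> str:
    """Stream the file through SHA-256 so large binaries need not fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def build_baseline(root: Path) -> dict:
    """Record the checksum of every critical file present under root (the known-good state)."""
    return {rel: sha256_of(root / rel) for rel in CRITICAL_FILES if (root / rel).is_file()}

def check_integrity(root: Path, baseline: dict) -> list:
    """Compare current checksums with the baseline; every deviation becomes an incident record."""
    now = datetime.now(timezone.utc).isoformat()
    incidents = []
    for rel, expected in baseline.items():
        path = root / rel
        if not path.is_file():
            incidents.append({"time": now, "file": rel, "event": "missing"})
        elif (actual := sha256_of(path)) != expected:
            incidents.append({"time": now, "file": rel, "event": "modified",
                              "expected": expected, "actual": actual})
    # A critical file that appears only after the baseline was taken is reported too.
    for rel in CRITICAL_FILES:
        if rel not in baseline and (root / rel).is_file():
            incidents.append({"time": now, "file": rel, "event": "unexpected_new"})
    return incidents

def demo() -> list:
    """Constructed scenario: baseline two files, then tamper with one, delete the other, add a third."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for rel in CRITICAL_FILES[:2]:
            (root / rel).parent.mkdir(parents=True, exist_ok=True)
            (root / rel).write_text(f"original contents of {rel}\n")
        baseline = build_baseline(root)
        assert check_integrity(root, baseline) == []            # clean run: no incidents
        (root / "etc/app.conf").write_text("db_password=changed\n")  # simulated tampering
        (root / "bin/payment_service").unlink()                       # simulated deletion
        (root / "etc/shadow").write_text("appeared later\n")          # unexpected new file
        return check_integrity(root, baseline)
```

In production the baseline would be stored outside the monitored host (otherwise whoever alters the files can alter the baseline), and each incident record would be forwarded to the incident management system rather than returned to the caller.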
Thus, by using a PCI DSS hosting service, the client receives a number of advantages, including cost savings and a guaranteed quick start for the project. This approach simplifies implementing the requirements of the standard and passing the audit, and lets the client focus on developing the core business.
Finally, it should be noted that a company offering a PCI DSS hosting service must hold a valid certificate, and the boundaries of the service provided must correspond to the scope for which the managed service provider is certified. This confirms that the provider has the right to offer PCI DSS hosting services, which are divided into the Colocation, IaaS Basic and IaaS Advanced classes.