
Hosting PCI DSS: what you need to know

Recently we at IT-GRAD successfully re-certified our cloud infrastructure against the requirements of the PCI DSS standard and obtained the PCI DSS Managed Service Provider certificate, which means we can offer PCI DSS hosting services. Below we explain what this is and introduce the existing service types: co-location, IaaS Basic and IaaS Advanced.


Photo: Neil Turner, CC

What is PCI DSS hosting?


The PCI DSS standard is a set of requirements that companies handling payment card data (Visa, MasterCard and the other card brands) must follow. PCI DSS hosting is a service that lets a customer hand a large share of the work of meeting the standard's requirements to the provider. It allows participants in the electronic payments market to simplify both certification and ongoing compliance with PCI DSS. Note that the customer's own obligation to be compliant does not disappear: what the provider takes over is the implementation of, and evidence for, the specific controls recorded in the contract.

A PCI DSS hosting provider uses a range of measures to protect cardholder data. Responsibility for fulfilling each of the 12 PCI DSS requirements is divided between the client and the provider according to the contract concluded between them. Most often, however, the operator takes responsibility for protecting the network and the data and for controlling physical access to the equipment.

To build a reliable network, the provider deploys a set of security tools driven by the PCI DSS requirements: a firewall, network monitoring solutions and a WAF. In addition, the provider restricts which users may open FTP/SSH sessions to which machines, and uses scripts (for example, sshd_sentry) to block IP addresses from which several unsuccessful login attempts have been made. (Plain FTP transmits credentials in the clear, so on a compliant host "FTP" in practice means SFTP or FTPS.)
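The failed-login blocking just described is easy to get subtly wrong: a fixed-count rule catches a fast brute-forcer but misses one that spaces its attempts out. The example below is added here to show the detection logic over sample sshd log lines; it is not the code of sshd_sentry or of IT-GRAD, the log lines are constructed, and the threshold of five failures in ten minutes and the iptables command format are assumptions chosen for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample auth log (not real traffic): one fast brute-forcer (203.0.113.7),
# one slow brute-forcer spacing attempts 15 minutes apart (192.0.2.9), and one legitimate
# user who mistypes once and then logs in with a key (198.51.100.22).
SAMPLE_LOG = """\
Mar  3 10:01:02 host sshd[1201]: Failed password for root from 203.0.113.7 port 51000 ssh2
Mar  3 10:01:05 host sshd[1203]: Failed password for invalid user admin from 203.0.113.7 port 51002 ssh2
Mar  3 10:01:09 host sshd[1204]: Failed password for root from 203.0.113.7 port 51004 ssh2
Mar  3 10:01:12 host sshd[1206]: Failed password for root from 203.0.113.7 port 51006 ssh2
Mar  3 10:01:15 host sshd[1208]: Failed password for root from 203.0.113.7 port 51008 ssh2
Mar  3 10:02:00 host sshd[1210]: Failed password for alice from 198.51.100.22 port 40000 ssh2
Mar  3 10:02:30 host sshd[1211]: Accepted publickey for alice from 198.51.100.22 port 40002 ssh2
Mar  3 10:05:00 host sshd[1220]: Failed password for root from 192.0.2.9 port 33000 ssh2
Mar  3 10:20:00 host sshd[1221]: Failed password for root from 192.0.2.9 port 33002 ssh2
Mar  3 10:35:00 host sshd[1222]: Failed password for root from 192.0.2.9 port 33004 ssh2
Mar  3 10:50:00 host sshd[1223]: Failed password for root from 192.0.2.9 port 33006 ssh2
Mar  3 11:05:00 host sshd[1224]: Failed password for root from 192.0.2.9 port 33008 ssh2
"""

# Matches the "Failed password" line OpenSSH logs for both known and invalid users.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\d{1,3}(?:\.\d{1,3}){3})"
)


def parse_failures(log_text, year=2024):
    """Return (timestamp, ip, user) for every failed password attempt, in log order.

    Syslog lines carry no year, so one is supplied by the caller (assumption)."""
    failures = []
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue  # accepted logins and unrelated lines are ignored
        ts_text = re.sub(r"\s+", " ", m["ts"])  # collapse the padding in "Mar  3"
        ts = datetime.strptime(f"{year} {ts_text}", "%Y %b %d %H:%M:%S")
        failures.append((ts, m["ip"], m["user"]))
    return failures


def offenders(failures, threshold=5, window_seconds=600):
    """IPs that produced at least `threshold` failures inside any sliding window.

    A sliding window (rather than a lifetime counter) is what distinguishes a burst
    from an occasional typo; widening the window is how slow attackers are caught."""
    window = timedelta(seconds=window_seconds)
    by_ip = defaultdict(list)
    for ts, ip, _user in failures:
        by_ip[ip].append(ts)
    banned = set()
    for ip, times in by_ip.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            # advance the window start until it lies within `window` of the current failure
            while t - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                banned.add(ip)
                break
    return banned


def block_commands(ips):
    """Render one drop rule per offender; returned as strings, never executed here."""
    return [f"iptables -I INPUT -s {ip} -j DROP" for ip in sorted(ips)]


if __name__ == "__main__":
    print("\n".join(block_commands(offenders(parse_failures(SAMPLE_LOG)))))
```

With the default ten-minute window only the fast attacker is blocked; the slow one, who never exceeds one failure per window, is only caught when the window is widened to two hours. In production the ban list also needs an expiry and an allow-list for management networks, otherwise an attacker who spoofs or shares an address can lock out the administrators.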

The provider also protects cardholder data with antivirus software, two-factor authentication, traffic encryption and backups. The provider is likewise responsible for the "physical protection" of the equipment if it owns the data center. Often, though, this duty falls on the staff of the data center where the provider rents rack space. For example, our equipment in Russia is located in two data centers, DataSpace in Moscow and Xelent in St. Petersburg, both certified Tier III by the Uptime Institute.


Photo: Blue Coat Photos, CC

Types of PCI DSS hosting


According to our research, the most popular PCI DSS hosting options are co-location, IaaS Basic and IaaS Advanced.

Co-location

In this case the client places its own hardware in the operator's data center. The provider is responsible for the physical security of the equipment: the data center must have working video surveillance, staff must pass identity checks, and the hardware must sit in locked racks. The service provider also performs regular inspections and checks the equipment for faults.

IaaS Basic

The client is responsible for storing cardholder data, protecting against malware and securing its applications. The provider is responsible for restricting physical access to the data. The remaining PCI DSS requirements are divided between the parties according to the contract.

For example, we can take on part of the application security requirements on the client's behalf, since we operate a WAF. We can also be responsible for patching systems and identifying risks. Our staff monitor information security events around the clock so that we can react quickly.

A successful example of a deployment under the IaaS Basic scheme is RFI Bank. The company works in e-commerce, so it must comply with all 12 requirements of the PCI DSS standard. Our team fully manages the bank's cloud infrastructure.

IaaS Advanced

The IaaS Advanced service means that the provider takes responsibility for fulfilling virtually all PCI DSS requirements, including configuring the infrastructure components and the network. The client's only job is to write secure applications.

To be able to offer an IaaS Advanced service, a vendor must itself meet several requirements. The first is two-factor authentication (2FA): for this we run an OTP server that generates one-time passwords.
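To make the 2FA requirement concrete, here is what a minimal one-time-password server actually has to do: derive a code from a shared secret and the current time step (RFC 6238 TOTP over RFC 4226 HOTP), accept a small clock drift, compare in constant time, and refuse a code that was already used. This is an added example, not the code of IT-GRAD's OTP server or of any particular product; the RFC test secret and the 30-second step are the RFC's own, and the replay guard is a design choice assumed here.

```python
import base64
import hashlib
import hmac
import secrets
import struct

# The shared secret from the RFC 4226 / RFC 6238 test vectors; used here only so the
# outputs can be checked against the published values. Real secrets come from new_secret().
RFC_SECRET = b"12345678901234567890"


def new_secret(length=20):
    """Fresh random secret (160 bits for SHA-1 HOTP); returned raw, with the base32 form
    that authenticator apps expect when enrolling."""
    raw = secrets.token_bytes(length)
    return raw, base64.b32encode(raw).decode("ascii")


def hotp(secret, counter, digits=6):
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian 64-bit counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret, unix_time, step=30, digits=6):
    """RFC 6238 TOTP: HOTP with the counter taken from the current time step."""
    return hotp(secret, int(unix_time) // step, digits)


class TotpVerifier:
    """Server-side check for one user: accepts the current step and +-drift neighbours,
    compares in constant time, and never accepts a counter at or below the last one used."""

    def __init__(self, secret, step=30, digits=6, drift=1):
        self.secret = secret
        self.step = step
        self.digits = digits
        self.drift = drift
        self.last_counter = -1  # highest counter already accepted (replay guard)

    def verify(self, candidate, unix_time):
        if len(candidate) != self.digits or not candidate.isdigit():
            return False
        counter = int(unix_time) // self.step
        for c in range(counter - self.drift, counter + self.drift + 1):
            if c <= self.last_counter:
                continue  # already consumed, or older than a consumed code
            expected = hotp(self.secret, c, self.digits).encode("ascii")
            if hmac.compare_digest(expected, candidate.encode("ascii")):
                self.last_counter = c
                return True
        return False


if __name__ == "__main__":
    import time
    raw, b32 = new_secret()
    print("enrol this secret in the authenticator:", b32)
    print("current code:", totp(raw, time.time()))
```

A six-digit code with one step of drift gives an attacker three valid values out of a million per 90-second window, so the verifier must be paired with rate limiting on the login endpoint; the replay guard above only stops reuse of a code that was already accepted, not guessing.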

Another requirement is a firewall. In network matters we always work on the principle "deny everything that is not explicitly allowed." We use the Palo Alto IPS/IDS solution to detect unauthorized connections and respond to threats quickly.

The third requirement is a File Integrity Monitoring (FIM) system, which tracks the integrity of files, including the operating system files of Linux and Windows hosts. In addition, we take backups of the VMs every day so that data can be recovered after a failure.
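File integrity monitoring reduces to two operations: record a baseline of digests and permission bits for the files you care about, and later compare a fresh scan against it. The example below is added to show that mechanism end to end; it is not IT-GRAD's FIM product or any vendor's code, and the `demo()` scenario (a config edit, a permission change, a deleted file and a planted `ld.so.preload`) is constructed in a temporary directory purely for illustration.

```python
import hashlib
import json
import os
import stat
import tempfile


def hash_file(path):
    """SHA-256 of a file, read in chunks so large files do not load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root):
    """Map each regular file under root (by relative path) to its digest, mode bits and size.

    Mode bits are recorded because a chmod with no content change is still a finding."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            st = os.lstat(full)
            if not stat.S_ISREG(st.st_mode):
                continue  # symlinks and special files are out of scope for this example
            rel = os.path.relpath(full, root)
            baseline[rel] = {
                "sha256": hash_file(full),
                "mode": oct(stat.S_IMODE(st.st_mode)),
                "size": st.st_size,
            }
    return baseline


def compare(baseline, current):
    """Report files that were added, removed or changed (content, size or permission bits)."""
    return {
        "added": sorted(current.keys() - baseline.keys()),
        "removed": sorted(baseline.keys() - current.keys()),
        "modified": sorted(rel for rel in baseline.keys() & current.keys()
                           if baseline[rel] != current[rel]),
    }


def demo():
    """Constructed scenario: baseline a fake /etc, then tamper with it and diff."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "etc"))
        originals = {
            "etc/sshd_config": b"PermitRootLogin no\n",
            "etc/passwd": b"root:x:0:0::/root:/bin/sh\n",
            "etc/motd": b"welcome\n",
        }
        for rel, body in originals.items():
            with open(os.path.join(root, rel), "wb") as f:
                f.write(body)
        os.chmod(os.path.join(root, "etc/passwd"), 0o644)
        baseline = build_baseline(root)

        # Tampering (all constructed): weaken sshd, loosen passwd, drop motd, plant a preload.
        with open(os.path.join(root, "etc/sshd_config"), "wb") as f:
            f.write(b"PermitRootLogin yes\n")
        os.chmod(os.path.join(root, "etc/passwd"), 0o666)
        os.remove(os.path.join(root, "etc/motd"))
        with open(os.path.join(root, "etc/ld.so.preload"), "wb") as f:
            f.write(b"/tmp/evil.so\n")

        return compare(baseline, build_baseline(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Two things make this useful rather than decorative: the baseline must be stored where an attacker who owns the host cannot rewrite it (off-host, or at least signed), and the comparison has to run on a schedule and feed an alert. PCI DSS version 3.2 requires critical-file comparisons at least weekly (requirement 11.5), which this script satisfies only when something actually runs it and reads the result.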

What to choose


Cognizant analysts note that PCI DSS requirements are hard to meet for large organizations such as banks and retail chains, so IaaS Basic or IaaS Advanced suit them better. Other companies working with payment card data may be well served by co-location.

Our survey showed that 77% of companies working with electronic payments use the services of cloud vendors. Among the surveyed organizations, co-location is chosen most often (42%). Nevertheless, IaaS Basic and IaaS Advanced are gaining ground: they were chosen by 32% and 21% of respondents respectively. We therefore expect that over time organizations will hand providers an ever larger share of the responsibility for meeting PCI DSS requirements.



PS Several articles on PCI DSS certification from the First Corporate IaaS Blog:

Source: https://habr.com/ru/post/351182/
