Why Your Data Center Needs to be PCI DSS 3.2 Compliant
By: Rob Morris on August 13, 2019
The world of compliance can be very confusing, especially for newly established or small businesses. When it comes time for them to pursue a better data solution through a colocation provider, they often have many questions about data center compliance standards, attestations of compliance, and certificates.
With so many standards to look at, such as SSAE 18, ISO/IEC 27001:2013, SOC 2 Type II, and HIPAA/HITECH, it’s important for prospective colocation customers to focus on the specific compliance areas that impact their business. For many companies, PCI DSS 3.2 (Payment Card Industry Data Security Standard) compliance will be one of the most important standards to consider.
What is PCI DSS 3.2?
Developed and published by the Payment Card Industry Security Standards Council, PCI DSS 3.2 is the latest version of the credit card industry’s security standards used to protect payment information before, during, and after purchases are made. Updated to version 3.2 in 2016 (with minor revisions technically creating PCI DSS 3.2.1 in 2018), PCI DSS applies to any company that accepts a credit card number for processing a transaction, transmits cardholder and card number/security information, or receives authorization or settlement information via electronic information systems. In order to comply with PCI DSS, companies must demonstrate that their processing systems have controls in place to prevent, detect, and respond to cyberattacks that could result in data breaches.
PCI DSS 3.2 is not a government-mandated regulation, but rather a standard developed by major credit card companies to help businesses provide better data security for their customers and protect themselves from legal exposure in the process. These credit card companies require all businesses who process, store, or transmit credit card data to be in compliance.
PCI DSS has twelve top-level requirement statements. In addition to the twelve general data security requirements of PCI DSS 3.2, there are over 200 sub-requirements that could apply to a business, depending upon their industry. The requirements fall under six broad subject areas:
Build and Maintain a Secure Network.
Protect Cardholder Data.
Maintain a Vulnerability Management Program.
Implement Strong Access Control Measures.
Regularly Monitor and Test Networks.
Maintain an Information Security Policy.
By evaluating their internal processes against those twelve requirements, organizations will end up with a list of the PCI compliance requirements that apply to them and that they need to address. Because PCI DSS 3.2 centers on credit card Point of Sale (POS) transactions and on payment settlement information flowing between systems, it is quite possible for any business to be classified as a ‘merchant.’ Merchants who process payments must meet and follow the PCI DSS standard. Failure to do so could result in fines or the loss of credit card processing privileges.
Colocation data centers can be classified as merchants because of the volume of credit card transactions they routinely process. While they may not be required to meet every one of the twelve requirements to demonstrate PCI DSS 3.2 compliance, they do need to make sure they implement controls for the information security and protection of the financial data that customers provide, such as:
Protect stored cardholder data.
Restrict physical access to cardholder data.
Track and monitor all access to network resources and cardholder data.
Maintain a policy that addresses information security for employees and contractors.
Data Centers and PCI DSS 3.2 Compliance
With data centers facilitating the network access their clients use to market products and services, they are a valuable partner when it comes to various compliance needs. Fortunately, the security demands placed upon a data center (thanks to SOC 2 Type II, ISO/IEC 27001:2013, and HIPAA/HITECH standards) are allies in supporting the PCI control requirements and assisting in obtaining an ‘Attestation of Compliance’ for PCI DSS 3.2.
Data centers are increasingly migrating towards a zero-trust architecture policy to protect themselves from malware introduced by an unfamiliar Internet of Things (IoT) device, from breaches, and from other more serious incidents. By strengthening network security against potential threats involving IoT devices and building upon their high physical and logical security standards, colocation data centers are fast becoming the ideal choice for companies looking for the best environment to protect their valuable data. Having a PCI DSS 3.2 attestation of compliance complements a data center’s security posture and adds to the security of its clients as well.
Data center compliance standards are a critical differentiator when it comes to assessing colocation facilities. A provider that possesses the right data center attestations of compliance and certificates can deliver the tools that a growing or established company needs to set itself on a path to sustainable success. If a facility doesn’t take data center compliance standards seriously, there are very likely additional areas of operations that are subpar as well. Colocation customers can’t afford to take that sort of chance, which is why they should always make a point of requesting information about a data center’s attestations of compliance and certificates.
About Rob Morris
Rob Morris is the Director of Program Management and the ISMS Manager. Rob chairs the vXchnge Information Security Council and manages the compliance campaigns and is our customer liaison.