Search
Data Center SecurityPCI DSS Requirement 12PCI DSS Requirement 9

PCI Compliant Data Center Requirements

Read More
Surkay Baykara
Surkay Baykara
11793
0
Table of Contents show

What Are the PCI DSS Data Center Security Requirements?

Data centers generally support the storage, processing, and transmission of data. This data is potentially vulnerable to theft and misuse. As a result, PCI DSS has a set of requirements to establish best practices and mitigate attack vulnerabilities.

See Also: Ensuring Physical Security: PCI DSS Requirement 9

Datacenter users or owners of the storage, processing or transmission process must meet such requirements annually. Even if the data center provider has nothing to do with the data an end-user can store on their computer hardware, a data center provider is most likely involved in the physical protection of such hardware equipment.

All data centers must comply with the following physical security requirements:

  • There should be video surveillance to monitor entry and exit from data centers.
  • Access to data centers and physical copies of cardholder data should be restricted.
  • Where possible, access will be made using electronic badge systems. When not possible, access is logged manually via a Visitor Access Log as defined in your procedures.
  • Develop procedures to distinguish between on-site staff and visitors easily.
  • Record the visitor’s name, company represented, and on-site personnel allowing physical access in the logbook.
  • Unless otherwise restricted by law, access logs must be retained for at least three months.
  • When physical copies of cardholder data are moved between physical locations, the delivery method must be followed as defined in your transport procedures.
  • Physical access to data centers should be limited to authorized personnel, designated approved employees, or contractors whose job functions or responsibilities require such physical access.
  • Appropriate personnel IDs should be provided for access to data centers.
  • Procedures for removing access should be followed for employees who are no longer employed by the organization or transferred from a data center access role.
  • Visitors accessing data centers should be accompanied by authorized personnel, and all access should be recorded via the Visitor Access Log as defined in your procedures.
  • Visitors who need access to the network should only be allowed to access authorized systems by authorized personnel, and their access should be monitored.
  • Unless authorized in advance, the data center should have no network entrances to visitors, and access should only be allowed during the visit.

PCI-compliant data center requirements are essential for a multi-layered approach to the security and availability of critical data and applications. If you are outsourcing, make sure your PCI hosting provider offers each of the following items.

Third-Party Independent PCI DSS Audit Report

A PCI data center service provider should be willing to show the audit report under the NDA to ensure that they are following compliance rules and practices. Request a copy of the independent audit report documenting the measures adopted to meet your PCI hosting provider’s 12 PCI DSS standards.

See Also: What Are the PCI DSS Third-Party Service Provider Management Requirements

For organizations outsourcing the storage, processing, or transmission of cardholder data to third-party service providers, according to PCI SSC, the Compliance Report (ROC) will provide for each service, clearly specifying what requirements apply to the assessed organization and which requirements apply to that organization. Document the role of the provider.

See Also: PCI DSS Disaster Recovery Requirements

Be sure of some standards for which you will be exclusively responsible; some require mutual effort by your company and hosting provider. Services such as physical security may be the sole responsibility of the hosting provider. Ensure you do your due diligence to ensure that all controls between your company and the hosting provider are adequately covered.

Audited Personnel and Documented Security Policies

Without a culture of security and processes that ensure rules and procedures are written, followed, and independently audited, even the most secure technologies are useless.

Examine the details of security controls in the independent audit reports. They should reflect a solid foundation of security policy that guides day-to-day operations. Policies should also include security updates and change management documentation to outline the protocol after significant changes occur in the company.

All personnel should be trained in the secure handling of credit cardholder data and how to ensure the physical and environmental security of a PCI-compliant data center.

PCI DSS requirement 12.6 requires organizations to:

  • Implement a formal security awareness program to educate all employees on the necessity of protecting cardholder data.
  • PCI requirement 12.9.4 also requires that you know what to do in the event of a data breach.
  • Provide appropriate training to personnel with security breach response responsibilities.

Data Center Security

PCI-compliant data centers require physical, network, and data security. Physical security means that only authorized personnel should have limited access to server racks, suites, and cages.

See Also: What are PCI DSS Backup Requirements

Environmental controls should include 24/7 monitoring, recorded surveillance, and multiple alarm systems. Dual authentication access can consist of using both a security badge and a code to gain access to restricted areas.

The use of appropriate facility access controls to limit and monitor physical access to systems in the cardholder data environment is required by PCI requirement 9.1.

See Also: What You Need to Know About PCI Compliant Hosting

Furthermore, PCI DSS requirement 9.1 states that physical security controls for each computer room, data center, and other physical spaces with systems in the cardholder data environment must be verified.

See Also: Data Center Audit Checklist

Check that approved badges, locks, and keys, as well as badge readers or other devices, are used to control access.

Sub-requirements under PCI DSS Requirement 9 require you to restrict physical access to cardholder data and the use of video cameras or access control mechanisms to monitor physical access to sensitive areas.

The restriction includes restricting physical access to network jacks, wireless access points, gateways, handheld devices, and more.

There are also specific requirements regarding how visitors to data centers or facilities with cardholder data are handled. Network security should protect sensitive infrastructures such as managed dedicated servers, cloud servers, power, and network infrastructure with restricted access.

Data Center Security Best Practices for PCI DSS

If your business is an e-commerce or financial services firm that works with payment card data, you should consider PCI DSS compliance when choosing a third-party data center for cloud or colocation.

Access controls

According to PCI DSS, you must verify that access is regulated by badge readers or other devices, such as authorized badges, locks, and keys. This is pretty general, and you should look specifically for multi-factor authentication and appropriate policies and processes to manage access lists.

Camera / CCTV monitoring

Your data center is not PCI compliant unless cameras or CCTV monitors access your equipment, and the recording is kept for at least three months. Most colocation data centers offer customers 24-hour access, so you should look for a provider that also provides live 24-hour CCTV monitoring rather than just recorded CCTV footage.

Restrict access to equipment

A PCI-compliant data center should have measures in place to prevent unauthorized staff from interfering with customers’ equipment in addition to access controls for the facility itself. Therefore, access to network jacks, wireless access points, and communication lines should be restricted as much as possible.

Motion control

It is also essential to control the movements of visitors and other personnel within the data center. In a colocation facility, where many different users visit at different times, this can be tough. Still, if the data center’s access controls and customers’ racks are secure enough, it shouldn’t be a problem.

Some organizations do their best and insist on their own caged space in colocation facilities. This is not a PCI DSS requirement, but it will provide additional peace of mind if other aspects of data center security are in doubt.

Regardless, you will need a secure rack, and you will need control over who has access to it.

Previous article
What Are the PCI DSS Third-Party Service Provider Management Requirements
Next article
PCI DSS Disaster Recovery Requirements
Surkay Baykara
Surkay Baykarahttps://www.pcidssguide.com
A passionate Senior Information Security Consultant working at Cyberwise. Over the past 15+ years my professional career has included several positions beginning as a developer and IT administrator, working my way up to a senior Technical Performance Consultant before joining Biznet back in 2015. I had several different roles at Cyberwise, including Penetration Tester and PCI DSS QSA. In my job as a QSA, I found my passion and worked closely with the Audit and Compliance team. I've been working inside InfoSec for over 15 years, coming from a highly technical background. I have earned several certifications during my professional career including; CEH, CISA, CISSP, and PCI QSA.

More from author

The Most Popular Cyber Risks for Students and How to Protect Yourself from Them

Security 0
In the digital age, students sometimes become targets for cybercriminals. The reasons are manifold: from the vast amount of online personal information to the naive trust many young users place in digital platforms.
Read more

Common Cyber Threats in Ecommerce and How to Mitigate Them

Ecommerce 0
In this article, we will delve into the issue of cybersecurity in ecommerce, describing the types of cyber threats that ecommerce businesses are confronted with and what can be done to avoid these threats.
Read more

Managing Cyber Risk in the Age of Cloud Computing

Cloud Security 0
The cloud delivers game-changing capabilities but also surfaces new cyber risks requiring an evolved security perspective. However, as more sensitive data and critical systems move to the cloud, businesses must adapt their cybersecurity strategies to effectively manage emerging risks.
Read more

Related posts

Data Center Security

Data Center Audit Checklist

The Data Center is an integral and essential part of an organization's IT infrastructure because the Data Center houses all IT infrastructures and support equipment.

Latest posts

The Most Popular Cyber Risks for Students and How to Protect Yourself from Them

0
In the digital age, students sometimes become targets for cybercriminals. The reasons are manifold: from the vast amount of online personal information to the naive trust many young users place in digital platforms.

Common Cyber Threats in Ecommerce and How to Mitigate Them

0
In this article, we will delve into the issue of cybersecurity in ecommerce, describing the types of cyber threats that ecommerce businesses are confronted with and what can be done to avoid these threats.

Managing Cyber Risk in the Age of Cloud Computing

0
The cloud delivers game-changing capabilities but also surfaces new cyber risks requiring an evolved security perspective. However, as more sensitive data and critical systems move to the cloud, businesses must adapt their cybersecurity strategies to effectively manage emerging risks.

Want to stay up to date with the latest news?

We would love to hear from you! Please fill in your details and we will stay in touch. It's that simple!

PCI DSS GUIDE's aim is to clarify the process of PCI DSS compliance as well as to provide some common sense for that process and to help people preserve their security while they move through their compliance processes.

Latest Posts

The Most Popular Cyber Risks for Students and How to Protect Yourself from Them

0
In the digital age, students sometimes become targets for cybercriminals. The reasons are manifold: from the vast amount of online personal information to the naive trust many young users place in digital platforms.

Common Cyber Threats in Ecommerce and How to Mitigate Them

0
In this article, we will delve into the issue of cybersecurity in ecommerce, describing the types of cyber threats that ecommerce businesses are confronted with and what can be done to avoid these threats.

Managing Cyber Risk in the Age of Cloud Computing

0
The cloud delivers game-changing capabilities but also surfaces new cyber risks requiring an evolved security perspective. However, as more sensitive data and critical systems move to the cloud, businesses must adapt their cybersecurity strategies to effectively manage emerging risks.

Most Popular

PCI DSS Requirements

2
The PCI DSS requirements apply to all system components, including people, processes and technologies that store, process or transmit cardholder data or sensitive authentication data, included in or connected to the cardholder data environment.

What’s New in PCI DSS v4.0?

0
PCI DSS v4.0 replaces PCI DSS version 3.2.1 to address emerging threats and technologies better and provide innovative ways to combat new threats.

Firewall Rule Configuration Best Practices

0
When it comes to securing firewall rules, firewalls have a sensible procedure to follow. Whether you're upgrading hardware or establishing a whole new environment, the order of the procedures will differ.

Fast Access

© PCI DSS GUIDE | All rights reserved