What Are the PCI DSS Data Center Security Requirements?
Data centers generally support the storage, processing, and transmission of data. This data is potentially vulnerable to theft and misuse. As a result, PCI DSS has a set of requirements to establish best practices and mitigate attack vulnerabilities.
Data center users, and the owners of the storage, processing, or transmission process, must demonstrate that they meet these requirements annually. Even if the data center provider has nothing to do with the data an end user stores on the hosted hardware, the provider is almost always responsible for the physical protection of that hardware.
All data centers must comply with the following physical security requirements:
- There should be video surveillance to monitor entry and exit from data centers.
- Access to data centers and physical copies of cardholder data should be restricted.
- Where possible, access will be made using electronic badge systems. When not possible, access is logged manually via a Visitor Access Log as defined in your procedures.
- Develop procedures to distinguish between on-site staff and visitors easily.
- Record the visitor’s name, company represented, and on-site personnel allowing physical access in the logbook.
- Unless otherwise restricted by law, access logs must be retained for at least three months.
- When physical copies of cardholder data are moved between physical locations, the delivery method must be followed as defined in your transport procedures.
- Physical access to data centers should be limited to authorized personnel, designated approved employees, or contractors whose job functions or responsibilities require such physical access.
- Appropriate personnel IDs should be provided for access to data centers.
- Procedures for removing access should be followed for employees who are no longer employed by the organization or transferred from a data center access role.
- Visitors accessing data centers should be accompanied by authorized personnel, and all access should be recorded via the Visitor Access Log as defined in your procedures.
- Visitors who need access to the network should only be allowed onto authorized systems, by authorized personnel, and their access should be monitored.
- Unless authorized in advance, the data center should expose no network access points to visitors, and any authorized access should be limited to the duration of the visit.
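As an added illustration (not part of the original article), the following Python script audits a constructed visitor access log against the points in the list above: each entry must name the visitor, their company and the escorting on-site employee; network access must be pre-authorized and fall within the badge-in/badge-out window; and the log must cover at least three months, taken here as 90 days. The column names and sample rows are assumptions made for the example.

```python
import csv
import io
from datetime import date, timedelta

RETENTION_DAYS = 90  # "at least three months", taken as 90 days

# Constructed sample log (not from any real facility): visit date, badge-in/out
# times, visitor, company, escorting employee, whether network access was
# pre-authorized, and the network session window (blank if none was given).
SAMPLE_LOG = """\
date,in,out,visitor,company,escort,net_authorized,net_start,net_end
2024-01-05,09:00,11:30,A. Patel,Acme Cooling,J. Lee,no,,
2024-02-14,13:00,15:00,M. Rossi,RackVendor,,no,,
2024-03-20,10:00,12:00,K. Chen,NetFix Ltd,S. Gomez,yes,10:15,11:45
2024-04-02,08:30,10:00,L. Okafor,NetFix Ltd,S. Gomez,no,08:40,09:30
2024-04-09,14:00,15:00,R. Silva,Acme Cooling,J. Lee,yes,14:00,16:30
"""

def parse_log(text):
    return list(csv.DictReader(io.StringIO(text)))

def audit_entry(row):
    """Return the findings for one log row (an empty list means compliant)."""
    findings = []
    # The log must record the visitor, the company and the escorting employee.
    for field in ("visitor", "company", "escort"):
        if not row[field].strip():
            findings.append(f"missing {field}")
    if row["net_start"] or row["net_end"]:
        # Network access only with prior authorization ...
        if row["net_authorized"].lower() != "yes":
            findings.append("network access without prior authorization")
        # ... and only while the visitor is on site (zero-padded HH:MM strings
        # compare correctly as text).
        if row["net_start"] < row["in"] or row["net_end"] > row["out"]:
            findings.append("network session outside visit window")
    return findings

def audit_log(text, today_iso):
    """Map row index -> findings, plus a 'retention' key if the log is too short."""
    today, rows, report = date.fromisoformat(today_iso), parse_log(text), {}
    for i, row in enumerate(rows):
        findings = audit_entry(row)
        if findings:
            report[i] = findings
    oldest = min(date.fromisoformat(r["date"]) for r in rows)
    if today - oldest < timedelta(days=RETENTION_DAYS):
        report["retention"] = [f"log covers fewer than {RETENTION_DAYS} days"]
    return report
```

Running `audit_log(SAMPLE_LOG, "2024-04-15")` flags the missing escort on the second row, the unauthorized and out-of-window network sessions on the last two rows, and reports no retention problem because the oldest entry is more than 90 days old.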
PCI-compliant data center requirements are essential for a multi-layered approach to the security and availability of critical data and applications. If you are outsourcing, make sure your PCI hosting provider offers each of the following items.
Third-Party Independent PCI DSS Audit Report
A PCI data center service provider should be willing to share its audit report under NDA so that you can confirm it follows the required compliance rules and practices. Request a copy of the independent audit report documenting the measures the hosting provider has adopted to meet the 12 PCI DSS requirements.
For organizations outsourcing the storage, processing, or transmission of cardholder data to third-party service providers, the PCI SSC expects the Report on Compliance (ROC) to cover each service, clearly specifying which requirements apply to the assessed organization and which are the responsibility of the provider, and to document the provider's role.
Be aware that for some requirements you will be solely responsible, while others require a joint effort by your company and the hosting provider. Services such as physical security may be the sole responsibility of the hosting provider. Do your due diligence to confirm that every control is covered by either your company or the hosting provider.
Audited Personnel and Documented Security Policies
Without a culture of security and processes that ensure rules and procedures are written, followed, and independently audited, even the most secure technologies are useless.
Examine the details of security controls in the independent audit reports. They should reflect a solid foundation of security policy that guides day-to-day operations. Policies should also include security updates and change management documentation to outline the protocol after significant changes occur in the company.
All personnel should be trained in the secure handling of credit cardholder data and how to ensure the physical and environmental security of a PCI-compliant data center.
PCI DSS requirement 12.6 requires organizations to:
- Implement a formal security awareness program to educate all employees on the necessity of protecting cardholder data.
PCI DSS requirement 12.9.4 also requires that you know what to do in the event of a data breach, and specifically that you:
- Provide appropriate training to personnel with security breach response responsibilities.
Data Center Security
PCI-compliant data centers require physical, network, and data security. Physical security means that only authorized personnel have access to server racks, suites, and cages, and that this access is limited to what their role requires.
Environmental controls should include 24/7 monitoring, recorded surveillance, and multiple alarm systems. Dual authentication access can consist of using both a security badge and a code to gain access to restricted areas.
The use of appropriate facility access controls to limit and monitor physical access to systems in the cardholder data environment is required by PCI requirement 9.1.
Furthermore, PCI DSS requirement 9.1 states that physical security controls for each computer room, data center, and other physical spaces with systems in the cardholder data environment must be verified.
Check that approved badges, locks, and keys, as well as badge readers or other devices, are used to control access.
Sub-requirements under PCI DSS Requirement 9 require you to restrict physical access to cardholder data and to use video cameras or access control mechanisms to monitor physical access to sensitive areas.
The restriction includes restricting physical access to network jacks, wireless access points, gateways, handheld devices, and more.
There are also specific requirements regarding how visitors to data centers or facilities with cardholder data are handled. Network security should protect sensitive infrastructures such as managed dedicated servers, cloud servers, power, and network infrastructure with restricted access.
Data Center Security Best Practices for PCI DSS
If your business is an e-commerce or financial services firm that works with payment card data, you should consider PCI DSS compliance when choosing a third-party data center for cloud or colocation.
According to PCI DSS, you must verify that access is regulated by badge readers or other devices, such as authorized badges, locks, and keys. This is pretty general, and you should look specifically for multi-factor authentication and appropriate policies and processes to manage access lists.
Camera / CCTV monitoring
Your data center is not PCI compliant unless cameras or CCTV monitor access to your equipment and the recordings are kept for at least three months. Most colocation data centers offer customers 24-hour access, so you should look for a provider that also provides live 24-hour CCTV monitoring rather than just recorded CCTV footage.
Restrict access to equipment
A PCI-compliant data center should have measures in place to prevent unauthorized staff from interfering with customers’ equipment in addition to access controls for the facility itself. Therefore, access to network jacks, wireless access points, and communication lines should be restricted as much as possible.
It is also essential to control the movements of visitors and other personnel within the data center. In a colocation facility, where many different users visit at different times, this can be tough. Still, if the data center’s access controls and customers’ racks are secure enough, it shouldn’t be a problem.
Some organizations go further and insist on their own caged space in colocation facilities. This is not a PCI DSS requirement, but it provides additional peace of mind if other aspects of the data center's security are in doubt.
Regardless, you will need a secure rack, and you will need control over who has access to it.