What is PCI DSS Hosting
The PCI DSS standard is a set of requirements that must be met by companies working with the data of Visa and MasterCard cardholders. PCI DSS hosting is a service that allows customers to shift part of the responsibility for meeting the requirements of the standard onto the shoulders of the provider. This service allows participants in the market of electronic payment systems to simplify the process of certification and compliance with PCI DSS regulations.
A PCI DSS hosting provider uses various methods to protect cardholder information. Responsibility for fulfilling each of the 12 PCI DSS requirements is divided between the client and the provider according to the agreement concluded between them. Nevertheless, the operator often takes responsibility for protecting the network and data and for controlling physical access to information.
To build a reliable network, the provider uses a set of security tools based on PCI DSS requirements: a firewall, network monitoring solutions and a WAF. In addition, the provider restricts per-user FTP/SSH connections to all machines and uses scripts (such as sshd_sentry) to block IP addresses from which multiple failed login attempts have been made.
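The failed-login lockout just described can be reproduced with a short log-scanning routine. The following is an added example, not code from the page or from the sshd_sentry script it mentions: it parses constructed sshd auth-log lines (hostnames, addresses and the year 2024 are assumed), counts "Failed password" events per source address within a sliding time window, and reports the addresses that cross the threshold. It only produces the list; wiring the result into a firewall rule is left to the operator's tooling.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample auth.log lines (hypothetical host "web1" and documentation addresses).
SAMPLE_LOG = """\
Mar 10 09:00:01 web1 sshd[1201]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2
Mar 10 09:00:04 web1 sshd[1203]: Failed password for invalid user admin from 203.0.113.7 port 51240 ssh2
Mar 10 09:00:09 web1 sshd[1205]: Failed password for root from 203.0.113.7 port 51251 ssh2
Mar 10 09:00:12 web1 sshd[1207]: Failed password for root from 203.0.113.7 port 51260 ssh2
Mar 10 09:00:15 web1 sshd[1209]: Failed password for root from 203.0.113.7 port 51266 ssh2
Mar 10 09:01:30 web1 sshd[1220]: Accepted publickey for deploy from 198.51.100.5 port 40002 ssh2
Mar 10 09:02:00 web1 sshd[1225]: Failed password for deploy from 198.51.100.5 port 40010 ssh2
Mar 10 09:40:00 web1 sshd[1300]: Failed password for root from 192.0.2.9 port 33001 ssh2
Mar 10 10:30:00 web1 sshd[1302]: Failed password for root from 192.0.2.9 port 33002 ssh2
Mar 10 11:20:00 web1 sshd[1304]: Failed password for root from 192.0.2.9 port 33003 ssh2
Mar 10 12:10:00 web1 sshd[1306]: Failed password for root from 192.0.2.9 port 33004 ssh2
Mar 10 13:00:00 web1 sshd[1308]: Failed password for root from 192.0.2.9 port 33005 ssh2
"""

# Matches the standard OpenSSH "Failed password" line; captures timestamp, user and source IP.
FAILED_RE = re.compile(
    r"^(\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(\S+) from (\S+) port \d+"
)


def parse_failures(log_text: str, year: int = 2024) -> dict:
    """Return {source_ip: [datetime, ...]} for every failed password attempt.

    Syslog timestamps carry no year, so one is assumed (parameter `year`)."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue  # accepted logins and unrelated lines are ignored
        ts = datetime.strptime(m.group(1), "%b %d %H:%M:%S").replace(year=year)
        events[m.group(3)].append(ts)
    return events


def find_offenders(log_text: str, threshold: int = 5,
                   window: timedelta = timedelta(minutes=10), year: int = 2024) -> dict:
    """Return {ip: time_threshold_crossed} for addresses with >= `threshold`
    failures inside any `window`-long sliding interval."""
    flagged = {}
    for ip, times in parse_failures(log_text, year).items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            # Slide the window start forward until it covers at most `window`.
            while t - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged[ip] = t
                break
    return flagged


if __name__ == "__main__":
    for ip, when in find_offenders(SAMPLE_LOG).items():
        print(f"block {ip}: threshold crossed at {when.isoformat()}")
```

With the default 10-minute window only 203.0.113.7 is flagged. The five attempts from 192.0.2.9 are spread 50 minutes apart, so each window holds one of them; a slow, patient brute force needs a longer window (or a lower threshold) to be caught, which is the main tuning decision for this kind of script.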
The service provider also protects cardholder data with antivirus software, two-factor authentication, traffic encryption, and backups. The provider is also responsible for the physical protection of the equipment if it has its own data center; often, however, this responsibility falls on the employees of the data center in which the provider places its racks.
Types of PCI DSS hosting
According to our research, the most popular PCI DSS hosting options are co-location, IaaS Basic, and IaaS Advanced.
In the co-location option, the user places their own hardware in the operator's data center. The provider is responsible for the physical security of the equipment: video surveillance must operate in the data center, employees must pass identity checks, and hardware must be placed in secure racks. In addition, the service provider conducts regular inspections and checks the equipment for faults.
The customer is responsible for cardholder data storage, malware protection, and application security. The provider is responsible for restricting physical access to the data. The remaining PCI DSS requirements are distributed between the parties according to the agreement drawn up.
For instance, we can take over part of the application security requirements from the client, since we have a WAF. In addition, we may also be responsible for updating systems and identifying risks. Our employees monitor information security events around the clock in order to respond promptly.
RFI Bank is a successful example of placement under the IaaS Basic scheme. The company works in e-commerce, so it must comply with all 12 requirements of the PCI DSS standard. Our team fully manages the bank's cloud infrastructure.
Under IaaS Advanced, the provider takes responsibility for fulfilling almost all of the PCI DSS requirements, including setting up infrastructure components and networks. The client is engaged only in writing secure applications.
To provide the IaaS Advanced service, a vendor must meet several requirements. The first is two-factor authentication (2FA); for this purpose we run an OTP server that generates one-time tokens.
Another requirement is a firewall. In network matters we always follow the principle "deny everything that is not explicitly allowed." We use a Palo Alto solution with IPS/IDS enabled to monitor unauthorized connections and respond quickly to threats.
Finally, the third requirement is a File Integrity Monitoring system, which monitors the integrity of files, including the files of Linux and Windows operating systems. In addition, we create VM backups every day so that information can be restored in the event of a failure.
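The core of any file integrity monitor is a baseline of file digests and a later comparison against it. As an added illustration (not the provider's product, which the page does not name), the following builds a baseline of SHA-256 digests, permission bits and sizes for every regular file under a directory, then diffs two baselines into added, removed and modified paths. Symlinks are skipped so a link retargeted outside the monitored tree cannot be used to hash something else; a real deployment would also store the baseline somewhere the monitored host cannot rewrite it.

```python
import hashlib
import stat
from pathlib import Path


def _sha256_of(path: Path) -> str:
    """Stream the file through SHA-256 so large files do not have to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: str) -> dict:
    """Return {relative_posix_path: {"sha256": ..., "mode": ..., "size": ...}}
    for every regular file under `root`. Symlinks and special files are skipped."""
    root_path = Path(root)
    baseline = {}
    for path in sorted(root_path.rglob("*")):
        if path.is_symlink() or not path.is_file():
            continue
        st = path.stat()
        baseline[path.relative_to(root_path).as_posix()] = {
            "sha256": _sha256_of(path),
            "mode": stat.S_IMODE(st.st_mode),  # permission bits only; a chmod is a change too
            "size": st.st_size,
        }
    return baseline


def compare(old: dict, new: dict) -> dict:
    """Diff two baselines. A path is 'modified' if any recorded attribute differs."""
    old_paths, new_paths = set(old), set(new)
    return {
        "added": sorted(new_paths - old_paths),
        "removed": sorted(old_paths - new_paths),
        "modified": sorted(p for p in old_paths & new_paths if old[p] != new[p]),
    }


def changed_attributes(old: dict, new: dict, path: str) -> list:
    """Which recorded attributes of `path` differ between the two baselines."""
    return [k for k in old[path] if old[path][k] != new[path][k]]


if __name__ == "__main__":
    import json
    import sys
    # Usage: python fim.py /etc > baseline.json, then later compare the two files.
    target = sys.argv[1] if len(sys.argv) > 1 else "."
    print(json.dumps(build_baseline(target), indent=2))
```

Comparing the stored baseline on a schedule and raising an alert on any non-empty result is the detection; deciding which paths are expected to change (logs, spool directories) and excluding them is what keeps the alerts meaningful.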
What to choose
Cognizant analysts emphasize that complying with PCI DSS requirements is difficult for large organizations such as banks and retail chains. Accordingly, IaaS Basic or Advanced hosting is more suitable for them. For all other companies working with payment card data, the co-location service may be suitable.
Our survey showed that 76% of companies working with electronic payments use the services of cloud vendors. At the same time, the surveyed organizations most often choose the co-location service (44%). Nevertheless, IaaS Basic and IaaS Advanced services are gradually gaining momentum: they are chosen by 32% and 22% of respondents, respectively.
Therefore, we expect that over time, organizations will begin to transfer more and more responsibility for compliance with PCI DSS requirements to providers.
How does an OTP server you manage help authenticate clients of individual organizations from an infrastructure you don't manage outside the cloud?
What authentication server are you using? Do I understand properly that the authentication method is one-time passwords?
What will happen to the bank for violation of PCI DSS (not in terms of hosting)?
It's all great that the client writes only secure applications, but what about the authenticator? I am also interested in whether it is ethical for the hoster to insist that clients apply security policies when renting a server.
A question about the need for PCI DSS certification.
When paying, the online store redirects the customer to the bank's website, and the payment is made there.
Payment data is not stored or processed by the store.
It is impossible to exclude the possibility of the online store's website being compromised and the payment page replaced.
I.e., previously the customer entered data on the bank's website, but now on the store's site (the data is sent to the bank, the operation succeeds, and the payment data is compromised).
Is certification necessary with such initial data?