PCI Compliance Lost in Data Centre Move
In a recent report published by StoreFrontBackTalk.com, a major unnamed retailer apparently lost its PCI compliance when moving data centres. This demonstrates how important selecting the right data centre provider is, and how much PCI DSS compliance matters. PCI DSS version 2.0 is the global data security standard that any business of any size must adhere to in order to accept payment cards and to store, process, and/or transmit cardholder data. It presents common-sense steps that mirror best security practices. Non-compliance may result in fines or worse.
The unnamed US retailer had, understandably, taken the decision to outsource and use a purpose-built colocation facility, with all of the benefits that this brings, but of course did not have visibility of what the data centre provider was doing. In this case, a network change made for good technical reasons and with the best intentions caused the data centre provider to place the retailer in a position of non-compliance. So serious was this that a conference call took place between the retailer, its acquiring bank and the card issuers just to discuss how this non-compliance should be reported. The full story is here: http://storefrontbacktalk.com/securityfraud/how-a-major-chain-lost-pci-compliance-when-a-data-center-moved/
What does this mean to you? Well, firstly, if you store, process, and/or transmit cardholder data, whether you are an ecommerce site, an online retailer, or you simply accept credit cards, you must be PCI DSS compliant. Of course, there are huge advantages in colocation, and there is no reason that benefiting from them should compromise your PCI DSS compliance, but the difficulty can be finding a colocation provider that is itself PCI DSS compliant. One way is to look at the Visa Merchant Agent list for a compliant provider, http://www.visamerchantagentslist.com (search for "co-location" and not "colocation", as it is spelled differently on the site). You will find that there are only two providers listed.
Look too at the PCI DSS Level. Level 1 is the highest level of compliance, with Level 4 being the lowest. Of course, there are other data centre providers that have various lower levels of PCI DSS compliance, but are they ‘self-assessed’? If so, does that really give you confidence that your own PCI DSS compliance won’t be compromised?
Check the Scope
PCI DSS is one of the security standards that are important to consider when selecting a colocation provider. This, combined with ISO 27001, is one of the most important considerations, but as with PCI DSS, be careful about what the certification actually covers. Check the scope: if the data centre provider has scoped only their HR systems in order to gain ISO 27001 certification, it is of absolutely no value to you whatsoever.