PCI DSS Hosting: What You Need to Know

    Recently, we at IT-GRAD successfully recertified the cloud infrastructure for compliance with the PCI DSS standard and received the PCI DSS Managed Service Provider certificate, which means that we can provide PCI DSS hosting services. Next, we will tell you what it is and introduce you to the existing types of service: co-location, IaaS Basic, IaaS Advanced. / photo Neil Turner CC

    What is PCI DSS Hosting?

    The PCI DSS standard is a set of requirements that must be met by companies working with Visa and MasterCard cardholders. Hosting PCI DSS is a service that allows customers to shift part of the responsibility for fulfilling the requirements of the standard to the provider. This service allows participants of the electronic payment systems market to simplify the process of certification and compliance with PCI DSS.

    The PCI DSS hosting provider uses various methods to protect cardholder information. Areas of responsibility for fulfilling each of the 12 requirementsPCI DSS are distributed between the client and the provider, depending on the agreement concluded between them. However, often the operator assumes responsibility for protecting the network, data and controlling physical access to information.

    To build a reliable network, the provider uses a set of security tools based on PCI DSS requirements . This set includes a firewall, network monitoring solutions, and WAF. In addition, the provider restricts FTP / SSH connections for each user to all machines and uses scripts (for example, sshd_sentry) to block IP addresses from which they made several unsuccessful login attempts.

    Provider also protectscardholder data using antivirus software, two-factor authentication, traffic encryption, and backup. The provider is also responsible for the “physical protection” of the equipment (if it has its own data center). But often this obligation falls on the employees of the data center in which the provider places the racks. For example, our equipment in Russia is located in two data centers: Moscow DataSpace and St. Petersburg Xelent, which are certified in the Tier III category from the Uptime Institute.

    / photo Blue Coat Photos CC

    Types of Hosting PCI DSS

    According to our research, the most popular PCI DSS hosting options are co-location, IaaS Basic and IaaS Advanced.


    In this case, the client places its “hardware” in the operator’s data center. The provider is responsible for ensuring the safety of equipment: video surveillance should work in the data center, employees must pass identification control, and iron must be placed in secure racks. In addition, the service provider conducts regular inspections and checks of equipment for malfunctions.

    IaaS Basic

    The customer is responsible for storing cardholder data, malware protection, and application security. The provider is responsible for restricting physical access to data. The remaining PCI DSS requirements are distributed between the parties depending on the drawn up contract.

    For example, we can provide part of the requirements for protecting applications instead of the client, since we have WAF. However, we may also be responsible for updating systems and identifying risks. Our employees are monitoring IP events around the clock to respond quickly.

    A successful example of placement under the IaaS Basic scheme is the RFI Bank. The company operates in the field of e-commerce, so it needs to comply with all 12 requirements of the PCI DSS standard. Our team fully manages the bank’s cloud infrastructure.

    IaaS Advanced

    The IaaS Advanced service means that the provider assumes responsibility for fulfilling almost all the requirements of the PCI DSS standard: this includes the configuration of infrastructure components and networks. The client only writes secure applications.

    To be able to provide the IaaS Advanced service, the vendor must comply with several requirements. The first of these is the presence of 2FA. For these purposes, we have an OTP server that generates one-time tokens.

    Another requirement is a firewall. In network matters, we always work on the principle of "prohibit everything that is not allowed." We use the Palo Alto solution with IPS / IDS support to track unauthorized connections and respond quickly to threats.

    And finally, the third requirement is the availability of the File Integrity Monitor system, which monitors the integrity of files, including files of Linux and Windows operating systems. In addition, we back up VMs every day to be able to restore information in the event of a failure.

    What to choose

    Cognizant analysts emphasize that PCI DSS requirements are difficult to comply with large organizations: banks, retail chains. Therefore, IaaS Basic or Advanced is more suitable for them. All other companies working with payment card data may use the co-location service.

    Our survey showed that 77% of companies working with electronic payments use the services of cloud vendors. At the same time, the organizations surveyed most often choose the co-location service (42%). Nevertheless, IaaS Basic and IaaS Advanced services are gradually gaining momentum - 32 and 21% of respondents choose them. Therefore, we assume that over time, organizations will begin to transfer more and more responsibility for the implementation of PCI DSS requirements into the hands of providers.

    PS A few articles on PCI DSS certification from the First Enterprise IaaS Blog:

    Also popular now: