PCI DSS Compliance in a hosted infrastructure
A Rackspace White Paper, Spring 2010

Summary

The Payment Card Industry Data Security Standard (PCI DSS) is a global information security standard defined by the Payment Card Industry Security Standards Council (PCI SSC). The purpose of the standard is to reduce credit card fraud. This is achieved through increased controls around cardholder data and its exposure to compromise. The standard applies to all organizations which process, store, or transmit cardholder information.

The purpose of this guide is to explain clearly what PCI DSS is, who it is relevant to, which areas of PCI DSS Rackspace can assist with, and which responsibilities are solely those of the customer.

For more information, please contact Rackspace, the home of Fanatical Support.
Introduction

Compliance with the Payment Card Industry Data Security Standard (PCI DSS) is mandatory for ALL organisations worldwide that accept, store, process or transmit credit card details, and finding the right hosting partner is vital to success. While there are many areas of PCI compliance that Rackspace can assist with, customers should always seek consultation and validation from their merchant bank and qualified third parties (e.g. Qualified Security Assessors and Approved Scanning Vendors) to ensure that they meet all the requirements relevant to their business. Be aware that different credit card brands (e.g. Visa, MasterCard, etc.) may have different certification levels and requirements, so guidance from these brands is vital to successfully attaining compliance.

Rackspace is accredited by Visa as a Compliant Level 1 Payment Card Industry (PCI) Service Provider. Please note that although Rackspace is a PCI compliant service provider, this does not automatically make our customers PCI compliant - customers should consult with their Merchant Bank or card brand to clarify any PCI obligations and steps to achieve compliance.

What is PCI DSS?

The Payment Card Industry Data Security Standard is a global standard for information security that was developed and assembled by the Payment Card Industry Security Standards Council (PCI SSC). This council was founded by a number of payment brands including American Express, Discover Financial Services, JCB International, MasterCard Worldwide and Visa Inc. International. PCI DSS contains requirements for security management, policies, procedures, network architecture, software design and other critical protective measures, intended to help businesses proactively protect their own and their customers' data. The primary aim of the council was to help facilitate the broad adoption of consistent data security measures on a global basis.

Should My Business be PCI-DSS Compliant?
If your business stores, processes, or transmits cardholder data*, there is a requirement to be PCI-DSS compliant. Non-compliance with PCI-DSS could lead to:

- Loss of reputation
- Loss of customers
- Increased costs for accepting credit card transactions
- Complete withdrawal of credit card processing facilities in the worst cases
- Substantial fines associated with security breaches and non-compliance
- Litigation

*Cardholder data refers to the PAN (Primary Account Number) plus cardholder name, expiration date and service code.
What are the levels of PCI Compliance?

While there are different levels defined, the payment volume thresholds are also different depending upon the payment brand, i.e. American Express, MasterCard and Visa. Using Visa as an example, there are 4 levels of PCI-DSS assessment for Merchants, and 3 different levels for Service Providers.

Merchant:

- Level 1: Any merchant who processes over 6,000,000 credit card transactions per year. Requires annual on-site validation by a third party QSA (Qualified Security Assessor)
- Level 2: Any merchant who processes between 1,000,000 and 6,000,000 transactions per year. Requires annual self-assessment
- Level 3: Any merchant who processes between 20,000 and 1,000,000 transactions per year. Requires annual self-assessment
- Level 4: Any merchant who processes fewer than 20,000 transactions per year. Requires annual self-assessment

Service provider:

- Level 1: All VisaNet processors (member and non-member) and all payment gateways
- Level 2: Any service provider that is not in Level 1 and stores, processes, or transmits more than 1,000,000 Visa accounts/transactions annually
- Level 3: Any service provider that is not in Level 1 and stores, processes, or transmits fewer than 1,000,000 Visa accounts/transactions annually

Please contact the PCI Council for more information, and your merchant bank to confirm which level applies to your business. The PCI Council website can be found at https://www.pcisecuritystandards.org/
Key Steps towards PCI-DSS Compliance

1. Contact your Merchant/Acquiring Bank

Your merchant/acquiring bank should provide guidance on:

- Validation requirements for your assessment (self-assessment vs. on-site audit)
- Deadlines
- Penalties for non-compliance
- Penalties for security breaches

2. Conduct a scoping exercise

This exercise should uncover the flow of cardholder data in your transactional websites, i.e. where and how cardholder data enters and leaves your website environment. Results of this exercise should reveal:

- Where cardholder data is being stored
- What third parties have access to cardholder data
- How cardholder data is being secured in transit and in storage

A smaller scope can facilitate an easier compliance exercise.

3. Review business processes

Are your processes expanding your scope unnecessarily or increasing your attack exposure? For example:

- Do you really need to store cardholder data?
- Do you have security policies for firewalls, patching, malware, etc.?
- Is your application coded with best practices?
- Can non-core functions be outsourced?

4. Utilise the information on the PCI-SSC website

The main PCI-SSC website is a great resource for your PCI-DSS compliance journey. You can find key information on:

- Updates to the standard
- Frequently asked questions
- Testing procedures for each requirement
- List of Qualified Security Assessors and Approved Scanning Vendors

5. Engage a QSA (Qualified Security Assessor)

- If you do not have the in-house expertise to implement and manage a PCI-DSS compliance programme, it is recommended that you engage a QSA
- Look for QSAs with good track records of working with organisations of a similar size to yours
- Make sure that your QSA organisation can be found on the list of approved QSAs on the PCI-SSC website

6. Engage an ASV (Approved Scanning Vendor)

- The PCI-DSS Standard requires every merchant and service provider to engage an Approved Scanning Vendor to conduct periodic scans of your cardholder environment. This is mandatory
- There is a list of ASVs on the PCI-SSC website
- To be compliant, you must pass each ASV scan
The Prioritised Approach to PCI DSS Compliance

To assist organisations in completing the PCI compliance process, the PCI Security Standards Council have produced a Prioritised Approach to help businesses understand where they can act to reduce risk earlier in the compliance process. The Prioritised Approach (see the PCI SSC website for more details: https://www.pcisecuritystandards.org/index.shtml) breaks the steps to compliance down into six milestones and clearly maps each milestone to the 12 PCI DSS requirements and their individual sub-requirements. These milestones make it easier to understand each major area and enable organisations working towards compliance to focus first on the higher-priority requirements, which typically take longer to complete, before moving to the lower-priority, less complex requirements.

How Can a Hosting Provider Help with PCI Compliance?

If you outsource all or part of your cardholder environment to a 3rd party, the standard requires that party to be PCI-DSS compliant.

- Rackspace is a Level 1 certified PCI-DSS Service Provider
- Our compliance is reassessed annually by an external auditor. The last audit was completed in June 2009

Rackspace offers a suite of hardware, software, and services that can help facilitate your compliance.
These include:

- Managed Cisco firewalls
- VPN system management access
- Sophos and Symantec anti-virus protection
- Thawte and Verisign SSL certificates
- Alert Logic Intrusion Detection Services (IDS)
- PCI ASV network scanning service (included with IDS)
- Physical system security (included with standard support)
- Patch management services (included with standard support)

Summary

- If you accept, store, process, or transmit cardholder data then you have a requirement to be PCI-DSS compliant
- There are penalties associated with non-compliance and data security breaches
- Rackspace can help you and your clients drive PCI-DSS compliance through its suite of hardware, software, and services
- Review the information publicly available on the PCI-SSC website: https://www.pcisecuritystandards.org/

Please note that although Rackspace is a PCI compliant service provider, this does not automatically make our customers PCI compliant - customers should consult with their merchant bank and a Qualified Security Assessor to clarify any PCI obligations and steps to achieve customer compliance.