Industry View: Sharing the PCI Load

Kip Miles of Rackspace identifies two key PCI considerations for hosted services

By Kip Miles, Rackspace

Page 2

Physical Security and Infrastructure
With a PCI-compliant hosted solution, data center managers are free from having to retrofit their server environments to meet PCI physical security requirements. At a PCI-compliant hosted site, cameras are in place and monitored throughout the data center, and access controls are implemented, enforced and demonstrated on request. Firewall protection and encryption are maintained and accessible around the clock, and measures are in place to protect against interruptions and downtime.

In addition, a PCI-compliant hosted solution meets the PCI requirement to apply regular security upgrades, work that might otherwise interfere with a customer's sales and service operations. Access logs are maintained with retention periods of more than 90 days.

With the servers at the host site, enterprises can reallocate their capital spending on new hardware in exchange for monthly payment plans for server access. With tightening credit markets, this option is extremely attractive to enterprises that need to reduce IT costs and direct capital spending elsewhere. The hosted environment also gives data center managers the ability to scale server access up and down on an ebb and flow basis—heavy during the holiday shopping season and lighter during off-peak periods. And the energy costs of running the data centers are left with the hosting partner to pay.

With the servers hosted off site and managed 24/7, CSOs have the ability to pull the plug immediately on any server in the rare case of a data breach. With this approach, the evidence chain is better managed and the server can be removed without affecting other parts of the business.

PCI Talent
Human resources are another key consideration for a CSO planning to manage PCI compliance in house. IT resources and experience in this industry are limited and in high demand right now, not to mention experts who are trained and certified on PCI. Ongoing training and certification are crucial for this job.

By working with a PCI-compliant hosted solution provider, CSOs gain access to security specialists focused on PCI. Because a hosting provider manages a higher volume of PCI compliance work, it can afford to hire high-level experts. A company managing PCI in house would likely have to hire someone who is certified on multiple fronts and might not have the opportunity to drill down on one subject or area of expertise.

By placing part of the PCI responsibility on an outside provider that can prove its employees have undergone background checks and are certified, the enterprise could possibly negotiate better deals with its insurance carriers—or at least make them a little happier.
