Kip Miles of Rackspace identifies two key PCI considerations for hosted services

Every Saturday morning the aisles of Home Depot are filled with “do it yourselfers”—confident men and women with plans to lay new floors or retile their bathrooms by themselves. But first, the checklists: wet tile saw, tile, grout, tile cutter, a free weekend… and while they’re completing their lists, somewhere in the back of their minds they’re thinking, “What if I mess this up, and how much would it cost for someone else to do this for me?”

Achieving and maintaining PCI compliance for a data center isn’t really all that different. This time-consuming, expensive, nightmarish project is on the minds of every online retail outlet and CSO facing this year’s holiday shopping season.

Even with a slowed economy, consumers are expected once again to flock to the Internet to do their shopping. Last year online retailers recorded more than $29 billion in online sales, up nearly 20 percent over the year before. Mingled among those shoppers were the online thieves who can cost the average business owner more than $350,000.

To help combat online fraud, online retailers endeavor to maintain compliance with the security standards set by the PCI Security Standards Council. This draws on limited and expensive resources to reallocate data centers to match the PCI physical requirements, train and certify IT staff, report compliance and respond 24/7 to security breaches. At some point, some CSOs ask, “What would it take for someone to do this for me?”

Leveraging hosted resources for a responsibility like PCI compliance isn’t for everyone. If you can afford the resources, you can argue for the benefits of being the master of your domain. But with that, you take on the full scope of measures to prevent data breaches that may result in loss of revenue, exposure to litigation and damage to your brand and reputation in the process.

With a hosted solution partner you allow someone else to take much of the heat and carry the load for you. Online retailers gain the flexibility and freedom to manage the business of selling product and providing customer service while others manage the server infrastructure and overall hosted environment, and at the same time provide solutions and answers for PCI compliance.

When evaluating a hosted solution partner to support PCI compliance, CSOs should look for two key requirements—infrastructure and experience. This includes the ability to maintain physical security and maintenance from the servers up to the Web application layer itself. It also requires a complete list of employees who are certified and focused exclusively on PCI compliance and data center security.

Physical Security and Infrastructure

With a PCI-compliant hosted solution, data center managers are free from having to retrofit their server environments to account for PCI physical security requirements. At a PCI-compliant hosted site, cameras are in place and monitored throughout the data center, with access controls implemented, enforced and demonstrated on request. Firewall protection and encryption are secured and accessible around the clock, and measures are put in place to protect against interruptions and downtime.

In addition, a PCI-compliant hosted solution meets the demands of PCI to implement regular security upgrades that might otherwise interfere with a customer’s sales and service operations. Access logs are maintained with more than 90-day retention.

With the servers at the host site, enterprises can reallocate their capital spending on new hardware in exchange for monthly payment plans for server access. With tightening credit markets, this option is extremely attractive to enterprises that need to reduce IT costs and direct capital spending elsewhere. The hosted environment also provides data center managers with the ability to manage server access on an ebb-and-flow basis—heavy during the holiday shopping season and lighter during off-peak seasons. And the energy costs of running the data centers are left with the hosting partner to pay.

By hosting the servers off site, managed 24/7, CSOs have the ability to pull the plug immediately on any server in the rare case of a data breach. With this approach, the evidence chain is better managed and the server can be removed without affecting other parts of the business.

PCI Talent

Human resources is another key consideration for a CSO planning to manage PCI compliance in house. IT resources and experience in this industry are limited and in big demand right now, not to mention experts who are trained and certified on PCI. Ongoing training and certification is crucial for this job.

By working with a PCI-compliant hosted solution provider, CSOs are provided with security specialists who specialize in PCI. Because a host provider manages a higher volume of PCI compliance work, it can afford to hire individuals who are high-level experts. A company managing PCI in house would likely have to hire someone who is certified on multiple fronts and might not have the opportunity to drill down on one subject or area of expertise.

By placing part of the PCI responsibility on an outside source that can prove its employees have undergone background checks and are certified, the enterprise could possibly negotiate better deals with its insurance carriers—or at least make them a little happier.

In addition to helping carry part of the PCI responsibility, a hosted solution provider also has the ability to maintain a broad enough staff to ensure a consistent separation of duties for workers. Facilities managers might have access to the controls of a data center but not to the credit card data, and vice versa. Data access should be controlled by a separate person who holds the encryption keys. The two categories of workers should be physically separated from the system, so that the employees who have access to the infrastructure can keep an independent log that is inaccessible to the workers who have access to the encryption keys.

Whether or not PCI compliance is something a CSO wants to manage in house is entirely based on their need for a sense of control and the availability of capital and IT resources. In the end it’s a question of risk and capabilities.

Kiprian “Kip” Miles is VP, Information Technology for Rackspace.