PCI DSS Hosting: What You Need to Know

Recently, we at IT-GRAD successfully recertified our cloud infrastructure for compliance with the PCI DSS standard and received the PCI DSS Managed Service Provider certificate, which means that we can provide PCI DSS hosting services. Below we explain what this service is and introduce the existing types of service: co-location, IaaS Basic and IaaS Advanced.


Photo: Neil Turner, CC

What is PCI DSS Hosting?


The PCI DSS standard is a set of requirements that must be met by companies that handle Visa and MasterCard cardholder data. PCI DSS hosting is a service that allows customers to shift part of the responsibility for fulfilling the requirements of the standard to the provider. This service allows participants in the electronic payments market to simplify the process of certification and ongoing compliance with PCI DSS.

The PCI DSS hosting provider uses various methods to protect cardholder information. Responsibility for fulfilling each of the 12 PCI DSS requirements is divided between the client and the provider according to the agreement concluded between them. In practice, however, the provider usually assumes responsibility for protecting the network and the data and for controlling physical access to the equipment.

To build a reliable network, the provider uses a set of security tools based on the PCI DSS requirements. This set includes a firewall, network monitoring solutions and a WAF. In addition, the provider restricts each user's FTP/SSH access to the machines they are allowed to reach, and uses scripts (for example, sshd_sentry) to block IP addresses from which several unsuccessful login attempts have been made.
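The blocking logic described above boils down to counting failed logins per source address inside a sliding time window. The following is an added example, not IT-GRAD's code and not the sshd_sentry script; it parses constructed sshd-style log lines (ISO timestamps, TEST-NET addresses) and reports the addresses that exceed a threshold, which is the list a firewall block rule would be fed from.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Matches the "Failed password" line sshd writes on an unsuccessful login.
# The timestamp format is an assumption of this example (ISO 8601, as rsyslog
# emits with high-precision timestamps enabled); classic "Jan 10 12:00:01"
# stamps would need a different pattern and a year.
FAILED_RE = re.compile(
    r"^(?P<ts>\S+) \S+ sshd\[\d+\]: Failed password for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)

# Constructed sample log: one host hammering root/admin, one host with a few
# typos, one slow host whose failures never cluster inside the window.
SAMPLE_LOG = """\
2024-01-10T11:30:00 gw sshd[2101]: Failed password for root from 192.0.2.9 port 40001 ssh2
2024-01-10T11:38:00 gw sshd[2102]: Failed password for root from 192.0.2.9 port 40002 ssh2
2024-01-10T11:46:00 gw sshd[2103]: Failed password for root from 192.0.2.9 port 40003 ssh2
2024-01-10T11:54:00 gw sshd[2104]: Failed password for root from 192.0.2.9 port 40004 ssh2
2024-01-10T12:00:01 gw sshd[2110]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2
2024-01-10T12:00:05 gw sshd[2111]: Failed password for invalid user admin from 203.0.113.5 port 51235 ssh2
2024-01-10T12:00:09 gw sshd[2112]: Failed password for root from 203.0.113.5 port 51236 ssh2
2024-01-10T12:00:14 gw sshd[2113]: Failed password for root from 203.0.113.5 port 51237 ssh2
2024-01-10T12:00:20 gw sshd[2114]: Failed password for invalid user test from 203.0.113.5 port 51238 ssh2
2024-01-10T12:00:27 gw sshd[2115]: Failed password for root from 203.0.113.5 port 51239 ssh2
2024-01-10T12:01:10 gw sshd[2120]: Failed password for ivan from 198.51.100.7 port 60010 ssh2
2024-01-10T12:01:15 gw sshd[2121]: Failed password for ivan from 198.51.100.7 port 60011 ssh2
2024-01-10T12:01:30 gw sshd[2122]: Accepted publickey for ivan from 198.51.100.7 port 60012 ssh2
2024-01-10T12:02:00 gw sshd[2105]: Failed password for root from 192.0.2.9 port 40005 ssh2
""".splitlines()


def parse_failures(lines):
    """Yield (timestamp, source_ip, username) for every failed-login line."""
    for line in lines:
        m = FAILED_RE.match(line)
        if m:
            yield datetime.fromisoformat(m.group("ts")), m.group("ip"), m.group("user")


def offenders(lines, threshold=5, window=timedelta(minutes=10)):
    """Return {ip: time_first_crossed} for sources with >= threshold failures
    inside any sliding window of the given length."""
    recent = defaultdict(deque)   # ip -> timestamps of failures still inside the window
    flagged = {}
    for ts, ip, _user in parse_failures(lines):
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > window:   # drop failures that aged out of the window
            q.popleft()
        if len(q) >= threshold and ip not in flagged:
            flagged[ip] = ts
    return flagged


if __name__ == "__main__":
    for ip, when in offenders(SAMPLE_LOG).items():
        print(f"block {ip}: threshold reached at {when.isoformat()}")
```

The slow host 192.0.2.9 accumulates five failures but never five within ten minutes, so it is not reported; tuning the window and threshold to the environment is what keeps such a blocker from locking out legitimate users who mistype a password a few times.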

The provider also protects cardholder data using antivirus software, two-factor authentication, traffic encryption and backups. The provider is also responsible for the "physical protection" of the equipment (if it has its own data center). Often, though, this obligation falls on the staff of the data center in which the provider places its racks. For example, our equipment in Russia is located in two data centers, DataSpace in Moscow and Xelent in St. Petersburg, both certified Tier III by the Uptime Institute.


Photo: Blue Coat Photos, CC

Types of PCI DSS Hosting


According to our research, the most popular PCI DSS hosting options are co-location, IaaS Basic and IaaS Advanced.

Co-location

In this case, the client places its own hardware in the provider's data center. The provider is responsible for the physical security of the equipment: the data center must have working video surveillance, employees must pass identity checks, and the hardware must be placed in locked racks. In addition, the service provider conducts regular inspections and checks the equipment for malfunctions.

IaaS Basic

The client is responsible for storing cardholder data, malware protection and application security. The provider is responsible for restricting physical access to the data. The remaining PCI DSS requirements are distributed between the parties depending on the contract drawn up.

For example, we can take over part of the application-protection requirements on the client's behalf, since we operate a WAF. We can also take responsibility for updating systems and identifying risks. Our employees monitor security events around the clock so that we can respond quickly.

A successful example of an IaaS Basic deployment is RFI Bank. The company operates in e-commerce, so it must comply with all 12 requirements of the PCI DSS standard. Our team fully manages the bank's cloud infrastructure.

IaaS Advanced

The IaaS Advanced service means that the provider assumes responsibility for fulfilling almost all requirements of the PCI DSS standard, including configuring the infrastructure components and the network. The client is left only with writing secure applications.

To be able to provide the IaaS Advanced service, the vendor must meet several requirements. The first of these is two-factor authentication (2FA). For this purpose we run an OTP server that generates one-time tokens.
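To make the OTP part concrete, here is an added example (not IT-GRAD's OTP server, whose product is not named on the page) of the two halves of time-based one-time passwords as standardised in RFC 4226/6238: generating a code from a shared secret and the current time step, and the server-side check that tolerates one step of clock drift while refusing to accept the same code twice. The secret is the RFC 6238 reference key, used here only so the output can be checked against the published test vectors.

```python
import hashlib
import hmac
import struct
import time

# Constructed demo secret: the RFC 6238 reference key (ASCII "12345678901234567890").
# A real OTP server generates a random per-user secret and stores it encrypted.
DEMO_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = (
        (digest[offset] & 0x7F) << 24
        | digest[offset + 1] << 16
        | digest[offset + 2] << 8
        | digest[offset + 3]
    ) % (10 ** digits)
    return str(code).zfill(digits)


def totp(secret: bytes, timestamp: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter taken from the Unix time divided into steps."""
    return hotp(secret, timestamp // step, digits)


class OtpVerifier:
    """Server-side verification with two properties an OTP server needs:
    - a small window of neighbouring time steps is accepted, so a token whose
      clock is a few seconds off still works;
    - the highest counter already accepted per user is remembered, so a captured
      code cannot be replayed inside the window."""

    def __init__(self, step: int = 30, digits: int = 6, window: int = 1):
        self.step = step
        self.digits = digits
        self.window = window
        self.last_counter = {}  # user -> highest counter accepted so far

    def verify(self, user: str, secret: bytes, code: str, timestamp: int) -> bool:
        counter = timestamp // self.step
        for candidate in range(counter - self.window, counter + self.window + 1):
            if candidate <= self.last_counter.get(user, -1):
                continue  # already used (or older): reject to prevent replay
            # compare_digest keeps the comparison time independent of where codes differ
            if hmac.compare_digest(hotp(secret, candidate, self.digits), code):
                self.last_counter[user] = candidate
                return True
        return False


if __name__ == "__main__":
    now = int(time.time())
    code = totp(DEMO_SECRET, now)
    v = OtpVerifier()
    print("code:", code, "first check:", v.verify("demo", DEMO_SECRET, code, now),
          "replay:", v.verify("demo", DEMO_SECRET, code, now))
```

The six-digit codes for the reference key at Unix times 59, 1111111109 and 1111111111 are 287082, 081804 and 050471 respectively, which is how a fresh implementation is checked before it is trusted with logins.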

Another requirement is a firewall. In network configuration we always work on the principle of "prohibit everything that is not explicitly allowed." We use a Palo Alto solution with IPS/IDS support to detect unauthorized connections and respond quickly to threats.

And finally, the third requirement is a file integrity monitoring (FIM) system, which tracks changes to files, including the files of the Linux and Windows operating systems themselves. In addition, we back up VMs every day so that information can be restored in the event of a failure.
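The core of a file integrity monitor is a signed or otherwise protected baseline of file hashes and a periodic comparison against it. The following is an added example, not IT-GRAD's FIM product: it hashes every regular file under a directory, then reports files that were added, removed or modified since the baseline. The demo scenario (a temporary directory with a tampered sshd_config, a new file and a deleted file) is constructed for illustration.

```python
import hashlib
import os
from typing import Dict, List


def sha256_file(path: str, chunk: int = 1 << 16) -> str:
    """Stream a file through SHA-256 so large files do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def hash_tree(root: str) -> Dict[str, str]:
    """Baseline: relative POSIX path -> SHA-256 for every regular file under root.
    Symlinks are skipped so a link pointing outside the tree cannot be mistaken
    for a monitored file."""
    baseline = {}
    for dirpath, _dirs, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            if os.path.isfile(full) and not os.path.islink(full):
                rel = os.path.relpath(full, root).replace(os.sep, "/")
                baseline[rel] = sha256_file(full)
    return baseline


def diff_baseline(old: Dict[str, str], new: Dict[str, str]) -> Dict[str, List[str]]:
    """Compare two baselines; each list is sorted so reports are stable between runs."""
    return {
        "added": sorted(set(new) - set(old)),
        "removed": sorted(set(old) - set(new)),
        "modified": sorted(p for p in set(old) & set(new) if old[p] != new[p]),
    }


def demo_run() -> Dict[str, List[str]]:
    """Constructed scenario: baseline a temp directory, then change, add and delete files."""
    import tempfile

    def write(path: str, data: bytes) -> None:
        with open(path, "wb") as f:
            f.write(data)

    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "etc"))
        write(os.path.join(root, "etc", "passwd"), b"root:x:0:0:root:/root:/bin/sh\n")
        write(os.path.join(root, "etc", "sshd_config"), b"PermitRootLogin no\n")
        write(os.path.join(root, "app.cfg"), b"debug=false\n")
        before = hash_tree(root)  # in production: stored off-host and signed

        write(os.path.join(root, "etc", "sshd_config"), b"PermitRootLogin yes\n")  # tampered
        write(os.path.join(root, "etc", "motd"), b"new file\n")                     # added
        os.remove(os.path.join(root, "app.cfg"))                                    # removed
        after = hash_tree(root)
        return diff_baseline(before, after)


if __name__ == "__main__":
    for kind, paths in demo_run().items():
        print(f"{kind}: {paths}")
```

Note that a baseline stored on the same host it protects can be rewritten along with the files, which is why the comparison list (and ideally the baseline itself) is kept off the monitored system and why changes to the OS's own files, as the article mentions, are exactly what the monitor must cover.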

What to choose


Cognizant analysts emphasize that PCI DSS requirements are difficult for large organizations such as banks and retail chains to comply with. Such organizations are therefore more likely to choose IaaS Basic or IaaS Advanced hosting. All other companies working with payment card data can use the co-location service.

Our survey showed that 77% of companies working with electronic payments use the services of cloud vendors. At the same time, the organizations surveyed most often choose the co-location service (42%). Nevertheless, the IaaS Basic and IaaS Advanced services are gradually gaining momentum: they are chosen by 32% and 21% of respondents respectively. We therefore expect that over time organizations will transfer more and more of the responsibility for meeting PCI DSS requirements into the hands of providers.


