Rackspace pursued this compliance so that we can provide a PCI Compliant Hosting Infrastructure for its customers. Infrastructure, in this case, includes:

Physical Security at the following U.S Data Centers:

- Dallas

- Herndon

Access to Rackspace Network Devices (Firewalls, Routers, etc)

Rackspace Policies and Procedures

Some of the things that our customers need to do can be made easier because of this certification by:

Saving time & money during a PCI Assessment Process

Eliminating the need for onsite PCI audits by a Qualified Security Assessor (QSA)

Using a Compliant Hosting Infrastructure

Other things that you need to accomplish in order to become PCI compliant include:

File Integrity

Logging

IDS

Firewall

Quarterly Scanning (through Trustwave)

Server Hardening

Anti Virus (Windows)

Patching

Every time you take advantage of a Rackspace resource to address one of these items, you help reduce the scope of work that you need to accomplish in order to become compliant. While Rackspace offers products to meet the requirements associated with each of the above areas, you must ensure that your configuration meets the PCI Data Security Standard (DSS) v1.1 as it relates to your environment.

Businesses need to look at a number of different methods to deal with things like web attacks, social engineering, identity theft, scams, compliance and plain, old-fashioned theft. Security, Risk Management and Compliance are no longer items to be looked at after big decisions are made. Rather, these three key components should be part of every key decision. Every decision has an inherent level of risk. I do not advocate inserting controls for the sake of controls or compliance just as I do not advocate ignoring risk and hoping that nothing happens. Every good decision should be made by looking at the potential downside of little or no controls and compare that with the potential downside of the cost of controls. The right balance is the right answer (see diagram).

The big question posed by this is “how do I determine risk and the associated costs?” This should not be a complicated issue. You should know your business better than anyone. Because of that, you should know what feels right and what does not. Risk management can be simplified.

Some people look at it as a simple equation: Risk = Threat x Vulnerability x Cost.

Threat is the frequency of potentially adverse events. Vulnerability is the likelihood of success of a particular threat. Cost is the total cost of the impact of a particular threat. If you can reduce the value of any one of these three factors to near-zero, you have reduced your risk to near-zero. The business of risk is really business.

Rackspace takes risk very seriously. Both internally and for our customers. I’m interested to hear how your company deals with risk management and if you’ve ever dealt with companies who were lacking in this department.