Taming the PCI Compliance Monster

Filed in by Jeff Reich | August 25, 2008 11:20 am

The Payment Card Industry (PCI) Data Security Standard (DSS) requires that if you accept, transmit or store credit cardholder data you must meet the requirements contained within the standard. The problem is that many people don’t know what that means. If you deal with credit cards and are required to meet the PCI DSS, my advice is to find a way to limit the scope of your compliance as much as possible. Rackspace recently concluded a two-year effort to receive our PCI Service Provider Report on Compliance (ROC) as a Compliant Level 1 Service Provider from Visa USA.

Rackspace pursued this compliance so that we can provide a PCI Compliant Hosting Infrastructure for our customers. Infrastructure, in this case, includes:

- Physical Security at the following U.S. Data Centers:
  - Dallas
  - Herndon
- Access to Rackspace Network Devices (Firewalls, Routers, etc.)
- Rackspace Policies and Procedures

This certification makes some of the things our customers need to do easier by:

- Saving time & money during a PCI Assessment Process
- Eliminating the need for onsite PCI audits by a Qualified Security Assessor (QSA)
- Using a Compliant Hosting Infrastructure

Other things that you need to accomplish in order to become PCI compliant include:

- File Integrity
- Logging
- IDS
- Firewall
- Quarterly Scanning (through Trustwave)
- Server Hardening
- Anti-Virus (Windows)
- Patching

Every time you take advantage of a Rackspace resource to address one of these items, you help reduce the scope of work that you need to accomplish in order to become compliant. While Rackspace offers products to meet the requirements associated with each of the above areas, you must ensure that your configuration meets the PCI Data Security Standard (DSS) v1.1 as it relates to your environment.

Source URL: http://www.rackspace.com/blog/taming-the-pci-compliance-monster/