• Sales: 1-800-961-2888
  • Support: 1-800-961-4454

PCI Frequently Asked Questions


How do I know if PCI applies to my business?

If your business accepts credit cards, whether over the internet or on paper, then PCI applies to your business. The general rule is that if you process, store or transmit cardholder data, you must adhere to the Payment Card Industry Data Security Standard v1.2 (PCI DSS v1.2). As applied to shared hosting, this rules out maintaining cardholder data (the primary account number, and any sensitive authentication data) in a multi-tenant environment.

How do I prove to my bank or my customers that my business is PCI compliant?

Depending on the number of transactions performed annually, merchants and service providers must have quarterly external vulnerability scans performed by an Approved Scanning Vendor (ASV) and must either complete a Self-Assessment Questionnaire (SAQ) or have a Qualified Security Assessor (QSA) audit the business entity against the PCI DSS and produce a Report on Compliance.

Visit Visa’s website below to learn more about the various Merchant and Service Provider levels. http://usa.visa.com/merchants/risk_management/cisp_overview.html

Next, go to the PCI Security Standards Council website at: https://www.pcisecuritystandards.org/saq/instructions_dss.shtml#navigating

On this page you will find the self-assessment questionnaires. There are five self-assessment questionnaires, each covering a different way of handling card data (for example, fully outsourced processing versus card data handled on your own systems), so make sure you determine which questionnaire applies to your business.

If I use a payment processor for all of my credit card processing and storage do I still have to comply with the PCI DSS?

Yes. Outsourcing processing and storage to a payment processor reduces the scope of your assessment, but it does not remove your obligation to comply. Contact your acquiring bank or payment processor to determine their expectations for your business and which questionnaire they want you to complete.

What can happen if I choose not to comply with the PCI DSS?

If you choose not to comply with the PCI DSS then you risk:

  • Potentially being fined by your acquiring bank
  • Potentially being restricted from accepting credit cards as a payment method
  • A system compromise, potentially resulting in fines and/or restrictions

Is Cloud Sites PCI-compliant?

Because Cloud Sites is a multi-tenant environment it is not PCI-compliant, and cardholder data must not be stored or processed on it. A Cloud Site can, however, be used as a flexible front-end to a payment gateway, with the gateway handling the card data. For more information, see this article on utilizing Cloud Sites in an e-commerce solution.



© 2011-2013 Rackspace US, Inc.

Except where otherwise noted, content on this site is licensed under a Creative Commons Attribution-NonCommercial-NoDerivs 3.0 Unported License



7 Comments

I would like to know if Rackspace provides a Cloud or dedicated server service for PCI compliance? I would also like to know if Rackspace provides IPS, UTM, SIEM, FIM services. Please let me know.
Thank you.

Most PCI compliance does require dedicated hardware and/or a third party gateway. I'd recommend calling our sales number at the top of this page so they can give you more detailed information.

As a happy Rackspace Cloud customer I hate to mention this, but other cloud providers have gotten their cloud solutions to be PCI compliant, even though it's a multi-tenant environment. So cloud hosting itself isn't the issue, it's that the provider (Rackspace) has to make their infrastructure PCI compliant. Unfortunately for PCI situations I'll likely have to use other providers, because Rackspace Cloud is a fail on the SAQ-C questionnaire...

I am totally confused. According to the VISA Global Registry of Service Providers search, Rackspace Limited hosting service was PCI certified on Jul 31, 2012 by a QSA. Do a search here
http://www.visa.com/splisting/searchGrsp.do

and in a 2009 news release, it says PCI-DSS Level 1 certified. What am I missing?

http://www.rackspace.co.uk/media-centre/news/article/rackspace-enhances-security-with-pci-accreditation/

I just read on the RackSpace blog that RackSpace is PCI compliant: http://www.rackspace.com/blog/the-many-faces-of-cloud-security/. Is this true?

Hi all, my name is Jarret Raim and I'm the Cloud Security Product Manager here at Rackspace. I wanted to try to clear up some of the confusion here. Hopefully, I can help.

Rackspace maintains two PCI compliance regimes.

1. The first is our merchant compliance that you see listed on the VISA site. This compliance allows us to process credit cards for our services, but does not have any impact on a customer's solutions being compliant.

2. The second is our Service Provider compliance. This allows us to present evidence that our customers can use to run PCI compliant solutions on our services. Currently, Rackspace offers Service Provider compliance for dedicated and RackConnect environments. We are in the process of expanding that coverage to our Public Cloud and Managed Virtualization offerings.

Rackspace offers various services through our partners in dedicated, public and private cloud offerings. You can review the Cloud Tools partners here (http://www.rackspace.com/cloud/tools/) for tools like CloudPassage that can be used to meet the File Integrity Monitoring (FIM) requirements in PCI, as well as many other tools for various security needs.

In the dedicated space, we offer products for intrusion detection (IDS/IPS), log management, vulnerability scanning, anti-virus, denial of service protection and many other needs. I would encourage you to contact your sales representative to get a complete list of the products that would be appropriate for your solution.

Hopefully this clears up some of the confusion. If you have any questions, feel free to contact me at jarret.raim@rackspace.com or your Rackspace rep through ticket, phone or chat.

Hi,
Are customers hosting their ecommerce sites on dedicated servers with you also required to have merchant PCI compliance?
