If you’ve decided to outsource PCI compliant hosting to a third party, you’ll need to look for certain indicators of compliance to ensure you’re doing your due diligence. Investing time before signing a contract can prevent a data breach that may result in costly fines, reputation damage, customer loss, litigation fees and more. Asking the right questions now, instead of after an incident, benefits your company in the long run.
These questions are included in our PCI Compliant Hosting white paper available for download. Those questions include:
1. What portions of the 12 PCI DSS requirements am I responsible for, which do you cover, and which are we both responsible for?
Establishing roles and responsibilities in writing lets you cover all of your bases and leaves no requirement unowned. If a breach occurs and an investigation ensues, you remain accountable as the merchant for any requirement that neither you nor your hosting provider covered. PCI DSS itself expects this: Requirement 12.8 calls for a written agreement in which the service provider acknowledges responsibility for the cardholder data it handles, so ask for a responsibility matrix that maps each of the 12 requirements to you, the provider, or both.
Read the PCI DSS Requirements and Security Assessment Procedures, Version 2.0 (PDF) from the PCI Security Standards Council for a complete list of requirements.
While some hosting providers claim to provide the complete package, they may not include everything that is required under PCI DSS, and may charge extra for the missing pieces. Ask to see an itemized list of services and confirm which requirements each one covers. For example, do they offer a complete offsite backup and disaster recovery solution? Does their log monitoring service meet the requirement for daily log review and analysis (Requirement 10.6), and does it retain at least one year of audit history with three months immediately available (Requirement 10.7)?
3. What timeframe do you promise clients for breach notification?
Time is particularly important when it comes to breach notification. If a PCI hosting provider doesn’t notify you within a defined period after learning of a breach in your environment, your customers and clients are at serious risk: data thieves get more time to misuse financial information, and the compromise may go unnoticed. Get the notification window, the contact path, and what counts as a reportable event written into the contract rather than relying on a verbal promise.
4. Who performed your independent PCI audit and do you provide copies of the audit report?
A PCI hosting provider that cannot or will not share evidence of its assessment should set off red flags. The full Report on Compliance (ROC) is often treated as confidential, so at a minimum expect a current Attestation of Compliance (AOC) signed by a Qualified Security Assessor (QSA), and check that its assessment date is recent and that its stated scope actually includes the hosting services you are buying. Full transparency is essential with a hosting provider, especially if you plan to trust them with cardholder data and other confidential information.
5. What policies and technologies are used to protect my applications and cardholder data?
Again, similar to question #2, knowing the specific function of the technologies used to protect your apps and data (firewalls and segmentation, encryption of cardholder data at rest and in transit, file integrity monitoring, anti-virus, vulnerability scanning, and so on) gives you further insight into the actual security of your environment. It lets you match known vulnerabilities with a control, and pinpoint any that haven’t been covered.
6. If disaster strikes, how long will it take before all applications and data are available again?
Faster recovery and restored app/data availability minimize the financial impact of a breach or disaster on your company. Ask for the provider’s recovery time objective (RTO) and recovery point objective (RPO) in writing, and whether those figures have been tested, rather than accepting a general assurance.
7. Do you share a copy of your documented policies and procedures?
This gives you transparency into a hosting provider’s protocols and how their day-to-day operations work to protect your apps and data. It is also very useful in the event of a breach to have their documented policies and procedures on hand for legal purposes, so you can show what the provider committed to and compare it against what actually happened.
8. Are your employees trained to handle cardholder data and comply with PCI DSS standards?
Many breaches are a result of human error. Educating personnel on security policies significantly cuts down on human error, and it is a requirement of PCI DSS (12.6 – Implement a formal security awareness program to make all personnel aware of the importance of cardholder data security). Ask how often training is delivered and whether the provider can show attendance records, since the assessor will ask for the same evidence.
If you want to read the rest of the paper, including outsourcing benefits and risks, required PCI compliant data center components with diagrams and more, download the white paper now.