I wrote about PCI compliant hosting data storage guidelines last week, and transparency with PCI cloud hosting providers in July, but not much focus has been placed on PCI DSS requirement 12.9.1, which requires organizations to create an incident response plan to be implemented in the event of a system breach.
For a PCI hosting provider, that translates into offsite backup and disaster recovery, which cover the data backup and business recovery portions of the plan and keep data and applications available if an outage or compromise occurs. Backup and disaster recovery on their own do not satisfy 12.9.1, though: detection, containment, and the breach reporting analyzed under the legal-requirements item remain your responsibility, and the provider's role in each should be spelled out in the plan. Some PCI hosting providers will also require you to set up, monitor, and maintain your own backups, so check a provider's ability to fulfill the actual requirements before settling on a solution.
What does the actual requirement entail? PCI DSS 12.9.1 requires the incident response plan to address, at a minimum:
- Roles, responsibilities, and communication and contact strategies in the event of a compromise, including notification of the payment brands
- Specific incident response procedures
- Business recovery and continuity procedures
- Data backup processes
- Analysis of legal requirements for reporting compromises (for example, amount of time to notify, who to notify, state laws, industry laws, etc.)
- Coverage and responses of all critical system components
- Reference or inclusion of incident response procedures from the payment brands
Create an incident response team with designated roles and responsibilities, headed by a Risk Management and Security Officer who oversees incident response operations. At Online Tech, the Director of Operations also serves as our Risk Management and Security Officer, and all new and current employees have received security awareness training as the standard requires.
Requirement 3.4 requires the primary account number (PAN) to be rendered unreadable anywhere it is stored, including on portable digital media, backup media and in logs, using one-way hashing, truncation, index tokens and pads, or strong cryptography with the keys protected under requirement 3.5. Encrypted offsite backups are one way to meet this, but log files and backup catalogs that still carry full PANs in the clear are a common gap. A diagram of Online Tech's offsite backup service appears below; it is taken from our PCI Compliant Hosting white paper, which also details the other requirements you should expect your PCI hosting provider to meet.
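Requirement 3.4 names the acceptable ways to render a stored PAN unreadable; the example below is added here to show two of them applied to the "in logs" and "backup media" cases, and is not code from Online Tech or the PCI SSC. It uses only the Python standard library, the log lines are constructed for the example using public test card numbers, and the HMAC key is a hypothetical placeholder generated on the fly rather than one drawn from a real key management process.

```python
import hashlib
import hmac
import re
import secrets

# Heuristic PAN matcher: 13-19 digits, optionally separated by single spaces
# or dashes, and not immediately preceded or followed by another digit.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn check: rejects digit runs (timestamps, order IDs) that are not PANs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def truncate_pan(digits: str) -> str:
    """Truncation: keep at most the first six and last four digits."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def hash_pan(digits: str, key: bytes) -> str:
    """Keyed one-way hash (HMAC-SHA256) of the full PAN, e.g. as a lookup key
    in a backup index. The key is a secret and must be protected like any
    other cryptographic key (requirement 3.5)."""
    return hmac.new(key, digits.encode("ascii"), hashlib.sha256).hexdigest()


def scrub_log_line(line: str) -> str:
    """Replace every Luhn-valid PAN in a log line with its truncated form."""
    def replace(match):
        digits = re.sub(r"[ -]", "", match.group(0))
        if not luhn_ok(digits):
            return match.group(0)        # not a card number, leave untouched
        return truncate_pan(digits)
    return PAN_RE.sub(replace, line)


def scrub_log(lines):
    """Scrub a whole log before it is written to disk or backup media."""
    return [scrub_log_line(line) for line in lines]


# Constructed sample log lines using public test card numbers, not real PANs.
SAMPLE_LOG = [
    "2012-01-31 12:00:00 auth ok pan=4111 1111 1111 1111 amount=10.00",
    "2012-01-31 12:00:05 auth ok card=5500000000000004 order=1234567890123",
    "2012-01-31 12:00:09 refund pan=378282246310005 reason=duplicate",
]

if __name__ == "__main__":
    for scrubbed in scrub_log(SAMPLE_LOG):
        print(scrubbed)
    # Hypothetical key, generated here only so the example runs offline.
    key = secrets.token_bytes(32)
    print(hash_pan("4111111111111111", key))
```

The regex is a heuristic and the Luhn check only filters out obvious false positives, so treat this as a detective control layered on top of not logging the PAN in the first place. Also note the caveat in 3.4 itself: if both the truncated and the hashed form of the same PAN exist in your environment, an attacker who obtains both can reconstruct the original, so keep them apart or add controls to ensure they cannot be correlated.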
Related posts and references:
- Incident Response and 2012 Cyber Threats & Security (upcoming free webinar)
- PCI Compliant Hosting: Data Storage Guidelines
- PCI Compliant Data Center Requirements
- Transparency with PCI Hosting Providers: Not Always Included
- PCI DSS Requirements and Security Assessment Procedures, Version 2.0 (PDF)