Disaster Recovery & Backup with PCI Hosting Providers

I wrote about PCI compliant hosting data storage guidelines last week, and about transparency with PCI cloud hosting providers in July, but not much focus has been placed on PCI DSS requirement 12.9.1, which requires organizations to create an incident response plan for use in the event of a system breach.

For a PCI hosting provider, that translates into offsite backup and disaster recovery as the complete incident response solution, ensuring that data and applications remain safe should any issue with availability or uptime arise. Some PCI hosting providers will require you to set up, monitor, and maintain your own backups, so it's important to check their ability to fulfill the actual requirements while searching for a complete solution.

What does the actual requirement entail? The PCI DSS incident response plan requires:

  • Roles, responsibilities, communication and contact strategies in the event of a system compromise
  • Specific incident response procedures
  • Business recovery and continuity procedures
  • Data backup processes
  • Analysis of legal requirements for reporting compromises (for example, amount of time to notify, who to notify, state laws, industry laws, etc.)
  • Coverage and responses of all critical system components
  • Reference or inclusion of incident response procedures from the payment brands

This means creating an incident response team with designated roles and responsibilities, including a head Risk Management and Security Officer who oversees incident response operations. Online Tech's Director of Operations also serves as our Risk Management and Security Officer, and all new and current employees have received security training per compliance requirements.

[A complete disaster recovery and backup plan is also ideal for healthcare organizations that need to meet HIPAA compliance. Read more about this in our HIPAA Compliant Hosting white paper].

Data at rest, including on portable digital media, backup media and in logs, must be encrypted, per PCI DSS requirement 3.4. Below is a diagram of Online Tech's offsite backup service, which can be found in our PCI Compliant Hosting white paper along with the other requirements you should expect your PCI hosting provider to meet:

[Diagram: Offsite Backup]

Recommended Reading:
Incident Response and 2012 Cyber Threats & Security (Upcoming free webinar)
PCI Compliant Hosting: Data Storage Guidelines
PCI Compliant Data Center Requirements
Transparency with PCI Hosting Providers: Not Always Included

References:
PCI DSS Requirements and Security Assessment Procedures, Version 2.0 (PDF)

This entry was posted in Disaster Recovery, PCI Compliance.