The following is an excerpt from our PCI Compliant Data Center white paper, outlining only some of the PCI audited data center requirements. For a full list of the requirements, including high availability, secure network and secure server environment requirements, download our white paper today.

3.1.1.Requirements

3.1.2. PCI Audited Data Center Requirements

The following PCI compliant data center requirements are essential for a multi-layered approach to security and availability of critical data and applications. If outsourcing, ensure your PCI hosting provider offers each of the following:

3.1.2.1. Third Party Independent PCI DSS Audit Report

A PCI hosting provider should be willing to share a copy of their audit report under NDA to ensure they are following compliant policies and procedures. Ask your PCI hosting provider if they can provide a copy of their independent audit report detailing the controls implemented to meet the 12 PCI DSS requirements. According to the PCI Security Standards Council:

For those entities that outsource storage, processing or transmission of cardholder data to third-party service providers, the Report on Compliance (ROC) must document the role of each service provider, clearly identifying which requirements apply to the assessed entity and which apply to the service provider.

Be clear that some of the standards you will be exclusively responsible for; some require mutual effort by your company and the hosting provider; others such as physical security may be the responsibility of only the hosting provider. Make sure you follow your due diligence to ensure all controls are appropriately covered between your company and the hosting provider.

3.1.2.2. PCI Audited Staff and Documented Security Policies

The most secure technologies are rendered useless without a culture of security and process that assures policies and procedures are documented, followed, and independently audited. Review the details of security controls in independent audit reports. They should reflect a solid foundation of secure policies that guide day-to-day operations. Policies should also include change management documentation to outline security updates and protocol after significant changes occur in the company.

All staff should be trained in handling credit cardholder data in a secure manner, as well as trained on how to maintain the physical and environmental security of a PCI compliant data center. PCI requirement 12.6 requires organizations to:

Implement a formal security awareness program to make all personnel aware of the importance of cardholder data security.

Knowing what to do in the event of a data breach is also required by 12.9.4:

Provide appropriate training to staff with security breach response responsibilities.

3.1.2.3. Data Center Security

PCI compliant data centers require physical, network and data security. Physical security means only authorized personnel should have limited access to server racks, suites and cages. Environmental controls should include 24×7 monitoring, logged surveillance, and multiple alarm systems. Dual-identification control access may include the both use of a security badge and code to gain access to restricted areas.

PCI requirement 9.1 states:

Use appropriate facility entry controls to limit and monitor physical access to systems in the cardholder data environment.

As a testing procedure, 9.1 states:

Verify the existence of physical security controls for each computer room, data center, and other physical areas with systems in the cardholder data environment. Verify that access is controlled with badge readers or other devices including authorized badges and lock and key.

Sub-requirements under requirement 9, Restrict physical access to cardholder data, also mandate the use of video cameras and/or access control mechanisms to monitor physical access to sensitive areas; restriction of physical access to network jacks, wireless access points, gateways, handheld devices, and more. There are also specific requirements on how to handle visitors to data centers or facilities with cardholder data.

Network security should protect sensitive infrastructure (managed dedicated servers, cloud servers, power and network infrastructure) by restricted access. Data security dictates that, if outsourcing, your PCI compliant hosting provider should never access credit cardholder data.


Looking for more information on PCI DSS IT requirements, recommendations, and the foundation of a secure PCI compliant data center?

Download our PCI Compliant Data Centers white paper now for a complete guide to PCI hosting with IT vendors. Still have questions? Contact us or chat with us now. Find out more about our fully compliant, PCI hosting solutions, or submit a quote request for your project today.