PCI COMPLIANCE FAQ
C7 Data Centers is a PCI Compliant data center provider. C7 Data Centers understands the importance of PCI Compliance, and has taken proactive steps to ensure that our data center facilities meet the strictest interpretation of the PCI Data Security Standard.
What is the difference between PCI Compliance, PCI DSS and the PCI Data Security Standard?
PCI DSS is an abbreviation for PCI Data Security Standard, the worldwide information security standard set by the Payment Card Industry Security Standards Council to help control and minimize points of risk for fraud or compromise of sensitive information. PCI Compliance is the adherence of the way your business handles information to the PCI DSS.
What does it mean for a service provider or merchant to be PCI Compliant?
The PCI DSS is organized into a group of principles and requirements. To be PCI Compliant means to conform your information handling procedures to the PCI DSS requirements, and to have an attestation of compliance.
These principles and requirements are found on the About the PCI Data Security Standard (PCI DSS) page on the PCI Security Standards Council website.
The PCI Security Standards Council, LLC has provided a PCI DSS New Self-Assessment Questionnaire (SAQ) Summary v1.2 to determine which SAQ is appropriate for your
What are the PCI Compliance responsibilities for merchants and companies located in a data center?
Build and Maintain a Secure Network
- Install and maintain a firewall configuration to protect cardholder data
- Do not use vendor-supplied defaults for system passwords and other security parameters
Protect Cardholder Data
- Protect stored cardholder data
- Encrypt transmission of cardholder data across open, public networks
Maintain a Vulnerability Management Program
- Use and regularly update anti-virus software or programs
- Develop and maintain secure systems and applications
Implement Strong Access Control Measures
- Restrict access to cardholder data by business need-to-know
- Assign a unique ID to each person with computer access
- Restrict physical access to cardholder data
Regularly Monitor and Test Networks
- Track and monitor all access to network resources and cardholder data
- Regularly test security systems and processes
Maintain an Information Security Policy
- Maintain a policy that addresses information security for employees and contractors
Additional PCI DSS Requirements for Shared Hosting Providers
- Shared hosting providers must protect the cardholder data environment
What does it mean for a data center colocation provider to be PCI Compliant?
A data center provides the facility in which companies and merchants conduct their business. In that capacity, the data center provider has specific responsibilities that have to be PCI Compliant. A merchant or company that is located within a PCI Compliant data center is not thereby PCI Compliant; each merchant or company claiming PCI Compliance must have, and be able to provide, its own attestation of compliance.
Data centers are only required to fill out the portions of the SAQ self-assessment that apply, and to provide a “Not Applicable” or “Compensating Control Used” explanation in the Appendix of the SAQ.
In addition, as per SAQ Validation Type 5 (SAQ D, v1.2):
“The questions for Requirements 9.1-9.4 only need to be answered for facilities with “sensitive areas” as defined here. “Sensitive areas” refers to any data center, server room or any area that houses systems that store, process, or transmit cardholder data. This excludes the area where only point of sale terminals are present, such as the cashier areas in a retail store.”
The following questions are the specific listed Requirements 9.1-9.4 for data centers:
9.1 Are appropriate facility entry controls in place to limit and monitor physical access to systems in the cardholder data environment?
9.1.1(a) Do video cameras or other access-control mechanisms monitor individual physical access to sensitive areas?
9.1.1(b) Is data collected from video cameras reviewed and correlated with other entries?
9.1.1(c) Is data from video cameras stored for at least three months, unless otherwise restricted by law?
9.1.2 Is physical access to publicly accessible network jacks restricted?
9.1.3 Is physical access to wireless access points, gateways, and handheld devices restricted?
9.2 Are procedures in place to help all personnel easily distinguish between employees and visitors, especially in areas where cardholder data is accessible?
9.3 Are all visitors handled as follows:
9.3.1 Authorized before entering areas where cardholder data is processed or maintained?
9.3.2 Given a physical token (for example, a badge or access device) that expires and that identifies the visitors as non-employees?
9.3.3 Asked to surrender the physical token before leaving the facility or at the date of expiration?
9.4(a) Is a visitor log in use to maintain a physical audit trail of visitor activity?
9.4(b) Are the visitor’s name, the firm represented, and the employee authorizing physical access documented on the log?
9.4(c) Is the visitor log retained for a minimum of three months, unless otherwise restricted by law?