PCI-DSS Applicability to Hosting Providers and Data Centers

MDCA-final_FINAL-logo-300x199

Recently I was invited to speak in the quarterly meeting for the Malaysian Data Center Alliance (MDCA) regarding the applicability of PCI-DSS to their business.

More and more we are getting questions from traditional data center and hosting businesses on whether they should go for PCI-DSS and whether we can help them.

Here’s a quick FAQ for these businesses:

a) Why do Data Centers need PCI?

Actually – you don’t. PCI-DSS is applicable to businesses dealing with payment card data – storing, transmitting and processing. These are probably your clients – and in general, where they need to be PCI certified, they want to ensure their ‘providers’ – such as yourself – are certified as well.

The pressure for compliance does not come from the payment brands for data centers – instead in almost all cases, they come from the customer themselves.

b) So what benefit do I get from PCI?

The move of hosting providers to become PCI compliant is in parallel to the move of businesses to offload their servers and infrastructure to the ‘cloud’, or to third party providers to host their applications. The cost savings vs building their own data centers from ground up makes sense to most entities, except for large payment companies and banks. Even so, some of these larger entities will outsource their disaster recovery site to a third party – and if they deal with credit card, then that DR site needs to be compliant as well.

c) So should I be spending money on this compliance?

From a data center perspective, there is no direct requirement to be PCI compliant. However, if their customer is going for PCI-DSS compliance, and the data center is NOT compliant, then the data center is obligated to participate in the customer’s PCI program. While this might be manageable for a small group of customers, the idea of managing multiple customers projects and participating in such projects over the long run is not feasible. Therefore, more and more data centers and hosting providers are moving to become ‘PCI Certified’ themselves. Doing so, basically requires them to just show their certificates to their clients instead of participating in their individual compliance programs. Some of the largest success stories of PCI certified hosting/infra are Amazon Web Services and Microsoft Azure Trust Center.

d) SO…how much will it generally cost?

This is very subjective because even hosting providers and DCs have scope. However, the general rule of thumb is that the less visibility you have on card data and less services you offer, the less it will cost. For instance – if a data center only offers M&E and Physical room for client. This against another data center that offers those AND an internet gateway to get out and IPS/IDS, firewall etc. The latter DC will be up against Requirement 1, requirement 3, requirement 9 and other related requirements, while the first one will probably just need to deal with Requirement 9. You could be looking anywhere between RM30K – RM40K for the entire compliance program. (Gap, Remediation, Certification, Scans etc)

This might sound like an awful lot, but the whole program consist of two assessments from QSA (Gap and Cert) and a whole lot of other services during remediation. A typical onsite security assessment is around 18 – 20K already from any of the big 4 firms. And they usually just send their juniors who are just out of college and generally still staying with their parents. Here you get a full fledge QSA and director or senior management level guys supporting the audit. We take it extremely seriously, and we don’t send out pencil pushers with a little checkbox and hardly a stubble under their chin. Penalty for PCI is very very serious and we need to ensure all our clients get the best possible support.

e) Are you open for a quick meeting onsite?

Of course. Drop me an email at pcidss@pkfmalaysia.com and we will get working on it!

Leave a Reply