Compliance with the PCI DSS data center requirements is critical to safeguarding sensitive cardholder data (CHD) processed at data centers. Beyond protecting CHD from breach risks, the PCI compliance data center requirements help organizations optimize their PCI data safeguards to the standards required by the PCI DSS. Read on to learn more.
Breakdown of the PCI Compliance Data Center Requirements
To achieve robust security across data centers where CHD is processed, you must implement the minimum controls stipulated by the PCI compliance data center requirements.
To meet the PCI DSS data center requirements, organizations are expected to:
- Secure network connections at data centers
- Safeguard CHD storage at data centers
- Implement physical access controls at data centers
- Conduct routine system and network testing at data centers
If your data center processes sensitive CHD for multiple stakeholders (e.g., merchants, payment card issuers, service providers), compliance with the PCI data center requirements is critical to providing continued security assurance to the stakeholders. Beyond earning the trust of stakeholders, PCI compliance will help protect you from the legal, financial, and reputational consequences of data breaches—especially when working with a PCI compliance partner.
What are the PCI DSS Requirements?
Implementing a framework for meeting the PCI compliance data center requirements and those of the broader PCI Data Security Standard (DSS) starts with defining the PCI DSS Requirements and how they help achieve data security. The PCI DSS v4.0 comprises 12 Requirements:
- Requirement 1 – Establish network security controls
- Requirement 2 – Implement secure system configurations
- Requirement 3 – Secure stored account data
- Requirement 4 – Protect CHD with strong cryptography during transmission over open, public networks
- Requirement 5 – Secure systems and networks from malware
- Requirement 6 – Implement secure system and software environments
- Requirement 7 – Control user access to CHD environments and systems
- Requirement 8 – Implement controls to restrict user access to systems
- Requirement 9 – Establish restrictions on physical CHD environments
- Requirement 10 – Log access to CHD environments
- Requirement 11 – Routinely test the security of networks and systems
- Requirement 12 – Implement an organization-wide PCI security policy
Although the guidelines stipulated by all the 12 PCI DSS Requirements broadly apply to data security optimization at data and call centers, this blog will focus primarily on Requirements 1, 3, 9, and 11, which apply most directly to data centers and data center security.
Secure Networks at Data Centers
The PCI compliance data center requirements guide the implementation of network security controls (NSCs), which serve as the network gatekeepers of sensitive data environments at PCI data and call centers. Specifically, PCI DSS NSCs focused on data centers help:
- Isolate the cardholder data environment (CDE), where CHD is stored, processed, or transmitted, from less sensitive network segments
- Safeguard the internal CDE from potentially malicious external network traffic
The NSCs implemented at data centers typically include:
- Routers with access control capabilities
- Cloud virtual networks
And, when configuring and implementing NSCs, data and call centers must ensure:
- Proper implementation of NSCs based on established rulesets and configuration standards
- Mapping of connections between internal data center networks and other external networks via network diagrams, which should include:
  - Clearly labeled network segments
  - A list of all the network segmentation controls in use
  - Descriptions of system components within and outside of PCI scope
  - Logs of updates installed on systems and networks
- The services and ports used within NSCs have been approved and serve their designated business functions
- Routine reviews of NSC configurations, at least once every six months, to determine their effectiveness
- Secure storage and access control of the NSC configuration files
Implementing network security via NSCs will help address the PCI compliance data center requirements and minimize common PCI network security risks.
Secure All CHD Storage at Data Centers
Per PCI DSS Requirement 3, any CHD stored at data centers must be secured throughout its lifecycle. Specifically, DSS Requirement 3.5 mandates securing primary account numbers (PANs) wherever they are stored. Data centers may be considered primary or non-primary storage locations of PAN, depending on the specific storage system housing the PAN.
The PCI compliance data center requirements classify primary PAN storage locations as databases or flat files such as spreadsheets. Conversely, non-primary storage locations include:
- Backup files
- Audit logs
- Troubleshooting logs
All PAN storage, whether primary or non-primary, must be rendered unreadable wherever it is kept, using cryptographic methods such as:
- One-way hashing
Additionally, the cryptographic keys used to encrypt PAN must be securely stored and managed to meet the PCI compliance data center requirements.
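As an added example (not from the original post), the Python sketch below shows how stored PAN can be rendered unreadable in both primary storage (a database record) and non-primary storage (log lines): a keyed one-way hash (HMAC-SHA256) for matching, BIN-plus-last-four masking for display, and a scrubber for log output. The test PAN, the demo key, the record layout and the log line format are all constructed for this example; in practice the key would be held in an HSM or KMS under Requirement 3 key management.

```python
import hashlib
import hmac
import re

# Constructed test PAN (a well-known Visa test number), not real cardholder data.
TEST_PAN = "4111111111111111"
# Fixed demo key so the example is reproducible. A real key comes from an HSM/KMS
# under Requirement 3 key management and never appears in source code or logs.
DEMO_KEY = bytes.fromhex("6b3a" * 16)

def mask_pan(pan: str) -> str:
    """Display form: first six (BIN) and last four digits kept, the rest masked."""
    digits = pan.replace(" ", "")
    if not digits.isdigit() or not 13 <= len(digits) <= 19:
        raise ValueError("PAN must be 13 to 19 digits")
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]

def keyed_pan_hash(pan: str, key: bytes) -> str:
    """HMAC-SHA256 over the full PAN. An unkeyed digest is not one-way in practice:
    the PAN space is small enough to hash exhaustively, so the secret key is what
    makes the stored value irreversible (PCI DSS v4.0 3.5.1.1 requires keyed hashes)."""
    return hmac.new(key, pan.replace(" ", "").encode("ascii"), hashlib.sha256).hexdigest()

def card_record(pan: str, key: bytes) -> dict:
    """Record for primary storage (database/flat file): masked PAN for display and
    the keyed hash for matching. The clear PAN is never part of the record."""
    return {"pan_masked": mask_pan(pan), "pan_hmac": keyed_pan_hash(pan, key)}

def pan_matches(candidate: str, record: dict, key: bytes) -> bool:
    """Constant-time comparison so lookups do not leak hash bytes via timing."""
    return hmac.compare_digest(keyed_pan_hash(candidate, key), record["pan_hmac"])

# PAN-shaped run of 13 to 19 digits, optionally separated by spaces or hyphens.
_PAN_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")

def scrub_log_line(line: str) -> str:
    """Mask PAN-shaped digit runs before a line reaches non-primary storage
    (audit or troubleshooting logs), so those locations never hold clear PAN."""
    return _PAN_RE.sub(lambda m: mask_pan(m.group(0).replace("-", "")), line)
```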
Control Physical Access to Data Centers
PCI DSS Requirement 9 recommends implementing physical access controls to safeguard CHD at data centers. PCI data center requirements for physical access include:
- Clearly defined processes for implementing physical access controls, ensuring:
  - Organization-wide dissemination of security policies
  - Personnel acknowledgment of roles and responsibilities
- Controlled entry into physical CDE in data and call centers via:
  - Installing badge-level access to physical CDE
  - Monitoring access to physical CDE
  - Implementing physical and logical access controls to minimize unauthorized use of network access points (e.g., network jacks)
- Management and authorization of physical access for all personnel and visitors attempting to enter data centers via:
  - Implementing role-based access
  - Establishing secondary controls (e.g., multi-level access authentication)
- Removal of personnel access following termination or departure from the organization
- Secure storage, distribution, and destruction of media containing CHD at data centers
Implementing physical access controls for data centers will help prevent unauthorized entry into sensitive physical CDE and enhance physical security standards.
Test Systems and Networks at Data Centers
The PCI compliance data center requirements also require data and call centers to routinely test the security of their networks and systems. Testing network and system security at these locations is critical to gaining visibility into your security posture and identifying vulnerabilities before they are exploited.
PCI DSS Requirement 11 recommends the following network and security testing practices:
- Testing for wireless access points to detect and identify unauthorized access points on your internal networks
- Use of vulnerability scanners at least once every three months to assess internal system and network vulnerabilities
- Penetration testing (internally and externally) of data and call center security architecture, ensuring:
  - Testing of the entire CDE perimeter, including within and outside of critical networks
  - Testing of network segmentation controls used to secure CDE
  - Documentation of testing results for future optimization
- Testing the intrusion detection and incident management systems used to manage threats and vulnerabilities, ensuring:
  - Traffic is monitored across critical areas of the CDE and at the perimeter
  - Tracking of incident response effectiveness
When testing physical CDEs, the PCI compliance requirements also recommend using multiple testing methods to cover a wider area of the CDE. More importantly, testing must be an iterative process driven by continuous feedback on which security controls work effectively and which require further optimization.
Working with a PCI compliance partner will help guide testing procedures in preparation for compliance reporting and maintaining year-round compliance.
Enhance PCI Data Center Security
Compliance with the PCI DSS data center requirements will help optimize the security controls you implement at data and call centers and secure the high volumes of sensitive data handled at these facilities. Meeting the standards of the PCI compliance data center requirements is best achieved in partnership with a leading PCI compliance advisor, who will help you mitigate costly data breaches and strengthen your security posture. To learn more, contact RSI Security today!