If your business is an ecommerce or financial services firm that works with payment card data, PCI DSS compliance should be at the front of your mind when choosing a third-party data centre for cloud or colocation. But how can you ensure a particular data centre makes the grade? Outside of accreditations and self-assessment forms, here’s what you should look out for.
PCI DSS requires you to “verify that access is controlled with badge readers or other devices including authorised badges and lock and key”. This wording is rather generic, so we’d recommend that you also look specifically for multi-factor authentication at entry points and for documented policies and processes for maintaining and reviewing access lists. ISO 27001 certification can also be taken as a sign that a data centre has strong access controls in place.
Unless access to your equipment is monitored on CCTV, and the recordings are retained for a minimum of three months, your data centre isn’t PCI-compliant. Most colocation data centres offer round-the-clock access to customers, so you should look for a provider that offers live 24-hour CCTV monitoring as well, rather than just recorded CCTV footage that is only reviewed after the fact.
Restrict access to equipment
In addition to access controls for the facility itself, a PCI-compliant data centre should have controls in place to prevent unauthorised personnel from tampering with customers’ equipment. As such, access to network jacks, wireless access points and communication lines should be kept as restricted as possible. In our Manchester data centre, we reduce this risk by keeping jacks and networking equipment inside customers’ secure racks and cages rather than in the open data centre halls.
Control of movement
It’s also important to be able to control the movement of visitors and other personnel within the data centre. This can be difficult in a colocation facility, which is normally visited by many different individuals at different times, but it shouldn’t be a problem if the data centre’s access controls and the security of customers’ racks are robust enough.
Some organisations go the extra mile and insist on their own caged areas within their colocation facility. This isn’t a requirement of PCI DSS, but will provide additional peace of mind if any other aspects of data centre security are in doubt.
In any case, you’ll need a secure rack and you’ll need control over who can access it, which may involve coming to an agreement with your provider to place extra restrictions on the movement of its own staff. At our data centre, for example, colocation customers can specifically request which of our personnel, if any, are permitted to access their secure racks and cages, making it simple for them to ensure individuals are trusted and background-checked to specific standards before they touch their equipment.
A trusted partner for PCI compliance
It’s not mandated in PCI DSS, of course, but we’d recommend looking for a cloud or colocation provider with knowledge and experience of PCI compliance. Many will claim to be PCI compliant, but you should look for assurance they understand the finer details of the security standard and how it affects their customers’ business. After all, PCI compliance is difficult – it makes sense to work with someone who knows how to help you do it.