PCI DSS (Payment Card Industry Data Security Standard) compliance refers to a standard that specifies in detail the security controls required to protect cardholder personal data and other confidential information in the e-commerce industry, where credit cards and similar payment cards are used; it is widely adopted in North America.
What exactly is PCI compliance?
PCI DSS is an abbreviation for PCI Data Security Standard, the worldwide information security standard set by the Payment Card Industry Security Standards Council to help control and minimize the points at which sensitive information is exposed to fraud or compromise. PCI compliance means that the policies and procedures by which your business handles that information adhere to the PCI DSS standard.
For a company (service provider or merchant) hosted in a data center to be PCI compliant, it must align its information handling procedures with the PCI DSS requirements and hold an attestation of that compliance.
These principles and requirements are found on the About the PCI Data Security Standard (PCI DSS) page on the PCI Security Standards Council website.
The PCI Security Standards Council, LLC has provided a PCI DSS New Self-Assessment Questionnaire (SAQ) Summary v1.2 to help determine which self-assessment questionnaire (SAQ) is appropriate for your company.
A data center provides facilities in which companies and merchants house the servers they use to conduct their business. In that capacity, the data center provider has specific responsibilities under PCI DSS. A merchant or company located within a PCI compliant data center is not automatically PCI compliant itself. Each merchant or company claiming PCI compliance must have, and be able to provide, its own attestation of compliance, detailing how its procedures for handling sensitive information follow the PCI standard.
Data centers are required to fill out the portions of the SAQ that apply to them, and to provide a “Not Applicable” or “Compensating Control Used” explanation in the Appendix of the SAQ for the rest. As an example, let’s look at a sample of the PCI requirements.
In addition, as per SAQ Validation Type 5 (SAQ D, v1.2):
“The questions for Requirements 9.1-9.4 only need to be answered for facilities with ‘sensitive areas’ as defined here. ‘Sensitive areas’ refers to any data center, server room or any area that houses systems that store, process, or transmit cardholder data. This excludes the area where only point of sale terminals are present, such as the cashier areas in a retail store.”
The following questions are the specific Requirements 9.1-9.4 as listed in the SAQ, which apply to data centers:
- 9.1 Are appropriate facility entry controls in place to limit and monitor physical access to systems in the cardholder data environment?
- 9.1.1.a Do video cameras or other access-control mechanisms monitor individual physical access to sensitive areas?
- 9.1.1.b Is data collected from video cameras reviewed and correlated with other entries?
- 9.1.1.c Is data from video cameras stored for at least three months, unless otherwise restricted by law?
- 9.1.2 Is physical access to publicly accessible network jacks restricted?
- 9.1.3 Is physical access to wireless access points, gateways, and handheld devices restricted?
- 9.2 Are procedures in place to help all personnel easily distinguish between employees and visitors, especially in areas where cardholder data is accessible?
- 9.3 Are all visitors handled as follows:
- 9.3.1 Authorized before entering areas where cardholder data is processed or maintained?
- 9.3.2 Given a physical token (for example, a badge or access device) that expires and that identifies the visitors as non-employees?
- 9.3.3 Asked to surrender the physical token before leaving the facility or at the date of expiration?
- 9.4.a Is a visitor log in use to maintain a physical audit trail of visitor activity?
- 9.4.b Are the visitor’s name, the firm represented, and the employee authorizing physical access documented on the log?
- 9.4.c Is the visitor log retained for a minimum of three months, unless otherwise restricted by law?
The responsibilities of merchants and companies that process sensitive information and are located in a data center, per the SAQ, are summarized as follows:
Build and Maintain a Secure Network
A. Install and maintain a firewall configuration to protect cardholder data
B. Do not use vendor-supplied defaults for system passwords and other security parameters
Protect Cardholder Data
A. Protect stored cardholder data
B. Encrypt transmission of cardholder data across open, public networks
Maintain a Vulnerability Management Program
A. Use and regularly update anti-virus software or programs
B. Develop and maintain secure systems and applications
Implement Strong Access Control Measures
A. Restrict access to cardholder data by business need-to-know
B. Assign a unique ID to each person with computer access
C. Restrict physical access to cardholder data
Regularly Monitor and Test Networks
A. Track and monitor all access to network resources and cardholder data
B. Regularly test security systems and processes
Maintain an Information Security Policy
A. Maintain a policy that addresses information security for employees and contractors
Additional PCI DSS Requirements for Shared Hosting Providers
A. Shared hosting providers must protect the cardholder data environment
By working with each customer, data center providers can ensure a safe, compliant and successful hosting experience. Knowing and understanding what PCI compliance is, and who is responsible for which parts of it, will lead to even more success for all involved in the process.