In today's computing environments, system, network and data security are no longer features; they are requirements. IT infrastructures are under constant attack from third-parties ranging from mischievous hackers who bolster their reputations by their accomplishments to criminals who desire to misappropriate information for illegal purposes. A variety of industry guidelines and regulations have been promulgated to assure that enterprises that process, store or transmit personal and financial data do so in a prudent manner that will thwart the efforts of the offending third parties.
Enterprises engaged in the healthcare and employee benefit industries were the early adopters of heightened system, network and data security through requirements associated with HIPAA in 1996. Since that time, Gramm-Leach-Bliley, Sarbanes-Oxley, 21 CFR Part 11, California's SB 1386 and AB 1950 and many others have tightened policies and procedures and raised expectations regarding information security.
In December 2004, the Payment Card Industry (PCI) adopted the most stringent and comprehensive set of security standards to date PCI DSS (Data Security Standard). PCI DSS provides a guideline to help organizations that process card payments prevent credit card fraud, hacking and various other security issues. Companies that process, store or transmit credit card numbers or card holder information must be PCI DSS compliant or risk losing the ability to process credit card payments. Merchants and Service Providers must validate compliance annually with an audit by a PCI DSS Qualified Security Assessor (QSA). The intentions of PCI DSS are clear to create an additional level of protection for customers by ensuring merchants meet minimum levels of security when they store, process or transmit cardholder data.
WHY UTILIZE A PCI COMPLIANT DATACENTER?
The simple answer is assurance assurance that a computing environment will be designed, implemented and managed in a state-of-the-art manner to protect valuable information to the maximum extent possible.
Specific outcomes that result from an implementing PCI DSS are:
* Policy Formulation and Adherence PCI DSS requires the comprehensive development and documentation of information security policies. Informal and undocumented operating practices are identified, and policies are established to provide heightened security in every aspect of a computing environment. Ongoing maintenance of these policies is required at least annually, and reviews are conducted periodically to assure actual operations align with specified objectives. While the primary responsibility for the development and maintenance of these policies resides with the client, a PCI compliant data center has valuable expertise that can assist in the creation and evaluation of data security policies and procedures.
* Design and Configuration Systems, networks and databases are planned and implemented utilizing the highest of security policies, standards and procedures. Internal and external access is evaluated, and only those parties who have a documented need-to-access are granted permission into a PCI compliant environment. Dedicated compliant zones segregated by robust firewalls and access controls are features consistent with PCI compliant hosting.
* Implementation The use of standards and thorough documentation are fully incorporated during the implementation phase. Server, firewall and database configurations are specified during the design phase, and followed by PMO staff during implementation with any change or variance recorded. Actual computing environments mirror the detail design as specified during the configuration process.
* Management and Maintenance Segregation of operational duties along with detailed and documented change management protocols are hallmarks of a PCI compliant environment. A PCI compliant data center provides the actual and virtual segregation of personnel necessary to achieve the desired control, as well as insist that robust change management procedures be followed in order to revise, update, and maintain the computing environment.
* Reporting and Review Numerous oversight and auditing tasks occur within a PCI compliant data center to assure actual operations are consistent with specified policies. These reviews range from detail analysis of server logs to post-audit of equipment documentation. A PCI compliant data center is also available to assist in compliance reviews and third-parties audits that a client may have to undergo.
WHY CHOOSE GSI as your PCI COMPLIANT DATA CENTER?
* Experienced GSI was the first managed hosting provider validated by VISA as a PCI (previously CISP) compliant service provider. GSI has been hosting PCI compliant clients longer than anyone.
* Comprehensive Many data centers provide portions of PCI required services, but very few address the full requirements of PCI DSS. GSI handles 70% of the objectives and sub-requirements listed in the PCI DSS, and if the policy requirements (which are normally a client's responsibility) are extracted, GSI handles 80% of the remaining PCI DSS requirements.
* Knowledgeable Five years of PCI hosting experience coupled with a varied clientele has allowed GSI to develop a deep knowledge of data security. GSI manages multiple server, network and database environments in a PCI compliant fashion every day. PCI compliance is integrated into the very fabric of GSI's operations and is not a bolt-on like many other hosting providers. Many of GSI's personnel attend PCI industry conventions and participate in periodic training sessions on PCI and data security.
* Capable The entity that wrote most of the PCI DSS requirements has selected GSI to be their only third-party hosting provider.
* Committed GSI recognizes the importance of PCI DSS to clients and clients' customers, and expends the effort necessary to assist clients in obtaining and maintaining PCI compliance. GSI is serious about operating in a compliant fashion even to the point of disagreement with changes a client is proposing that would affect the client's PCI validation.