Summary
The Payment Card Industry Data Security Standard (PCI DSS) is a global information security standard defined by the Payment Card Industry Security Standards Council (PCI SSC). The purpose of the standard is to reduce credit card fraud, which it achieves through increased controls around cardholder data and its exposure to compromise. The standard applies to all organizations that process, store or transmit cardholder information. The purpose of this guide is to explain clearly which areas of PCI DSS Rackspace can assist with, and which responsibilities are solely those of the customer. For more information, please contact Rackspace, the home of Fanatical Support.
Rackspace Ltd
4 The Square, Stockley Park, Uxbridge UB11 1ET Tel +44 (0) 20 8734 2500 Fax +44 (0) 20 8606 6107 rackspace.co.uk
Introduction
Compliance with the Payment Card Industry Data Security Standard (PCI DSS) is mandatory for any ecommerce trader, and finding the right hosting partner is vital to success. While there are many areas of PCI compliance that Rackspace can assist with, customers should always consult a Qualified Security Assessor (QSA) to ensure that they meet all the requirements relevant to their business. In June 2009, Rackspace was accredited by Visa as a Compliant Level 1 Payment Card Industry (PCI) Service Provider. Please note that although Rackspace is a PCI compliant service provider, this does not automatically make our customers PCI compliant: customers should consult a Qualified Security Assessor to clarify any PCI obligations and the steps needed to achieve their own compliance. This document explains each area of PCI compliance that is relevant to a hosted solution at Rackspace, and outlines where the responsibility for each requirement lies, whether with the hosting provider, with the customer, or shared between the two.
REQUIREMENT 1.1.2
Current Network Diagram with All Connections to Cardholder Data, Including Wireless Networks
Overview
Network diagram and topology documents.
Responsibility
Customer is responsible for mapping the flow of cardholder data across the network. Rackspace can provide a network diagram upon request.
REQUIREMENT 1.1.3
Requirement for a Firewall at Each Internet Connection and Between the DMZ and the Internal Network
Overview
Minimise the risk of malicious access to the internal network by implementing a firewall at each internet connection and between the DMZ and the internal network. This should include:
- restricting inbound and outbound traffic to that which is necessary for the cardholder data environment;
- securing and synchronising firewall and router configurations;
- prohibiting internal addresses from being passed to the internet;
- allowing only the necessary protocols;
- stateful packet inspection;
- implementing NAT;
- securing mobile devices that connect to the cardholder environment.
Responsibility
Customer is responsible for incorporating this requirement as a standard within the customer security policy. Rackspace will configure the firewall to meet this requirement upon request from the customer.
REQUIREMENT 1.1.4
Description of Groups, Roles and Responsibilities for Logical Management of Network Components
Overview
Clear assignment of groups, roles and responsibilities can be incorporated into the customer security policy.
Responsibility
In a typical Rackspace PCI customer hosted environment, Rackspace manage the following devices:
- IDS
- Load Balancer
- Firewall (customer can make firewall access rule changes via the customer portal)
The Rackspace support team and selected customer personnel also have access to manage the following devices:
- Servers
Any changes to the customer hosted environment should be initiated by the customer via phone or ticket. All changes to the customer environment should be recorded in a ticket by the Rackspace support team and by the customer. There may be occasions when Rackspace are required to make changes to the corporate infrastructure which may affect a customer hosted environment; however, all such changes are communicated to the customer before they are performed.
REQUIREMENT 1.1.6
Requirement to Review Firewall and Router Rule Sets at Least Every Six (6) Months
Overview
Implement a policy to review firewall and router rule sets, with procedures for performing this task at least every six months.
Responsibility
Customer is responsible for incorporating this requirement into the customer security policy. Rackspace can assist with the review process by providing a dump of the firewall configuration upon request.
Responsibility
Customer is responsible for incorporating a configuration standard into the customer security policy. Rackspace are able to assist customers by providing guidance and advice on hardening systems.
REQUIREMENT 2.1.1
Wireless Environments
Responsibility
Wireless networks are not permitted in the customer hosted environment. Rackspace are responsible for complying with and regularly auditing this requirement.
Responsibility
Customer should document the description of the data and the scope of the cardholder environment, with appropriate controls for processing, transmitting and storing that data. This requirement should be incorporated into the customer security policy.
Responsibility
Customer is responsible for ensuring that all cardholder data that is processed, transmitted or stored is protected, and that the policies and procedures for protecting cardholder data are documented and incorporated into the customer security policy.
Responsibility
Customer is responsible for documenting policies and procedures for key management, which should be incorporated into the customer security policy.
Responsibility
Customer is responsible for ensuring cardholder data is encrypted when transmitted over public networks. Rackspace are an authorised reseller for the Thawte and Verisign Certificate Authorities and can facilitate the purchase and installation of an SSL certificate.
Responsibility
Customer is responsible for incorporating an anti-virus policy into the customer security policy. Rackspace are resellers of Sophos and Symantec anti-virus software (depending on whether the customer is in the Managed or Intensive segment) and can facilitate the installation of anti-virus software with scheduled signature updates. Customers can also choose to manage the updates and logging themselves according to their own requirements.
Responsibility
Customer is responsible for implementing patching policies and incorporating them into the customer security policy. Rackspace subscribes to and monitors operating system vulnerability notifications and will implement critical updates as a matter of urgency using our WSUS or Red Hat Update server. Rackspace test all patches in a contained environment prior to deployment; however, due to the varying nature of customer solutions, this testing cannot cover every scenario or every service and application. Customers have the option to opt out of the patching schedule and perform their own patching. Customer is responsible for managing all other application vulnerabilities.
Responsibility
Customer is responsible for implementing this requirement and incorporating it into the customer security policy. Customer should liaise with developers to ensure information security is incorporated throughout the software development life cycle.
Responsibility
Customer is responsible for implementing a data and access control policy, which is incorporated as part of the customer security policy.
Responsibility
Customer is responsible for implementing controls around media distribution; these should be incorporated as part of the customer security policy. Rackspace is responsible for maintaining strict controls around backup media. All managed backup media is encrypted and moved to a secure vault, with security mechanisms in place throughout the transportation of the media. All other media is prohibited in the data centre unless authorised by the customer through the correct procedures. Rackspace also have a data destruction procedure in place; your account manager can provide further information about this.
Responsibility
Customer is responsible for implementing a policy for the retention and management of log files. Rackspace can facilitate a log management solution; alternatively, the customer can set up their own log management software or hardware.
REQUIREMENT 11.1
Test for Presence of Wireless Networks
Overview
Documented policies and procedures for detecting wireless networks.
Responsibility
Wireless networks are not permitted in the customer hosted environment. Rackspace are responsible for complying with and regularly auditing this requirement.
Responsibility
Customer is responsible for establishing an information security policy (the customer security policy). Rackspace are Service Provider Level 1 PCI DSS certified. While customers drive PCI DSS compliance for their own respective solutions, Rackspace can assist with many aspects of the 12 PCI DSS requirements.