PCI-DSS Financial Data Security
The PCI Security Standards Council developed the Payment Card Industry Data Security Standard (PCI-DSS), which defines the requirements for protecting payment card data.
What is PCI-DSS?
PCI-DSS is a set of technical and operational security requirements for cardholder data. It is maintained by the PCI Security Standards Council, which was founded by the major payment card brands, and compliance is enforced through those brands and the acquiring banks rather than by law.
PCI-DSS applies to any organization that:
- processes cardholder data,
- stores cardholder data,
- transmits cardholder data, or
- operates systems that are connected to, or could affect the security of, the cardholder data environment (CDE).
The standard consists of 12 core requirements grouped into 6 security goals:
- Build and maintain a secure network and systems
- Protect cardholder (account) data
- Maintain a vulnerability management program
- Implement strong access control measures
- Regularly monitor and test networks
- Maintain an information security policy
When infrastructure is outsourced to a data center or cloud provider, responsibility for individual requirements is split between provider and customer, but accountability for compliance stays with the customer, the entity that actually handles the card data. The split should be agreed in writing and the provider's own compliance evidence (its Attestation of Compliance) kept on file, as Requirement 12.8 expects for third-party service providers. The three scopes below describe how that split looks for each service model.
Physical Scope (Colocation) – “Physical Only”
Overview
This scope covers customers who place their own servers in the provider's data center (colocation). The provider is responsible only for the physical layer; everything running on the hardware, from firmware and operating system upward, is managed and secured by the customer.
Responsibility
Data Center Provider:
- Physical facility security
- Rack access control
- Power redundancy
- Environmental controls
- Physical segmentation
Customer:
- Server configuration
- Operating systems
- Patching
- Firewalls
- Application security
- Data encryption
- User access management
Responsibility Matrix – Physical Scope
Cloud Scope (KVM)
Overview
This scope covers virtual machines on KVM-based infrastructure. The provider manages the physical hardware and the hypervisor layer; the customer manages everything inside the guest, from the operating system to the applications and data.
Responsibility
Provider:
- Physical infrastructure
- Hypervisor (KVM)
- Network segmentation between tenants (virtual network layer; segmentation inside the guest, such as host firewalls, remains part of the customer's system hardening)
- Infrastructure monitoring
Customer:
- Virtual machine configuration
- Operating system
- System hardening
- Application layer
- Data protection
- Encryption
- Access management
Responsibility Matrix – Cloud Scope
Hosting Scope
Overview
The provider manages the infrastructure and, for managed hosting, the operating system as well; the customer manages the application layer, its configuration and the business data it processes.
Responsibility
Provider:
- Infrastructure
- Virtualization
- OS management (if managed)
- Security updates
- System monitoring
- Backup (if included)
Customer:
- Applications
- Application configuration
- Business data
- Compliance of the customer's own PCI-DSS processes (policies, procedures, personnel and the handling of cardholder data within the application)