Maxwell
02-18-2009, 04:41 PM
The best example I can think of would be the web hosting industry.
There is typically a chain of command from the web host to the company that owns the actual website.
It resembles this:
Secure Telco Facility (owned by John Doe)
Web Hosting Company (owned by Sally Smith)
Web Site and Applications (owned by Joe Public)
In the example above I break PCI into 3 levels though there can be more at the top of the chain or at the bottom.
Joe Public has no technical knowledge whatsoever, but he knows he has to be PCI compliant.
So, let's figure Joe Public (our site owner) has made sure their applications are secure. He hired a programmer to secure his web applications. They have also established an in-house policy for their employees in Florida that credit card information is on a need-to-know basis, and can only be accessed by those who have been approved to do so.
Joe Public ran an automated scan on his server and the hosting company owned by Sally Smith, whose company is operated from California, was used to help patch the holes found in the applications that are run at the server level, like Apache, MySQL, DNS server, firewalls, etcetera. This was all performed remotely from California by request of the customer, Joe, in Florida.
The hosting company also locks Joe's server up in a cabinet and only certain people are authorized to access the physical machine. Remember, the hosting company owns the cabinet, the lock for that cabinet, the hardware inside the cabinet, but not the Telco. The web host is located in California. The Telco is located in Colorado and has the web host's equipment located in Colorado.
Joe Public is now PCI Compliant at the Physical Hardware level, the server application level, the web application level, and in-house through his own internal access policies to sensitive cardholder info.
How about the Telco facility in Colorado? Does Joe need to worry about the facility? Does Sally?
Is there a standard that a facility needs to comply with and can they obtain paper to prove that they meet any PCI guidelines? Assuming every major Telco already has a wide range of security in place, like biometric scanners, chicken wire fences, no windows, and strong internal security policies like name badges for employees, only some employees can unlock cabinets owned by whatever hosting companies reside in the Telco vault, etc.
So as part of Joe's path to PCI compliance, does he need to worry about producing PCI compliance papers from the facility the physical hardware is located in?
Remember, Joe leases the server from a host in California, and has no hopes of ever seeing his hardware in person in the Telco in Colorado since he has no vested ownership in either the Telco or the equipment that resides in the Telco vaults.
The host secures the physical machine in a cabinet under lock and key at a Telco. The host can access Joe's hardware, since the host owns it, but only if they produce security badges that prove they are the registered owner of this hardware.
To recap:
Joe is a website owner from Florida. He has programmers to secure his apps, and a hosting company to secure the tangible hardware as well as server applications.
The host leases floorspace in a secure Telco facility in Colorado, and may never need to access the tangible hardware, but often is required to patch the server remotely to keep up to date for PCI standards.
The Telco won't access the hardware or data on the server without direct request, and already has numerous security policies and procedures in place. Their primary role is providing a secure facility and electricity and bandwidth to this host and various others who all operate remotely.
What else, if anything, might the Telco need to do to make sure that our end-user, Joe, is compliant?