Cogeco Peer 1 PCI DSS Compliance. Overview

Transcription

1 Cogeco Peer 1 PCI DSS Compliance Overview Cogeco Peer 1 provides Payment Card Industry Data Security Standards (PCI DSS) compliant Managed Hosting in select datacenters, facilitated by the availability of purpose-built administrative zones within these data centers that serve as a trusted source for customer PCI DSS systems. This enables customers to run a compliant solution that includes management of servers, load balancers, firewalls, switches, and other components that when undergone the proper PCI DSS Level 1 Audit conducted by the customer s Qualified Security Assessor (QSA). For ordered services that specify PCI DSS Compliance, Cogeco Peer 1 will provide PCI-Compliant managed hosting services. For customers, this means the following: Solutions will be built in secure physical data center facilities Managed patching will be available for services Windows antivirus will be available for appropriate services Hardened OS builds that meet CIS (Centre for Internet Security) benchmarks 1 Log monitoring of all administrative infrastructure File integrity monitoring of all administrative infrastructure Intrusion detection of all administrative infrastructure 1 In compliance with PCI DSS Requirement 2, Cogeco Peer 1 has developed and documented a hardened RHEL 5 & 6 build / Windows OS that meet CIS benchmarks. The actual build does not form part of the Attestation of Compliance (AOC) and each customer needs to confirm independently, and with their QSA if not being self-assessed, that the build meets their particular PCI requirements. Cogeco Peer 1 will maintain the build and be aware of any changes recommended by the (CIS) and implement accordingly.

2 PCI-Compliant Managed Hosting What Cogeco Peer 1 delivers as a part of PCI-Compliant Managed Hosting All policies regarding activities up to the point that services are turned over to customers in order to comply with current PCI DSS requirements. Temporary passwords for PCI compliant services are provided to customers via phone upon turning over services to customer, and customers are required to immediately change those passwords. All access to customers systems by Cogeco Peer 1 is encrypted, and protected by two factor authentication, with all access logged and monitored. Penetration and vulnerability testing of administrative infrastructure occurs on a regular basis. All internal infrastructures in scope for PCI are kept up to date with system patches. All drives from PCI compliant systems are wiped or destroyed upon decommission, including SAN drives, if applicable. Cogeco Peer 1 will ping and port check monitor PCI systems, but may not perform any action that requires logging into customer system, as customer passwords are not stored at Cogeco Peer 1. Cogeco Peer 1 will attempt to contact customer upon successive ping or port check failures, in an attempt to assist in remediation of condition causing the failure. Cogeco Peer 1 will document, maintain, and update the functional and security configuration standards of repositories for relevant supporting systems used by standard services and/or servers purchased by the customer as a value added service. Customer is free to patch from other sources if these are not available or where they have a business requirement to do so. Available Datacenters PCI compliant managed hosting is available in the following Cogeco Peer 1 datacenters: Atlanta Miami Los Angeles Portsmouth Toronto Customer Responsibilities Customers are ultimately responsible for understanding and meeting their acquiring financial institution or payment card brand s specific PCI requirements. Customers are responsible for completing all compliance requirement documents required by their acquiring financial institution or payment card brand, including any self-assessment questionnaire. Customers are required to change their passwords immediately upon receipt of service from Cogeco Peer 1. Customers must obtain user-level certificates for use with two factor authentication, and only access their systems with two factor authentication. Customers must encrypt their application data, in line with PCI DSS requirements, and manage their own encryption keys. Customer is responsible for reviewing security bulletin patches and ensuring that any recommendations that are applicable to Customer s environment are reviewed and implemented as necessary. Customers must accept/apply regular system updates, in line with PCI requirements. 2

3 Standard Services for PCI Compliance Cogeco Peer 1 offers the following services as our standard PCI DSS Compliant hosting solution to assist customers to meet their full PCI requirements. 2 Relentless Intrusion Detection Log Management and Review Service Vulnerability Scanning Web Application Firewall services Cogeco Peer 1 will work with you to make sure your unique PCI needs are met, and in the event our standard solution does not fit your requirements, you may customize your solution to suit your business needs. PCI Managed Firewall Description Installed and managed by Cogeco Peer 1 Defined set of default firewall rules, with no admin ports available via Public Internet only via jump box and two factor authentication Copy of documented configurations/rule set is kept by Cogeco Peer 1 Customer business justification required for opening up additional ports / rule changes Cogeco Peer 1 will advise if requested change may be detrimental to customer security All changes are documented and base lined against original configuration Only team leaders and senior members are able to sign off changes to the Firewall rules Process All requests for firewall modifications should be made via by an authorized technical contact. If requested via logging into and submitting request no further validation is required. If requested via into an response confirming the change needs to be acknowledged by the customer prior to making any changes. If submitted via the account managers into an response confirming the change needs to be acknowledged by the customer prior to making any changes. 2 These are recommended products and services that are compatible when suitably configured in a PCI solution but they are not part of the Cogeco Peer 1 AOC. These services are PCI DSS Compliant via partnership agreements and the vendor s AOC is kept on file with Cogeco Peer 1. Customers must independently confirm with their QSA that the elements in the solution meet their PCI requirements. 3

4 Service Delivery Matrix The following service delivery matrix summarizes the respective responsibilities of Cogeco Peer 1 and customers of Cogeco Peer 1 s Managed Hosting Services. Component Customer Responsibilities Cogeco Peer 1 Responsibilities Datacenter 3 None 3 Installation 3 Maintenance 3 Security Network 3 None 3 Installation 3 Maintenance 3 Security Cogeco Peer 1 3 None 3 Installation Installed Hardware: 3 Configuration 3 Server Hardware 3 Firewalls 3 Load Balancers 3 Switches 3 Network Storage 3 Web Application Firewalls Server OS 3 Maintenance 3 Security Service Objective 3 100% Power and HVAC SLA 3 100% Network Uptime SLA 3 1 hour hardware replacement SLA business day initial provisioning objective (dependent on complexity of the environment) o 3 business days for 7 or fewer basic servers o Additional time required for provisioning load balancers, hardware firewalls, clusters and network storage. o Additional 7 business days for PCI compliance 3 24 hour firewall rule change objective 3 4 hour firewall emergency rule change objective 3 24 hour load balancer standard configuration change objective 3 4 hour load balancer emergency rule change SLA 3 Installation 3 Hardened OS installation using CIS approved benchmarks. 4

5 How to Open an Online Ticket 1. Go to and enter your domain name and secret word into the log on box. 2. Click on the Managed Services tab. 3. Click on the Support link from the sub-navigation bar. 4. Click on Request Support from the drop-down menu. 5. The Request Support Ticket screen displays. 6. Fill out the form and click Submit. Cogeco Peer 1 Service Level Agreement Cogeco Peer 1 is committed to providing services to its customers at a standard of excellence commensurate with the best practice in the industry. Network uptime and server availability are of the highest importance. Cogeco Peer 1 s Service Level Agreement located at applies to Cogeco Peer 1 Managed Hosting Server plans. This information is current as of February 2016 and is subject to change at any time. All Cogeco Peer 1 Managed services are subject to Cogeco Peer 1 Terms of Service located at 5

6 Contact Cogeco Peer 1 for more information on PCI DSS Compliance info@cogecopeer1.com CA 413 Horner Ave. Etobicoke, ON M8W 4W3, Canada US 250 E Grayson St. San Antonio, TX 78215, United States UK 30 Town Quay, Southampton, SO14 2AQ, United Kingdom FR GreenSide, Bât avenue Roumanille Biot, France About Cogeco Peer 1 Cogeco Peer 1 is a wholly-owned subsidiary of Cogeco Communications Inc. (TSX:CCA) and is a global provider of essential business-to-business products and services, such as colocation, network connectivity, managed hosting, cloud services and managed IT services, that allow customers across Canada, the United States and Western Europe to focus on their core business. With global data centres, an extensive FastFiber Network and more than 50 points-of-presence in North America and Europe combined, Cogeco Peer 1 is a trusted partner to businesses small, medium and large, providing the ability to access, move, manage and store mission-critical data worldwide, backed by superior customer support Cogeco Peer 1 6