PCI DSS Certification for financial data hosting
Payment card data requires a particularly high level of care and security, because its sensitive nature makes it a frequent target for fraud. PCI DSS (Payment Card Industry Data Security Standard) level 1 certification ensures that banking organisations and users of online services benefit from a high level of security. Organisations that process this confidential data must meet the specific security requirements defined by this certification. The framework is published and maintained by the PCI Council, a professional group of payment card providers including Visa, Mastercard, American Express, JCB and Discover. This security standard is one of the strictest in terms of confidential data protection.
Our Hosted Private Cloud Premier solution has been PCI DSS 3.2 certified since 2015. Our datacentres in France, Canada, the UK, Germany and Poland hold this certification.
We have added further security measures to our PCI DSS-certified solutions. These include token validation for critical actions, access control lists (ACLs) for administration interfaces, specific reports on sensitive actions, and specific features for account management.
With a PCI DSS-certified infrastructure, you can simplify the way you ensure compliance with security standards that are currently in force. OVHcloud will help you ensure compliance, and will provide you with the documents you need for PCI DSS certification.
PCI DSS-certified solutions for hosting financial data
What is the PCI DSS standard?
PCI DSS is a reference set of security requirements designed to ensure the confidentiality of bank card and credit card data when it is used in computer systems. The standard is published and maintained by the PCI Council, a professional association of credit card companies that includes VISA, Mastercard, American Express, JCB and Discover.
Any bank that issues cards to its account holders, or acquires transactions for its merchant customers, is free to define contractually the security requirements that its customers and partners must comply with. The PCI DSS sets out a common security level that covers most needs. It has become the benchmark for electronic payment security, and compliance with it has become a systematic requirement for users of online payment systems. Each party in the online payment hosting chain shares responsibility for monitoring the overall security of the platform. These obligations are contractually passed down by the card brands to all the parties involved in the electronic payment platform.
The PCI DSS officially lists more than 250 security features and controls that need to be implemented in order to process card numbers securely. These controls are divided into six groups:
- Build and maintain a secure network and systems;
- Protect cardholder data;
- Maintain a vulnerability management programme;
- Implement strong access control measures;
- Regularly monitor and test networks;
- Maintain an information security policy.
How to be PCI DSS compliant
PCI DSS compliance applies to the entire electronic payment platform; a merchant achieves it by building on the PCI DSS-compliant components provided by its service provider. This means that each party involved in the use of the platform must comply with the requirements of the standard that are relevant to its activities, and demonstrate this compliance to its customers.
As part of OVHcloud’s PCI DSS payment infrastructure, OVHcloud is responsible for the infrastructure’s security, while you remain responsible for the security of the virtual machines we host, the use of virtual network features, and the application layers deployed on your virtual machines. This way, PCI DSS compliance is a joint effort to combine your software and system platform's security measures with those of OVHcloud's Private Cloud infrastructure.
PCI DSS compliance can be certified with an Attestation of Compliance (AoC) drawn up after a self-assessment questionnaire has been completed, or after an audit has been performed by one or more QSA (Qualified Security Assessor) companies.
Your platform's compliance with the PCI DSS is a structured process, for which the characteristics and obligations depend on several factors:
- The number of transactions completed annually;
- Type(s) of bank card(s) accepted;
- Acquiring bank(s);
- Complexity of the electronic payment infrastructure.
Becoming PCI DSS compliant involves approaching the parties concerned, in order to understand their precise expectations. OVH recommends that you contact your acquiring bank and/or contact a QSA company to assist you in this process.
The OVH platform undergoes annual audits by a QSA company. The audit documents are available for you to view and:
- Understand which requirements are covered by our certification;
- Define the requirements you need to cover;
- Show your QSA that all applicable requirements are acknowledged by OVHcloud and are PCI DSS compliant.
OVHcloud can also help you become compliant with the support of its team of experts, as well as the documentation offered:
- Creating a PCI DSS responsibility assignment matrix;
- Special conditions detailing the responsibilities of OVHcloud;
- A specifications template for performing the mandatory penetration tests.