More and more web host data centers are pursuing payment card industry (PCI) data security validation. OneNeck IT Solutions, a cloud computing/colo provider/managed services company, is the latest to complete validation against the PCI data security standard (DSS), completing the 3.0 version and qualifying as a “Level 1” colocation company. Headquartered in Scottsdale, Ariz., OneNeck owns a number of data centers around the country, including other locations in Arizona, Iowa, Minnesota and Wisconsin. There are more data centers popping up worldwide each year, but, like OneNeck, many data centers are owned and operated by a few top-tier companies. However, there are also local “boutique” data centers that may offer more niche and personalized services.
In order to achieve PCI DSS validation, an incredible number of standards have to be met. These benchmarks ensure that merchants who handle processing, storage or transmission of their clients’ payment information abide by industry best practices for safety. The PCI Security Standards Council designed these regulations. The Council includes heavy hitters such as MasterCard Worldwide, Visa Inc., American Express and Discover Financial. There are currently 12 standards to meet that cover a broad range of topics, including physical security, policies and procedures, network and systems monitoring, security management, network architecture and software development. Achieving this validation isn’t fast or easy, but it can help dramatically with security while giving clients peace of mind.
Tightening the Guidelines
Previously, PCI DSS was an option—but now it’s a requirement. Any company that outsources payment processing in any way needs to ensure everyone involved is following these regulations. OneNeck is proactive in protecting customers, with the Senior Vice President and CTO of Cloud and Managed Services Clint Harder saying, “Achieving PCI DSS validation is critical to our customers. This validation clearly demonstrates we have the security controls in place and that we are PCI DSS compliant and audit ready. In addition, because our data centers are geographically dispersed, we’re able to provide customers with a variety of highly available options to securely host their PCI DSS environments.”
Of course, not every data center requires or even benefits from PCI DSS compliance. However, there’s a surge of retail-centric colocation data center providers, and these niche data centers likely require validation. There are a few third-party organizations that offer assessments, and OneNeck went with BrightLine CPAs & Associates, which is an incorporated global organization that’s been accredited by the Qualified Security Assessor. Post-assessment, OneNeck received a Report on Compliance that verified “full compliance” with current PCI Data Security Standards. If the Standards were to change, OneNeck and other data centers that have received verification may need to “upgrade” and prove their compliance again.
Like many other full-service providers, OneNeck specializes in managed services, professional services, cloud and hosting, enterprise-specific cloud services and IT hardware. Boasting over 200,000 square feet of total data center space, including Tier 3 data centers around the country, OneNeck already has plans to open another data center in Colorado, though whether or not it will need PCI DSS compliance has not been announced. A mid-sized company, OneNeck is part of Telephone and Data Systems and has about 630 employees. Telephone and Data Systems is a Fortune 1000™ company that specializes in providing TV and voice services, wireless, cable broadband/wireline and hosted/managed services to more than six million clients around the US.
Sticking Your “Neck” Out
There are lessons to be learned from OneNeck’s move, whether for retail data centers or not. Pursuing the best in industry standards and keeping pace with verifications shows customers that you’re serious about security. Many customers, especially shared hosting customers, are not quite certain what they should be looking for in a data center. In fact, unless you get into dedicated server territory, it can all kind of look the same. However, there are many factors to consider with security. Validation is one of them, but so are disaster recovery plans and the general location of the data center.
For example, a data center located in a high-risk area, whether for burglaries or natural disasters, is a greater gamble for clients. A data center in a safer zone, such as Utah, that offers prime customer service is what clients want when trouble starts brewing. Think of validation as one of many means of protecting your clients. However, the big picture is where it really counts.