PCI Compliant Hosting Frequently Asked Questions
Q. Are your services different for service providers than for merchants?
A. GSI services are based on satisfying the PCI DSS requirements and can be applied to any environment that needs to meet those requirements.
Q. What is the value in using GSI versus Self-Assessment Questionnaire (SAQ) generators?
A. GSI provides contracted security management services that facilitate PCI compliance. Scan vendors and SAQ generators do not represent a complete package.
Q. How does GSI differ from a Qualified Security Assessor (QSA) or scan vendor?
A. GSI is a service provider that allows a merchant to offload the duties that a QSA would require to be completed. A QSA assesses the compliance of your systems; GSI facilitates the compliance of your systems. Scan vendors provide a single service to cover a single PCI DSS requirement. GSI provides services that fulfill all IT security controls required by the PCI DSS requirements.
Q. What value can be provided by using secure hosting?
A. Engaging a managed service provider for secure hosting has many benefits, including:
- Limits scope of environment by segregating your cardholder environment from corporate
- Improves service quality through dedicated focus on performance and service levels
- Employs industry best practices in terms of equipment and software requirements, as well as reliable vendor selection
- Improves cost management by leveraging the existing staff and infrastructure of a third party
- Allows for better staff utilization and enables client to focus on core business competencies
Q. How do I know what level of merchant I am?
A. Your level depends on the card brands you accept. Most designations use Visa's guide, which can be found at http://usa.visa.com/merchants/risk_management/cisp_merchants.html
Q. Can GSI help me become compliant?
A. Absolutely. Engaging with GSI makes the security validation process much simpler and more reliable than it would be on your own. GSI has helped many companies, large and small, meet compliance by facilitating the majority of the technical requirements. While GSI takes over significant portions of the related security work, the fundamental responsibilities (e.g., internal security policies, etc.) of a card data owner remain with you.
Q. What services does GSI offer to help me become compliant?
A. GSI offers a comprehensive suite of managed compliant services. We constantly monitor and oversee your systems – everything from creating logs and responding to alerts to patching or updating activities. You will not need to add staff or training when you engage with us.
Q. Why should I trust GSI?
A. Complex enterprise data protection is our niche, and we have a strong record of maintaining security compliance. GSI undergoes many PCI assessments and external audits a year, including an on-site assessment for the Level 1 Report on Compliance (ROC), as well as successful completion of SAS70 Type II audits. We know what it takes to achieve and maintain compliance, and how to ensure the ultimate security of our clients' critical data.
Q. As a service provider, will my clients accept GSI as a place to host critical services?
A. Touting your relationship with GSI can actually enhance your sales process. Our reputation as a premier provider of managed compliant service is unparalleled. And our ability to field complex questions from clients' IT management and external auditors consistently proves valuable in helping demonstrate clients' commitment to providing the utmost confidentiality, integrity and availability of sensitive data.
Q. What are my options for deploying a PCI DSS compliant solution?
A. GSI's compliant services can be implemented as physical servers, virtual systems, or a combination of both, even in remote data centers with international locations. The type of implementation is dependent on your application scope and system requirements. If you need data center space, we can provide it, but we can also work with you to plan a compliant services implementation in remote locations. Co-located systems at GSI allow you to leverage your existing capital expenditures while benefiting from a physical security implementation designed to meet and exceed the PCI DSS requirements.
Q. What is a typical deployment timeframe?
A. Deployment timeframes can fluctuate based on the size and complexity of the system being implemented. System deployment, which includes GSI's compliant services, typically takes 7-15 business days.
Q. How much of the PCI DSS process am I responsible for versus how much will GSI handle?
A. GSI can fulfill all of the IT controls stipulated by the PCI DSS standard. This equates to about 80 percent of the total PCI DSS mandates, with the policy and custom application requirements being the responsibility of the client.
For a detailed list of requirements, please visit our Resource Center and download the GSI/Client PCI DSS Responsibilities Table.
Q. Can I provide my own servers?
A. Of course. GSI provides a comprehensive suite of compliant services, independent of the hardware or software in the underlying environment. We also support a variety of platforms and software components.
Q. How much can you take off my plate in terms of logging, management, rollouts, application alarms, etc.? Where do my responsibilities begin and end?
A. A common method of describing where our services stop is to think in terms of system and custom application.
GSI managed compliance services manage the device from the operating system down, including all changes, patches, logs, security events, access control, etc. As the client, you are responsible for your custom application features, security methods and direct support. However, you may utilize GSI features to assist with custom application management. A good example is change management. You may want to prevent your developers from accessing or deploying to production systems. With GSI's change management, a GSI ServerHeroes® team member performs the deployment steps for new code.
Q. How do I manage change?
A. GSI's robust, successful change management system is available to all our clients and can be accomplished easily through our normal technical support channels. Your staff can fully engage GSI to manage all change on your systems, and when assessment time comes, you are assured that all the change management requirements have been met.
Q. How do I handle security events?
A. All managed compliance services clients at GSI have built-in security event handling. A robust combination of change control, real-time event alerting (IDS, A/V, FIM), and 24/7 staffing allows GSI to be the first- and second-tier response units on client systems. Additionally, GSI staff can perform full remediation as required. This model frees clients from the day-to-day staffing and expense related to managing significant amounts of security tool output.
Q. When will I be notified of security events?
A. GSI truly operates as an extension of your IT staff. Critical security events are engaged by GSI's computer security incident response team (CSIRT) and include plans for client involvement. After an event first goes through our support and security staff, we escalate to you if and when there is an impact to your system, application or clients. Additionally, when you are contacted by us, we will have a remediation plan for you to consider and approve.
Q. What logs am I capturing?
A. GSI captures all system logs and routes them to a central logging system where analysis is performed to meet security event collection requirements.
Q. Are my tools protecting me correctly?
A. GSI is unique in that we believe tools alone do not make a solution. It requires a powerful combination of people, processes and technology to provide a secure data protection solution. All of GSI's services are backed by a dedicated, expert support team, who perform monthly audits against all our security tools and services to ensure consistent implementation and performance.
Q. Who can access your card data?
A. System and administrative level access to card data systems is vigorously restricted, logged and authenticated. Application-level access to card data is controlled principally by the security of the custom software you have deployed. GSI will work with you to ensure strong controls on encryption are in place.
Learn more about:
For more information, be sure to visit the GSI Resource Center. You'll get instant access to PCI compliance case studies and other valuable resources.
- PCI Case Studies
- GSI/Client PCI DSS Responsibilities
- 12 Things You Absolutely Must Ask When Considering a PCI DSS Hosting Provider