PCI DSS Scoping for Colocation Providers: To Include or Not to Include?

Author: Dustin Rich, CISSP, (ISC)2, CISA, ISACA, PCI QSA, PA QSA, MCSE, CCNA, CCA, and Managing Consultant at A-LIGN.

A-LIGN is heavily involved in the colocation industry, performing PCI DSS assessments as well as additional compliance audits for colocation providers throughout the US and internationally. When a colocation provider is approached by clients about adhering to PCI DSS requirements, how does the organization decide which PCI DSS requirements should be tested for its environment?

Many of the sections within the PCI DSS relate to logical security, which is the responsibility of the customer and not the colocation facility. However, colocation providers that supply physical infrastructure to customers who are required to meet PCI DSS requirements will typically fall within the scope of their customer’s PCI DSS assessment. That scope typically covers the physical security requirements (PCI DSS Requirement 9 – Restrict physical access to cardholder data) and the policy and procedure requirements (PCI DSS Requirement 12 – Maintain a policy that addresses information security for all personnel).

If a colocation facility is only providing physical infrastructure, these two requirement sections of the PCI DSS cover all applicable controls related to the physical security of the cardholder data environment. It should also be noted that, even though these sections are applicable to a colocation facility, not all sub-requirements within PCI DSS Requirements 9 and 12 will apply to a colocation facility. For example, PCI DSS Requirement 9 includes sub-requirements about the transfer and distribution of media (9.6) and the physical security of payment terminals (9.9.x), which most often do not apply.

For colocation facilities that provide additional managed services (such as backup services or firewall management), or a "helping hands" service that could allow the colocation facility to affect the security of the customer’s environment, PCI DSS Requirement 11.1 can also be considered. While it is not a requirement for colocation facilities, PCI DSS Requirement 11.1 is a control to detect unauthorized wireless access points in the cardholder data environment that must be performed by the customer at least quarterly. A colocation facility that includes this control as part of its assessment may benefit customers who are not able to inspect the facility on a quarterly basis (for example, customers that do not have a local presence). Otherwise, the customer would need to implement and maintain proper controls for this requirement.

While deciding which requirements are right for your facility can be a stressful process, A-LIGN can be a partner to you. We have extensive experience working within the colocation compliance space, and our QSAs will work directly with your organization to help determine all the individual sub-requirements that will be applicable to your specific assessment.

If you have questions regarding PCI DSS, please contact A-LIGN at [email protected] or 1-888-702-5446.