Managed IT hosting provider Rackspace has released a bundled solution that will help clients achieve PCI compliance. Clients can buy the entire bundle or get the individual solutions piecemeal.
The bundle, known as the PCI Toolbox, consists of standard components such as anti-virus protection, customer network scanning services, firewall services, intrusion detection systems, and log and patch management services.
It also includes Rackspaces’s support team of experienced security professionals, who will modify the Toolbox offerings in line with changing PCI requirements.
“In many cases, customers are left to fend for themselves; we’re putting the pieces together into our compliance framework,” Rackspace security product manager Bret Piatt told InternetNews.com.
The security experts are drawn from two groups. One deals purely with security and ensures the Toolbox “is really good security overall,” and the other handles Rackspace’s internal audits, Piatt said.
Rackspace provides all the compliance tools needed for the infrastructure, such as a secure data center, firewalls, log and patch management and antivirus. However, the customer still has to follow proper application development and security procedures.
“A lot of our customers want to focus on what they feel is the right security for their business, but at the same time they want to be compliant, so they want a partner that will map out what’s needed for compliance in an easy-to-handle manner,” Piatt said.
“Rackspace already had a bunch of different point services that impacted PCI compliance, but customers needed to ask for them, and it was a fishing expedition,” Daniel Golding, vice president and research director at Tier1 Research, told InternetNews.com.
While “a lot of other managed hosting providers” also offer pieces of the PCI puzzle and are internally compliant, Rackspace is the first one that has packaged them into a bundle, Golding said.
However, tools to address the requirements of PCI-DSS 6.6, which became mandatory June 30, are not included in the Rackspace PCI Toolbox.
Rackspace is not offering Web application firewalls, because “a lot of Web application firewalls are immature and hard to deploy, and we’re not sure they’re workable in a hosted production environment right now,” Piatt said.
And it does not want to get into examining clients’ application code because it wants to retain its focus on providing infrastructure solutions.
Rackspace is not alone in its move to offer PCI compliance capabilities — DataPipe, which considers its only competition in the IT managed hosting space to be IBM, offers security well beyond the 12 requirements of PCI-DSS.
“We’ve rewritten our internal organizational policies so they meet or exceed PCI policies,” DataPipe chief security officer Joel Friedman told InternetNews.com.
For instance, DataPipe’s system looks at network traffic and correlates that with event logs, an approach that is “over and above PCI requirements,” Friedman said.
The firm has set up a global management structure in which every login or access is logged and sent to its correlation system to be scanned for attack patterns. If any are found, an e-mail is fired off to the client’s security department.
DataPipe’s contracts spell out to clients which requirements apply to its infrastructure, which to the client and which are shared.
The company has been certified as a Level One service provider by the credit card companies, so its clients don’t have to be audited but can do a self-assessment instead, “which saves them tens of thousands of dollars a year,” Friedman said.
A Level 1 service provider is a VisaNet processor or any payment gateway, which is a category of agent or service provider that stores, processes and transmits cardholder data as part of a payment transaction.
Unlike Rackspace, DataPipe began offering clients Web application firewalls as of June 30, when PCI-DSS 6.6 became mandatory.
However, it won’t examine clients’ source code because of possible legal implications, Friedman said.
DataPipe also offers database encryption services through a third-party cross-platform system, which encrypts data and stores it so that the encryption key is not known by database administrators, thus eliminating a possible source of attacks.
“This package has taken us a very long time to put together; anything that can be done outsourced, we’ve done it,” Friedman said.