Credit makes the world go round. PCI compliance keeps cardholder data safe. Build PCI-compliant solutions with CenturyLink IaaS
PCI DSS 3.0 is the security certification that applies to any organization or merchant that accepts, transmits or stores any credit card data. *If any customer of an organization ever pays the merchant directly using a credit or debit card, then PCI DSS requirements apply*. Non-compliance is a major concern for enterprises, since even a minor infraction can result in a significant penalty. Fines for non-compliance can exceed tens or even hundreds of thousands of dollars, so PCI compliance warrants close scrutiny by any organization's IT security team.
CenturyLink offers a full menu of PCI DSS-compliant technology solutions and is a listed service provider on the VISA PCI Compliance Directory. Inclusion in this listing is possible because CenturyLink has obtained the following passing Reports on Compliance (ROCs):
CenturyLink has obtained a passing Report on Compliance for the physical security controls in certain data centers and a separate ROC for Firewall and NIDS. While CenturyLink's ROCs and listing on the Visa website are limited in scope, CenturyLink does host many Level-1 and Level-2 merchants, credit card processing companies and other parties who must demonstrate PCI compliance in environments that utilize CenturyLink data center facilities, network infrastructure, and managed hosting and security services. These customers have used third-party Qualified Security Assessors (QSAs) to examine their environments hosted at CenturyLink.
Vulnerabilities are continually being discovered by malicious individuals and researchers, and being introduced by new software. CenturyLink's system components, processes, and custom software are constantly tested and optimized to ensure security controls continue to reflect the changing environment. CenturyLink's strong cybersecurity policy sets the tone for the entire entity and informs personnel what is expected of them. A core component of CenturyLink's responsibility is to ensure appropriate restrictions are maintained around physical access to data or systems containing cardholder data. Through ongoing training, CenturyLink's security personnel remain highly aware of the sensitivity of data and their responsibilities for protecting it.
The PCI DSS specifies and elaborates on six major objectives.
The Payment Card Industry Data Security Standard also known as PCI DSS is a multi-faceted security standard that includes requirements for security management, policies, procedures, network architecture, software design and other critical protective measures. This comprehensive standard is intended to help organizations proactively protect customer account data.
ROC stands for Report on Compliance. It is a report containing the details of an entity's compliance status, and it documents the specific parts of the PCI DSS in scope for the assessment.
Any organization that processes, stores or transmits credit card numbers is subject to PCI DSS requirements. Credit card numbers are known in the payment industry as "primary account numbers" (PANs). This applies to organizations that store PANs in paper form as well as electronic form.
If an organization stores only truncated PANs and does not process or transmit full PANs, it is not subject to PCI DSS. In this context, a truncated PAN means a maximum of the first six and last four digits. There is, however, an exception for Requirement 12.8, which, the council's guidance document explains, has to do with merchants sharing cardholder data with service providers.
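As an added example (not CenturyLink's code or any PCI Council tool), the following Python scans constructed records for full PANs, which bring a system into scope, and checks whether a stored value meets the first-six/last-four truncation rule described above. The Luhn check, the regular expressions and the sample records are assumptions of the example, not part of the page.

```python
# Added example: find full (untruncated) PANs in stored records, since those are
# what pull a system into PCI DSS scope, and validate the truncation rule
# (at most the first six and last four digits retained).
import re

# Constructed sample records; the PANs are well-known test numbers, not real cards.
RECORDS = [
    "order=1001 pan=4111111111111111 amount=19.99",    # full PAN (in scope)
    "order=1002 pan=411111******1111 amount=5.00",     # truncated (out of scope)
    "order=1003 pan=4111-1111-1111-1111 amount=1.00",  # full PAN with separators
    "order=1004 ref=1234567890123 amount=2.50",        # 13 digits, fails Luhn
]

# A run of 13-22 characters of digits, spaces or dashes, not adjacent to
# another digit or to a masking asterisk (assumed masking character).
_DIGIT_RUN = re.compile(r"(?<![\d*])\d[\d\- ]{11,20}\d(?![\d*])")


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check used by card brands; filters out ordinary numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_full_pans(record: str) -> list[str]:
    """Return candidate full PANs (13-19 digits, Luhn-valid) found in a record."""
    found = []
    for m in _DIGIT_RUN.finditer(record):
        digits = re.sub(r"[\- ]", "", m.group(0))   # drop separators
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            found.append(digits)
    return found


def is_truncated(value: str) -> bool:
    """True if a stored value keeps at most the first six and last four digits."""
    return re.fullmatch(r"\d{0,6}\*+\d{0,4}", value) is not None


def scan(records: list[str]) -> dict[int, list[str]]:
    """Map record index -> full PANs found, i.e. the records that are in scope."""
    return {i: pans for i, r in enumerate(records) if (pans := find_full_pans(r))}
```

Records 1 and 3 are flagged; record 2 passes the truncation check and record 4 is a non-card number that the Luhn filter discards.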
Information technology is at the core of compliance with this data security standard. IT professionals deploy, monitor, test and maintain the network components that support transactions involving cardholder data. Those components can be almost anything attached to the network, including servers, switches, routers, firewalls and other applications.
The PCI Security Standards Council recommends that the parts of the network that are involved with cardholder data be isolated, which makes it possible to rein in the network environment subject to the standard. Otherwise, an organization's entire network can be subject to PCI DSS and, consequently, to the annual assessment.
CenturyLink customers who are preparing for or going through a PCI audit can leverage the existing PCI ROC letter from our PCI auditor as part of their audits.
This means the customer's auditor does not need to audit those areas again; they can simply leverage the audit already conducted. This letter contains the date of the assessment, the scope, the responsibility matrix for each in-scope requirement, and the result of the assessment.
We are not required to have a PCI ROC. Our Customers can audit us as part of their PCI Audit.
CenturyLink believes in ease of doing business: when our customers leverage our ROCs for their audits, it is easier for them to demonstrate compliance, and the number and duration of their audits are reduced.
Yes. CenturyLink is listed as a Hosting Service Provider on the VISA website.
Hybrid-ready public cloud provides the agility, scalability and security expected from an enterprise-class cloud, backed by an industry-leading global network.
Experts at the ready to maintain and administer your cloud deployments, with rapid provisioning, hourly billing, and a high degree of automation.
A full complement of threat prevention, threat management, incident response and analysis services to support your hosted or on-premise enterprise security environments.
Maintain complex IT infrastructure and applications with our comprehensive portfolio of managed hosting services, including fully managed networks, servers, storage, operating systems, and security.
Provides a range of storage options including data replication and backup/archiving. CenturyLink solutions are secure, affordable and can provide data resilience with up to five nines.