CenturyLink IaaS offers foundation for PCI-DSS 3.0 compliance

Hosted and Cloud Services for PCI-DSS 3.0 Compliance

Credit makes the world go round. PCI Compliance keeps card holder data safe. Build PCI-compliant solutions with CenturyLink IaaS

PCI DSS 3.0 is the security standard that applies to any organization or merchant that accepts, transmits or stores credit card data. *If any customer of an organization ever pays the merchant directly using a credit or debit card, then PCI-DSS requirements apply*. Non-compliance is a major concern for enterprises, since even a minor infraction can result in a significant penalty. Fines for non-compliance can exceed tens or even hundreds of thousands of dollars, so PCI compliance warrants close scrutiny by any organization's IT security team.

CenturyLink offers a full menu of PCI-DSS-compliant technology solutions and is a listed service provider on the VISA PCI Compliance Directory. Inclusion in this listing is possible because CenturyLink has obtained the following passing Reports on Compliance (ROCs):

  • Data Center Services (Asia, EMEA and North America): Physical and administrative security controls in the majority of CenturyLink branded data centers.
  • Managed Firewalls and NIDS Services (not location specific): Cisco ASA and Check Point firewalls, and Network Intrusion Detection Systems (NIDS).
  • iQ Private Port (not location specific): MPLS-based WAN platform for customer provisioning and management on the network.
  • Network Integrated Cloud Contact Center Solutions: Hosted Interactive Voice Response and Network Common Area contact center solutions.
  • Merchant Level 1: Hosted Cardholder Data Environment for the storage and transmission of cardholder data, and the customer service representative workstations that transmit cardholder data.

CenturyLink has obtained a passing Report on Compliance for the physical security controls in certain data centers and a separate ROC for firewall and NIDS services. While CenturyLink's ROCs and listing on the Visa website are limited, CenturyLink hosts many Level 1 and Level 2 merchants, credit card processing companies and other parties who must demonstrate PCI compliance in environments that use CenturyLink data center facilities, network infrastructure, and managed hosting and security services. These customers have used third-party Qualified Security Assessors (QSAs) to examine their environments hosted at CenturyLink.

Vulnerabilities are continually being discovered by malicious individuals and researchers, and being introduced by new software. CenturyLink’s system components, processes, and custom software are constantly tested and optimized to ensure security controls continue to reflect the changing environment. CenturyLink’s strong cybersecurity policy sets the tone for the entire entity and informs personnel what is expected of them. A core component of CenturyLink's responsibility is to guarantee appropriate restrictions are maintained around physical access to data or systems containing card holder data. Through perpetual training, CenturyLink’s security personnel remain highly aware of the sensitivity of data and their responsibilities for protecting it.

Benefits of PCI Compliance

  • Increased Trust among Potential and Current Customers
  • Increased Security
  • Protection from Significant Liability and Fines
  • Increased Conversion Rates
  • Increased Consumer Confidence
  • Increased Google Ranking

PCI DSS Compliance Objectives

The PCI DSS specifies and elaborates on six major objectives.

  1. A secure network must be maintained in which transactions can be conducted. This requirement involves the use of firewalls that are robust enough to be effective without causing undue inconvenience to cardholders or vendors. Specialized firewalls are available for wireless LANs, which are highly vulnerable to eavesdropping and attacks by malicious hackers. In addition, authentication data such as personal identification numbers (PINs) and passwords must not involve defaults supplied by the vendors. Customers should be able to conveniently and frequently change such data.
  2. Card holder information must be protected wherever it is stored. Repositories with vital data such as dates of birth, mothers' maiden names, Social Security numbers, phone numbers and mailing addresses should be secure against hacking. When card holder data is transmitted through public networks, that data must be encrypted in an effective way. Digital encryption is important in all forms of credit-card transactions, but particularly in e-commerce conducted on the Internet.
  3. Systems must be protected against the activities of malicious hackers by using frequently updated anti-virus software, anti-spyware programs, and other anti-malware solutions. All applications should be free of bugs and vulnerabilities that might open the door to exploits in which card holder data could be stolen or altered. Patches offered by software and operating system (OS) vendors should be regularly installed to ensure the highest possible level of vulnerability management.
  4. Access to system information and operations must be restricted and controlled. Card holders should not have to provide information to businesses unless that information is necessary to effectively carry out a transaction. Every person who uses a computer in the system must be assigned a unique and confidential identification name or number. Card holder data should be protected physically as well as electronically. Examples include the use of document shredders, avoidance of unnecessary paper document duplication, and locks and chains on dumpsters to discourage criminals who would otherwise rummage through the trash.
  5. Networks must be constantly monitored and regularly tested to ensure that all security measures and processes are in place, are functioning properly, and are kept up-to-date. For example, anti-virus and anti-spyware programs should be provided with the latest definitions and signatures. These programs should scan all exchanged data, all applications, all random-access memory (RAM) and all storage media frequently if not continuously.
  6. Formal information security (IS) policy must be defined, maintained, and followed at all times and by all participating entities. Enforcement measures such as audits and penalties for non-compliance may be necessary.

Frequently Asked Questions

What is PCI DSS?

The Payment Card Industry Data Security Standard also known as PCI DSS is a multi-faceted security standard that includes requirements for security management, policies, procedures, network architecture, software design and other critical protective measures. This comprehensive standard is intended to help organizations proactively protect customer account data.

What is a ROC?

ROC stands for Report on Compliance. It is a report containing the details of an entity’s compliance status and documents the specific parts of the PCI-DSS in scope for the assessment.

Who is affected by PCI DSS?

Any organization that processes, stores or transmits credit card numbers is subject to PCI DSS requirements. Credit card numbers are known in the payment industry as "primary account numbers" (PANs). This applies to organizations that store PANs in paper form as well as electronic form.

If an organization stores only truncated PANs and does not process or transmit full PANs, it is not subject to PCI DSS. In this context, a truncated PAN means a maximum of the first six and last four digits. There is, however, an exception for Requirement 12.8, which, the council's guidance document explains, has to do with merchants sharing cardholder data with service providers.
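As an added illustration of the scoping rule above (example code, not CenturyLink's), the following Python scans constructed log lines and separates full PANs, which bring the store into PCI DSS scope, from PANs truncated to the first six and last four digits. The Luhn check used to filter out other long digit runs is an assumption of this example rather than something the text above describes.

```python
import re

# Added example, not CenturyLink's code. Finds full PANs (13-19 digits, optionally
# grouped by spaces or dashes) and PCI-style truncated PANs (first six and last
# four digits kept, middle masked with X) in free text such as application logs.
FULL_PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
TRUNCATED_RE = re.compile(r"(?<!\d)\d{6}X{3,9}\d{4}(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn check digit test (assumed here); filters out most non-card digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * (2 if i % 2 else 1)
        total += d - 9 if d > 9 else d
    return total % 10 == 0


def truncate_pan(pan: str) -> str:
    """Return the truncated form described above: first six and last four digits."""
    digits = re.sub(r"\D", "", pan)
    if not 13 <= len(digits) <= 19:
        raise ValueError(f"PAN length {len(digits)} is outside 13-19 digits")
    return digits[:6] + "X" * (len(digits) - 10) + digits[-4:]


def classify(text: str) -> str:
    """'full' if a Luhn-valid full PAN is present, 'truncated' if only a
    truncated PAN is present, otherwise 'none'."""
    for m in FULL_PAN_RE.finditer(text):
        if luhn_ok(re.sub(r"\D", "", m.group())):
            return "full"
    return "truncated" if TRUNCATED_RE.search(text) else "none"


def scan_log(lines):
    """(line number, classification) per line with PAN-like data; any 'full' hit
    means the log store holds cardholder data and is inside PCI DSS scope."""
    found = [(n, classify(line)) for n, line in enumerate(lines, 1)]
    return [(n, c) for n, c in found if c != "none"]


# Constructed sample log lines; 4111111111111111 is a well-known test number.
SAMPLE_LOG = [
    "2024-05-01T10:00:00Z order=10023 pan=4111111111111111 amount=19.99",
    "2024-05-01T10:00:01Z order=10024 pan=411111XXXXXX1111 amount=5.00",
    "2024-05-01T10:00:02Z order=10025 card=4111 1111 1111 1111",
    "2024-05-01T10:00:03Z session=1234567890123 status=ok",
    "2024-05-01T10:00:04Z order=10026 status=approved",
]

if __name__ == "__main__":
    print(scan_log(SAMPLE_LOG))  # [(1, 'full'), (2, 'truncated'), (3, 'full')]
```

Line 4 carries a 13-digit run that is not Luhn-valid, so it is not reported; lines 1 and 3 show that separators do not hide a full PAN.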

What is the role of IT in PCI DSS compliance?

Information technology is at the core of compliance with this data security standard. IT professionals deploy, monitor, test and maintain the network components that support transactions involving cardholder data. Those components can be almost anything attached to the network, including servers, switches, routers, firewalls and other applications.

The PCI Security Standards Council recommends that the parts of the network that are involved with cardholder data be isolated, which makes it possible to rein in the network environment subject to the standard. Otherwise, an organization's entire network can be subject to PCI DSS and, consequently, to the annual assessment.

A CenturyLink customer is going through a PCI audit. What do we provide them?

CenturyLink customers who are preparing for or going through a PCI audit can leverage the existing PCI ROC letter from our PCI auditor as part of their audits.

This means the customer's auditor does not need to audit those areas again; they can leverage the audit already conducted. This letter contains the date of the assessment, the scope, a responsibility matrix for each in-scope requirement, and the result of the assessment.

Is CenturyLink required to be PCI compliant?

We are not required to have a PCI ROC. Our Customers can audit us as part of their PCI Audit.

If we are not required to demonstrate PCI compliance, then why do we have ROCs?

CenturyLink believes in ease of doing business: when our customers can leverage our ROCs for their own audits, it is easier for them to demonstrate compliance, and it reduces the number and duration of their audits.

Is CenturyLink considered a Service Provider under PCI definitions?

Yes. CenturyLink is listed as a Hosting Service Provider on the VISA website.

Data Center Locations
  • Albuquerque, NM (AB3)
  • Atlanta, GA (AT1)
  • Bangalore, India (BLR2)
  • Boston, MA (B01, B02, B03)
  • Burbank, CA (BR1/POP)
  • Chicago, IL (CH2, CH3, CH4/POP)
  • Columbus, OH (CL1)
  • Dallas, TX (DL1, DL2)
  • Denver, CO (DN1, DN2, DN3)
  • Frankfurt, Germany (FR6)
  • Hong Kong (HK2)
  • Houston, TX (HSPOP)
  • Jersey City, NJ (NJ1)
  • Kansas City, MO (KSPOP)
  • London, United Kingdom (L01, L03, L04, L05, L06)
  • Los Angeles, CA (LA1)
  • Minneapolis, MN (MP1, MP2)
  • Montreal, Canada (MR1)
  • Newark, NJ (NJ5)
  • Orange County, CA (OC2)
  • Phoenix, AZ (PH1, PH2, PHPOP)
  • Piscataway, NJ (NJ3, NJ4)
  • Santa Clara, CA (SC4, SC5, SC8, SC9)
  • Seattle, WA (SE2, SE3, SE4/POP)
  • Singapore (SG2, SGS)
  • St. Louis, MO (SL1)
  • Sterling, VA (DC2, DC3, DC4, DC5, DC6, DC7)
  • Sunnyvale, CA (SN1, SN2)
  • Tampa, FL (TP1, TPPOP)
  • Tokyo, Japan (TY6)
  • Toronto, Canada (TR1, TR3)
  • Vancouver, Canada (VC1)
  • Washington, DC (DCPOP)
  • Weehawken, NJ (NJ2, NJ2)


Related Products

Cloud Services

Hybrid-ready public cloud provides the agility, scalability and security expected from an enterprise-class cloud, backed by an industry leading global network.

Managed Services

Experts at the ready to maintain and administer your cloud deployments. Rapid provisioning, hourly billing, and highly automated.

Managed Security

A full complement of threat prevention, threat management, incident response and analysis services to support your hosted or on-premise enterprise security environments.

Managed Hosting

Maintain complex IT infrastructure and applications with our comprehensive portfolio of managed hosting services, including fully managed networks, servers, storage, operating systems, and security.

Managed Storage & Backups

Provides a range of storage options including data replication and backup/archiving. CenturyLink solutions are secure, affordable and can provide data resilience of up to five nines.