Dedicated Cloud Compute PCI Architecture

Keeping compliance requirements for a system up-to-date can be hard and time-consuming—HIPAA, PCI, European Union, etc. all have their own standards to follow for data transmission and storage. It can take a great deal of time and effort to ensure that your environment complies with these standards. The Payment Card Industry (PCI) put out standards for security and technology to keep customer data stored both in the cloud and in physical hardware components safe. Being PCI-compliant means your company can do business with the assurance that all data is secure to the standards of the PCI. Dedicated Cloud Compute (DCC) has many architecture solutions that conform to PCI compliance.


Recommended CenturyLink Products and Services

This matrix highlights the CenturyLink Product and services recommended for helping customers achieve PCI-compliance when implementing a DCC solution.

Requirement/Description CTL Reccomended Products and Services Summary of Customer Responsibilites

Requirements 1.1 – 1.5

Install and maintain a firewall configuration to protect cardholder data.

CTL Dedicated Managed Firewall with Intrusion Detection/Prevention (IDS/IPS) to secure the Cardholder Data Environment (CDE) perimeter for all inbound/outbound traffic.

CTL Dedicated Managed Web Application Firewall to inspect and control application specific data, in order to confirm legitimate transactions.

Separate, “interior” firewalls or firewall “contexts” are implemented when load balancers are leveraged to balance multiple VLANs.

All inter-VLAN traffic is required to transit through a firewall.

All firewall traffic is logged for future review (i.e. LogMgt service).

Customer is responsible for meeting overall compliance standards, regardless of CTL services purchased.

Requirements 2.1 – 2.6

Eliminate the use of vendor-supplied defaults for systems passwords and other security parameters.

CTL installation and operational procedures require all ports, passwords, and security parameters be changed and locked down.

Customer is responsible for meeting overall compliance standards, regardless of CTL services purchased.

Requirements 3.1 – 3.7

Cardholder protection methods such as encryption, truncation, masking, and hashing.

CTL Vormetric Data Encryption to encrypt “data at rest”, with customer only key access.

Encrypt all cardholder “data at rest.”

Customer is responsible for meeting overall compliance standards, regardless of CTL services purchased.

Customer is responsible for use of secure encrypted transmission sessions of all cardholder data.

Requirements 4.1 – 4.3

Encrypt transmission of cardholder data across open, public networks.

CTL Managed VPN Services for secure access to and from the Cardholder Data Environment (CDE).

Encrypt all cardholder “data at rest.”

Customer is responsible for meeting overall compliance standards, regardless of CTL services purchased.

Customer is responsible for use of secure encrypted transmission sessions of all cardholder data.

Requirements Requirements 5.1 – 5.4

Protect all systems against malware and regularly update anti-virus software or programs.

All Windows based operating systems are protected with anti-virus software.

Customer is responsible for meeting overall compliance standards, regardless of CTL services purchased.

Requirements 6.1 – 6.7

Develop and maintain secure systems and applications.

CTL Managed Threat Management Security Scanning and Penetration Testing Service, which continuously scans for network and server vulnerabilities.

CTL Managed Intrusion Prevention/Detection Service.

CTL Dedicated, Managed Web Application Firewall to inspect and control application specific data, in order to confirm legitimate transactions.

CTL maintains all systems and applications at current patch levels.

Customer is responsible for meeting overall compliance standards, regardless of CTL services purchased.

Requirements 7.1 – 7.3

Restrict access to cardholder data by business need to know.

CTL Log Management Service (Log Logic) for log auditing of security events, anomalies, and suspicious activities.

CTL operations procedures maintain access restrictions of all managed system devices.

CTL administrative access permissions use individual named login credentials and on a need only basis.

CTL monitors and logs all authorized operational access and actions by CTL personnel.

Encrypt all cardholder “data at rest.”

Log admin actions and restrict access to systems with cardholder data.

Customer is responsible for meeting overall compliance standards, regardless of CTL services purchased.

Requirements 8.1 – 8.8

Identify and authenticate access to system components.

CTL Log Management Service (Log Logic) for log auditing of security events, anomalies, and suspicious activities.

CTL operations procedures maintain access restrictions of all managed system devices.

CTL administrative access permissions use individual named login credentials and on a need only basis.

CTL monitors and logs all authorized operational access and actions by CTL personnel.

Encrypt all cardholder “data at rest.”

Log admin actions and restrict access to systems with cardholder data.

Customer is responsible for meeting overall compliance standards, regardless of CTL services purchased.

Requirements 9.1 – 9.10

Restrict physical access to cardholder data.

All systems are installed in a locked room or cage, with authorized / authenticated personnel access only.

All entry/exit activity is logged and maintained for audit purposes.

Encrypt all cardholder “data at rest.”

Log admin actions and restrict access to systems with cardholder data.

Customer is responsible for meeting overall compliance standards, regardless of CTL services purchased.

Requirements 10.1 – 10.8

Track and monitor all access to network resources and cardholder data.

CTL Log Management Service (Log Logic) for log auditing of security events, anomalies, and suspicious activities.

CTL operations procedures maintain access restrictions of all managed network devices.

CTL monitors, authorizes, and logs all operational access and actions by personnel.

Ensure access and activities to network sources and cardholder data by is tracked and monitored.

Customer is responsible for meeting overall compliance standards, regardless of CTL services purchased.

Requirements 11.1 – 11.6

Regularly test security systems and processes.

CTL Managed Threat Management Security Scanning and Penetration Testing Service, which continuously scans for network and server vulnerabilities.

CTL Managed Intrusion Prevention/Detection Service.

CTL Dedicated Managed Web Application Firewall to inspect and control application specific data, in order to confirm legitimate transactions.

Customer is responsible for meeting overall compliance standards, regardless of CTL services purchased.

Requirements 12.1 – 12.10

Maintain a policy that addresses information security for all personnel.

CTL maintains a corporate data security policy.

CTL requires and tracks annual training for all its personnel.

Maintain a security policy and train personnel annually.

Customer is responsible for meeting overall compliance standards, regardless of CTL services purchased.

The CTL Products and Services services specified are implemented at an additional cost, and the customer may elect to use any or all of the recommendations. The customer responsibilities shown in the matrix are summarized for the purpose of this document. Additional actions may be required to achieve overall PCI compliance.