
Dedicated Cloud Compute - PCI Architecture


Article Code: kb/215

Security and compliance are big issues in the world of data management and storage, especially as more and more governing agencies set up rules to protect the security of that data. The Payment Card Industry (PCI) has set rules around customer data and the required physical, network, and process security measures for protecting it.

Dedicated Cloud Compute (DCC) has a recommended architecture plan for PCI compliance which ensures that many of the standards for security are met. Below is a table that explains each requirement, along with a list of Lumen products that can contribute to meeting the standard for each requirement.

Each entry below gives the requirement, its description, the Lumen products and services that address it, and a summary of the customer's responsibilities.

Requirements 1.1 – 1.5

Description: Install and maintain a firewall configuration to protect cardholder data.

Lumen Products & Services:
  • Lumen Dedicated Managed Firewall with Intrusion Detection/Prevention (IDS/IPS) to secure the Cardholder Data Environment (CDE) perimeter for all inbound/outbound traffic.
  • Lumen Dedicated Managed Web Application Firewall to inspect and control application-specific data, in order to confirm legitimate transactions.
  • Separate “interior” firewalls or firewall “contexts” are implemented when load balancers are used to balance multiple VLANs.
  • All inter-VLAN traffic is required to transit a firewall.
  • All firewall traffic is logged for future review (i.e., the LogMgt service).

Customer Responsibilities:
  • The customer is responsible for meeting overall compliance standards, regardless of Lumen services purchased.

Requirements 2.1 – 2.6

Description: Eliminate the use of vendor-supplied defaults for system passwords and other security parameters.

Lumen Products & Services:
  • Lumen installation and operational procedures require that all ports, passwords, and security parameters be changed and locked down.

Customer Responsibilities:
  • The customer is responsible for meeting overall compliance standards, regardless of Lumen services purchased.

Requirements 3.1 – 3.7

Description: Protect stored cardholder data using methods such as encryption, truncation, masking, and hashing.

Lumen Products & Services:
  • Lumen Vormetric Data Encryption to encrypt “data at rest”, with customer-only key access.

Customer Responsibilities:
  • Encrypt all cardholder “data at rest.”
  • The customer is responsible for meeting overall compliance standards, regardless of Lumen services purchased.
  • The customer is responsible for the use of secure, encrypted transmission sessions for all cardholder data.

Requirements 4.1 – 4.3

Description: Encrypt transmission of cardholder data across open, public networks.

Lumen Products & Services:
  • Lumen Managed VPN Services for secure access to and from the Cardholder Data Environment (CDE).

Customer Responsibilities:
  • Encrypt all cardholder “data at rest.”
  • The customer is responsible for meeting overall compliance standards, regardless of Lumen services purchased.
  • The customer is responsible for the use of secure, encrypted transmission sessions for all cardholder data.

Requirements 5.1 – 5.4

Description: Protect all systems against malware and regularly update anti-virus software or programs.

Lumen Products & Services:
  • All Windows-based operating systems are protected with anti-virus software.

Customer Responsibilities:
  • The customer is responsible for meeting overall compliance standards, regardless of Lumen services purchased.

Requirements 6.1 – 6.7

Description: Develop and maintain secure systems and applications.

Lumen Products & Services:
  • Lumen Managed Threat Management Security Scanning and Penetration Testing Service, which continuously scans for network and server vulnerabilities.
  • Lumen Managed Intrusion Prevention/Detection Service.
  • Lumen Dedicated Managed Web Application Firewall to inspect and control application-specific data, in order to confirm legitimate transactions.
  • Lumen maintains all systems and applications at current patch levels.

Customer Responsibilities:
  • The customer is responsible for meeting overall compliance standards, regardless of Lumen services purchased.

Requirements 7.1 – 7.3

Description: Restrict access to cardholder data by business need to know.

Lumen Products & Services:
  • Lumen Log Management Service (Log Logic) for log auditing of security events, anomalies, and suspicious activities.
  • Lumen operations procedures maintain access restrictions on all managed system devices.
  • Lumen administrative access uses individual named login credentials and is granted on a need-only basis.
  • Lumen monitors and logs all authorized operational access and actions by Lumen personnel.

Customer Responsibilities:
  • Encrypt all cardholder “data at rest.”
  • Log admin actions and restrict access to systems with cardholder data.
  • The customer is responsible for meeting overall compliance standards, regardless of Lumen services purchased.

Requirements 8.1 – 8.8

Description: Identify and authenticate access to system components.

Lumen Products & Services:
  • Lumen Log Management Service (Log Logic) for log auditing of security events, anomalies, and suspicious activities.
  • Lumen operations procedures maintain access restrictions on all managed system devices.
  • Lumen administrative access uses individual named login credentials and is granted on a need-only basis.
  • Lumen monitors and logs all authorized operational access and actions by Lumen personnel.

Customer Responsibilities:
  • Encrypt all cardholder “data at rest.”
  • Log admin actions and restrict access to systems with cardholder data.
  • The customer is responsible for meeting overall compliance standards, regardless of Lumen services purchased.

Requirements 9.1 – 9.10

Description: Restrict physical access to cardholder data.

Lumen Products & Services:
  • All systems are installed in a locked room or cage, with access restricted to authorized, authenticated personnel.
  • All entry/exit activity is logged and retained for audit purposes.

Customer Responsibilities:
  • Encrypt all cardholder “data at rest.”
  • Log admin actions and restrict access to systems with cardholder data.
  • The customer is responsible for meeting overall compliance standards, regardless of Lumen services purchased.

Requirements 10.1 – 10.8

Description: Track and monitor all access to network resources and cardholder data.

Lumen Products & Services:
  • Lumen Log Management Service (Log Logic) for log auditing of security events, anomalies, and suspicious activities.
  • Lumen operations procedures maintain access restrictions on all managed network devices.
  • Lumen monitors, authorizes, and logs all operational access and actions by personnel.

Customer Responsibilities:
  • Ensure that all access to, and activity involving, network resources and cardholder data is tracked and monitored.
  • The customer is responsible for meeting overall compliance standards, regardless of Lumen services purchased.

Requirements 11.1 – 11.6

Description: Regularly test security systems and processes.

Lumen Products & Services:
  • Lumen Managed Threat Management Security Scanning and Penetration Testing Service, which continuously scans for network and server vulnerabilities.
  • Lumen Managed Intrusion Prevention/Detection Service.
  • Lumen Dedicated Managed Web Application Firewall to inspect and control application-specific data, in order to confirm legitimate transactions.

Customer Responsibilities:
  • The customer is responsible for meeting overall compliance standards, regardless of Lumen services purchased.

Requirements 12.1 – 12.10

Description: Maintain a policy that addresses information security for all personnel.

Lumen Products & Services:
  • Lumen maintains a corporate data security policy.
  • Lumen requires and tracks annual training for all its personnel.

Customer Responsibilities:
  • Maintain a security policy and train personnel annually.
  • The customer is responsible for meeting overall compliance standards, regardless of Lumen services purchased.

This matrix highlights the Lumen Products and Services recommended for helping customers achieve PCI compliance when implementing a DCC solution. The Lumen Products and Services specified are implemented at an additional cost. The customer may elect to use any or all of the recommendations. The customer responsibilities shown in the matrix are summarized for the purpose of this document; additional actions may be required to achieve overall PCI compliance.