
Dedicated Cloud Compute - PCI Architecture

Security and compliance are major concerns in data management and storage, especially as more governing bodies set rules to protect the security of that data. The Payment Card Industry (PCI) has set rules around customer data and the physical, network, and process security measures required to protect it.

Dedicated Cloud Compute (DCC) has a recommended architecture plan for PCI compliance that helps meet many of the security standards. The matrix below explains each requirement, lists the CenturyLink products and services that can contribute to meeting it, and summarizes the customer's responsibilities.

Each entry below gives the requirement, its description, the relevant CenturyLink Products & Services, and a summary of customer responsibilities.

Requirements 1.1 – 1.5: Install and maintain a firewall configuration to protect cardholder data.

CenturyLink Products & Services:
  • CenturyLink Dedicated Managed Firewall with Intrusion Detection/Prevention (IDS/IPS) to secure the Cardholder Data Environment (CDE) perimeter for all inbound/outbound traffic.
  • CenturyLink Dedicated Managed Web Application Firewall to inspect and control application-specific data, in order to confirm legitimate transactions.
  • Separate, “interior” firewalls or firewall “contexts” are implemented when load balancers are leveraged to balance multiple VLANs.
  • All inter-VLAN traffic is required to transit through a firewall.
  • All firewall traffic is logged for future review (i.e., the LogMgt service).

Summary of Customer Responsibilities:
  • The customer is responsible for meeting overall compliance standards, regardless of CenturyLink services purchased.

Requirements 2.1 – 2.6: Eliminate the use of vendor-supplied defaults for system passwords and other security parameters.

CenturyLink Products & Services:
  • CenturyLink installation and operational procedures require that all ports, passwords, and security parameters be changed and locked down.

Summary of Customer Responsibilities:
  • The customer is responsible for meeting overall compliance standards, regardless of CenturyLink services purchased.

Requirements 3.1 – 3.7: Protect cardholder data using methods such as encryption, truncation, masking, and hashing.

CenturyLink Products & Services:
  • CenturyLink Vormetric Data Encryption to encrypt “data at rest,” with customer-only key access.

Summary of Customer Responsibilities:
  • Encrypt all cardholder “data at rest.”
  • The customer is responsible for meeting overall compliance standards, regardless of CenturyLink services purchased.
  • The customer is responsible for using secure, encrypted transmission sessions for all cardholder data.

Requirements 4.1 – 4.3: Encrypt transmission of cardholder data across open, public networks.

CenturyLink Products & Services:
  • CenturyLink Managed VPN Services for secure access to and from the Cardholder Data Environment (CDE).

Summary of Customer Responsibilities:
  • Encrypt all cardholder “data at rest.”
  • The customer is responsible for meeting overall compliance standards, regardless of CenturyLink services purchased.
  • The customer is responsible for using secure, encrypted transmission sessions for all cardholder data.

Requirements 5.1 – 5.4: Protect all systems against malware and regularly update anti-virus software or programs.

CenturyLink Products & Services:
  • All Windows-based operating systems are protected with anti-virus software.

Summary of Customer Responsibilities:
  • The customer is responsible for meeting overall compliance standards, regardless of CenturyLink services purchased.

Requirements 6.1 – 6.7: Develop and maintain secure systems and applications.

CenturyLink Products & Services:
  • CenturyLink Managed Threat Management Security Scanning and Penetration Testing Service, which continuously scans for network and server vulnerabilities.
  • CenturyLink Managed Intrusion Prevention/Detection Service.
  • CenturyLink Dedicated Managed Web Application Firewall to inspect and control application-specific data, in order to confirm legitimate transactions.
  • CenturyLink maintains all systems and applications at current patch levels.

Summary of Customer Responsibilities:
  • The customer is responsible for meeting overall compliance standards, regardless of CenturyLink services purchased.

Requirements 7.1 – 7.3: Restrict access to cardholder data to those with a business need to know.

CenturyLink Products & Services:
  • CenturyLink Log Management Service (Log Logic) for log auditing of security events, anomalies, and suspicious activities.
  • CenturyLink operations procedures maintain access restrictions on all managed system devices.
  • CenturyLink administrative access uses individual named login credentials, granted on a need-only basis.
  • CenturyLink monitors and logs all authorized operational access and actions by CenturyLink personnel.

Summary of Customer Responsibilities:
  • Encrypt all cardholder “data at rest.”
  • Log admin actions and restrict access to systems with cardholder data.
  • The customer is responsible for meeting overall compliance standards, regardless of CenturyLink services purchased.

Requirements 8.1 – 8.8: Identify and authenticate access to system components.

CenturyLink Products & Services:
  • CenturyLink Log Management Service (Log Logic) for log auditing of security events, anomalies, and suspicious activities.
  • CenturyLink operations procedures maintain access restrictions on all managed system devices.
  • CenturyLink administrative access uses individual named login credentials, granted on a need-only basis.
  • CenturyLink monitors and logs all authorized operational access and actions by CenturyLink personnel.

Summary of Customer Responsibilities:
  • Encrypt all cardholder “data at rest.”
  • Log admin actions and restrict access to systems with cardholder data.
  • The customer is responsible for meeting overall compliance standards, regardless of CenturyLink services purchased.

Requirements 9.1 – 9.10: Restrict physical access to cardholder data.

CenturyLink Products & Services:
  • All systems are installed in a locked room or cage, with access restricted to authorized, authenticated personnel.
  • All entry/exit activity is logged and retained for audit purposes.

Summary of Customer Responsibilities:
  • Encrypt all cardholder “data at rest.”
  • Log admin actions and restrict access to systems with cardholder data.
  • The customer is responsible for meeting overall compliance standards, regardless of CenturyLink services purchased.

Requirements 10.1 – 10.8: Track and monitor all access to network resources and cardholder data.

CenturyLink Products & Services:
  • CenturyLink Log Management Service (Log Logic) for log auditing of security events, anomalies, and suspicious activities.
  • CenturyLink operations procedures maintain access restrictions on all managed network devices.
  • CenturyLink monitors, authorizes, and logs all operational access and actions by personnel.

Summary of Customer Responsibilities:
  • Ensure that all access to network resources and cardholder data, and all activity on them, is tracked and monitored.
  • The customer is responsible for meeting overall compliance standards, regardless of CenturyLink services purchased.

Requirements 11.1 – 11.6: Regularly test security systems and processes.

CenturyLink Products & Services:
  • CenturyLink Managed Threat Management Security Scanning and Penetration Testing Service, which continuously scans for network and server vulnerabilities.
  • CenturyLink Managed Intrusion Prevention/Detection Service.
  • CenturyLink Dedicated Managed Web Application Firewall to inspect and control application-specific data, in order to confirm legitimate transactions.

Summary of Customer Responsibilities:
  • The customer is responsible for meeting overall compliance standards, regardless of CenturyLink services purchased.

Requirements 12.1 – 12.10: Maintain a policy that addresses information security for all personnel.

CenturyLink Products & Services:
  • CenturyLink maintains a corporate data security policy.
  • CenturyLink requires and tracks annual training for all its personnel.

Summary of Customer Responsibilities:
  • Maintain a security policy and train personnel annually.
  • The customer is responsible for meeting overall compliance standards, regardless of CenturyLink services purchased.

This matrix highlights the CenturyLink Products and Services recommended for helping customers achieve PCI compliance when implementing a DCC solution. The CenturyLink Products and Services specified are implemented at an additional cost, and the customer may elect to use any or all of the recommendations. The customer responsibilities shown in the matrix are summarized for the purpose of this document; additional actions may be required to achieve overall PCI compliance.