y’s computing environments, system, network and data security are no longer features; they are requirements. IT infrastructures are under constant attack from third parties ranging from mischievous hackers who bolster their reputations by their accomplishments to criminals who desire to misappropriate information for illegal purposes. A variety of industry guidelines and regulations have been promulgated to assure that enterprises that process, store or transmit personal and financial data do so in a prudent manner that will thwart the efforts of the offending third parties.

Enterprises engaged in the healthcare and employee benefit industries were the early adopters of heightened system, network and data security through requirements associated with HIPAA in 1996. Since that time, Gramm-Leach-Bliley, Sarbanes-Oxley, 21 CFR Part 11, California’s SB 1386 and AB 1950 and many others have tightened policies and procedures and raised expectations regarding information security.

In December 2004, the Payment Card Industry (PCI) adopted the most stringent and comprehensive set of security standards to date — PCI DSS (Data Security Standard). PCI DSS provides a guideline to help organizations that process card payments prevent credit card fraud, hacking and various other security issues. Companies that process, store or transmit credit card numbers or cardholder information must be PCI DSS compliant or risk losing the ability to process credit card payments. Merchants and Service Providers must validate compliance annually with an audit by a PCI DSS Qualified Security Assessor (QSA). The intentions of PCI DSS are clear — to create an additional level of protection for customers by ensuring merchants meet minimum levels of security when they store, process or transmit cardholder data.

WHY UTILIZE A PCI COMPLIANT DATACENTER?

The simple answer is assurance — assurance that a computing environment will be designed, implemented and managed in a state-of-the-art manner to protect valuable information to the maximum extent possible.

Specific outcomes that result from implementing PCI DSS are:

* Policy Formulation and Adherence — PCI DSS requires the comprehensive development and documentation of information security policies. Informal and undocumented operating practices are identified, and policies are established to provide heightened security in every aspect of a computing environment. Ongoing maintenance of these policies is required at least annually, and reviews are conducted periodically to assure actual operations align with specified objectives. While the primary responsibility for the development and maintenance of these policies resides with the client, a PCI compliant data center has valuable expertise that can assist in the creation and evaluation of data security policies and procedures.
* Design and Configuration — Systems, networks and databases are planned and implemented utilizing the highest of security policies, standards and procedures. Internal and external access is evaluated, and only those parties who have a documented need-to-access are granted permission into a PCI compliant environment. Dedicated compliant zones segregated by robust firewalls and access controls are features consistent with PCI compliant hosting.
* Implementation — The use of standards and thorough documentation is fully incorporated during the implementation phase. Server, firewall and database configurations are specified during the design phase and followed by PMO staff during implementation, with any change or variance recorded. Actual computing environments mirror the detailed design as specified during the configuration process.
* Management and Maintenance — Segregation of operational duties along with detailed and documented change management protocols are hallmarks of a PCI compliant environment. A PCI compliant data center provides the actual and virtual segregation of personnel necessary to achieve the desired control, as well as insisting that robust change management procedures be followed in order to revise, update and maintain the computing environment.
* Reporting and Review — Numerous oversight and auditing tasks occur within a PCI compliant data center to assure actual operations are consistent with specified policies. These reviews range from detailed analysis of server logs to post-audit of equipment documentation. A PCI compliant data center is also available to assist in compliance reviews and third-party audits that a client may have to undergo.

WHY CHOOSE GSI AS YOUR PCI COMPLIANT DATA CENTER?

* Experienced — GSI was the first managed hosting provider validated by VISA as a PCI (previously CISP) compliant service provider. GSI has been hosting PCI compliant clients longer than anyone.
* Comprehensive — Many data centers provide portions of PCI required services, but very few address the full requirements of PCI DSS. GSI handles 70% of the objectives and sub-requirements listed in the PCI DSS, and if the policy requirements (which are normally a client’s responsibility) are extracted, GSI handles 80% of the remaining PCI DSS requirements.
* Knowledgeable — Five years of PCI hosting experience coupled with a varied clientele has allowed GSI to develop a deep knowledge of data security. GSI manages multiple server, network and database environments in a PCI compliant fashion every day. PCI compliance is integrated into the very fabric of GSI’s operations and is not a bolt-on, as it is at many other hosting providers. Many of GSI’s personnel attend PCI industry conventions and participate in periodic training sessions on PCI and data security.
* Capable — The entity that wrote most of the PCI DSS requirements has selected GSI to be their only third-party hosting provider.
* Committed — GSI recognizes the importance of PCI DSS to clients and clients’ customers, and expends the effort necessary to assist clients in obtaining and maintaining PCI compliance.