So, you want to operate your own data centre?
Bernard Foot, Strategy Analyst at MYHSM, the global provider of Payment HSMs as a Service, looks at the possible barriers to setting up your own data centre ahead of operating in the payments space.
If you are going to build a data centre to handle activities such as card issuance and payment transaction processing, then that data centre will need to meet the requirements of one or more Payment Card Industry (PCI) security standards.
PCI Data Security Standard (DSS) is applicable to data centres that process or handle cardholder data (in particular, the Primary Account Number – PAN), such as those involved in card issuance or processing transactions. It should be noted that there are other PCI standards that separately address software production and specific applications such as card production, P2PE, and tokenisation.
PCI DSS defines requirements relating to the design of the data centre and its networking. This is not about enabling the data centre to survive fire, flood or earthquake – it is all about protecting cardholder data in a working data centre.
Putting procedures in place
PCI DSS requires procedures to be implemented to approve, test, configure, maintain, review, and document systems and components. Roles and responsibilities need to be assigned and documented and change control procedures need to be put in place.
Network traffic must be limited and connections between trusted and untrusted networks restricted, with demilitarized zones (DMZs) set up. Measures to prevent IP address spoofing also need to be implemented, while any unnecessary functionality must be removed, and administrator access controlled and encrypted.
Cardholder data must be protected by strong encryption when being transmitted using networks such as the internet, WiFi, and GSM, and there are requirements controlling the storage of cardholder data on physical media.
Adequate anti-malware protection must be deployed, tested, reviewed, and maintained. Processes must be in place to ensure continual vulnerability assessment and scans, to perform penetration testing, and to review, identify, and manage security events and incidents.
As well as all this, development/test and production environments must be segregated.
Key management is one of the major considerations for PCI DSS compliance, with requirements focussed on the strength and encryption of keys, and the use of devices such as Payment HSMs. Procedures to generate, store and distribute keys and to manage key lifecycles need to be designed, documented, and audited. These procedures will require the implementation of split knowledge (e.g. key components controlled by different people) and dual control (i.e. multiple people required to complete an activity).
The roles and privileges of individuals accessing the systems need to be defined, documented, controlled, maintained, and audited. Passwords must meet certain standards and be refreshed frequently, and multi-factor authentication used for administrator access. Physical access to the system must be limited according to roles, using technologies such as access controls and CCTV. The whole security policy must be published and maintained, with annual risk assessments and incident response plan reviews.
So, now you’ve done all of this and built yourself a data centre that is allowed to handle Primary Account Numbers (PANs). But if you want to process transactions, you are also going to need to comply with the PCI PIN Security requirements. This is also going to affect your data centre.
The PCI PIN standard requires the use of Payment HSMs for functions such as key management. You need to ensure that there is a chain of custody process to manage, under dual control, the lifecycle of your HSMs from receipt, through deployment and operation, to end-of-life.
Your Payment HSMs must have appropriate certifications, and be configured and maintained in a PCI PIN-compliant manner. This will ensure requirements such as those relating to key generation, key schemes, key strengths, key wrapping in key blocks, key separation, and PIN Block formats are met. Payment HSMs must be inspected for tampering each time a privileged function such as key forming is performed, and continually updated to the manufacturer’s current security releases.
Processes for PCI PIN
Procedures must be designed, documented, and audited to ensure that your staff interact appropriately with cardholders, do not disclose keys or key components, and perform all key management activities in an approved, secure manner. There must also be procedures in place to detect and manage security events, such as compromised keys. As with PCI DSS compliance, these procedures, roles and responsibilities must be documented, recorded, regularly reviewed, and audited.
Many PCI PIN requirements relate to the forming of keys (such as Key Transport Keys) from clear-text components. Dual control and split knowledge are required, and only authorised individuals may be present during sensitive activities. It must not be possible to use cameras (e.g. CCTV, mobile phones) or electronic capture devices to observe clear-text key components. Standard computer devices with keyboards cannot be used to form the keys.
The standard also defines how clear-text components can be generated, printed, packaged, transmitted, and ultimately destroyed. Each key component or other sensitive key material must be stored in its own safe.
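As an added illustration of the split-knowledge and dual-control requirements described above (example code written for this article, not MYHSM's or any HSM vendor's software, and not a substitute for performing the ceremony inside a certified Payment HSM): each custodian generates a full-length random component and records only its check value, and the key is formed by XORing the components, so no single component reveals anything about the key. The AES check value scheme used here (first three bytes of an all-zero block encrypted under the key) and the function names are assumptions of this example.

```go
package main

import (
	"crypto/aes"
	"crypto/rand"
	"encoding/hex"
	"fmt"
)

// KCV is the AES key check value: first 3 bytes of an all-zero block encrypted under the key.
func KCV(key []byte) (string, error) {
	c, err := aes.NewCipher(key)
	if err != nil {
		return "", err
	}
	out := make([]byte, aes.BlockSize)
	c.Encrypt(out, make([]byte, aes.BlockSize))
	return hex.EncodeToString(out[:3]), nil
}
// NewComponent is run by each custodian separately; alone it reveals nothing about the key.
func NewComponent(keyLen int) ([]byte, error) {
	comp := make([]byte, keyLen)
	_, err := rand.Read(comp)
	return comp, err
}
// FormKey XORs the components after checking each against the check value its custodian
// recorded, so a mistyped or swapped component is rejected before the key is used.
func FormKey(parts [][]byte, kcvs []string) ([]byte, error) {
	if len(parts) < 2 || len(parts) != len(kcvs) {
		return nil, fmt.Errorf("need at least two components, each with a check value")
	}
	key := make([]byte, len(parts[0]))
	for i, p := range parts {
		if kcv, err := KCV(p); err != nil || kcv != kcvs[i] || len(p) != len(key) {
			return nil, fmt.Errorf("component %d failed its check value", i+1)
		}
		for j := range key {
			key[j] ^= p[j]
		}
	}
	return key, nil
}
func main() {
	a, _ := NewComponent(16) // custodian A's component (constructed for this demo)
	b, _ := NewComponent(16) // custodian B's component
	ka, _ := KCV(a)
	kb, _ := KCV(b)
	_, err := FormKey([][]byte{a, b}, []string{ka, kb})
	fmt.Println("key formed under dual control:", err == nil)
}
```

The same code forms a key from three or more components, since the XOR and per-component check apply to any number of custodians.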
Let someone else take the strain
It’s difficult to argue that any of these requirements are unnecessary, but it does mean that building and operating a data centre can be daunting, even for major institutions, and may feel impossible for fintechs or start-ups.
That’s why we are seeing the move away from operating on-premises data centres into the cloud: major providers like Equinix offer data centres which are already PCI DSS-approved. And specialised service providers like MYHSM take care of other requirements such as PCI PIN.