Financial Data Hosting for PCI DSS Certification

Whatever industry you operate in, if you accept credit card payments, you must be fully compliant with PCI Security Council standards. For this reason, OVHcloud has implemented the most advanced security measures in the industry, in order to guarantee the highest level of safety for your payment infrastructures. You can host your solutions at any of our PCI DSS-certified datacentres, then deploy a secure, highly-available cloud infrastructure for your online payment workflows. This way, you offer your customers peace of mind, as they can trust that their financial data is completely safe at all times.

Compliant

Get a technical cloud platform, compliant with the PCI DSS 3.2 standard for payment service providers (PSP) Level 1. With more than 275 compliance and audited requirements, OVHcloud's infrastructure satisfies the most demanding standards for credit card-based payment solutions.

Specialist

Get the most out of your Hosted Private Cloud infrastructure, with support throughout the PCI DSS certification process.

Secure

Choose your configuration from our SDDC Hosted Private Cloud packs, with additional features designed to meet all PCI DSS requirements for access control, traceability and data protection, including dedicated destruction of end-of-life data storage hardware.

Start building your secure payment infrastructure now

PCI DSS-certified cloud services, with the highest security standards.
Maximum flexibility and the best price/performance ratio, providing the freedom to grow.
Extended access control and unique traceability features.
Dedicated features to secure your payment solution against fraud.

How it works

Step 1

Start your certification process

PCI DSS compliance applies to every area of a payment solution, and is achieved through the OVHcloud SDDC Hosted Private Cloud infrastructure. All roles and responsibilities regarding compliance are clearly defined in a requirement matrix. Specifically, OVHcloud commits to the operational requirements of the PCI DSS standard for all hardware and software elements of the configurations. Your certification process is then clearly defined and facilitated, based on the nature of your payment solution.

Step 2

Deploy your OVHcloud Hosted Private Cloud solution

Activate your SDDC Hosted Private Cloud solution for PCI DSS, and start using it right away, thanks to vSphere virtualisation from VMware. Once your payment application is rolled out in the cloud, you are free to scale as you see fit, with multiple options for network, compute and storage. Then, as you evolve, replication and high availability across different regions will enable larger-scale deployments.

Step 3

Prevent fraud and keep your solution updated

Fraud involving payment card data is highly common. As a result, organisations that operate IT payment systems have very specific requirements in terms of security, reporting and monitoring. In light of this, your Hosted Private Cloud offers an extensive set of features to track and monitor fraudulent access and critical actions in real time. Make sure your customers' financial data is always 100% secure.

Key Features

Security

Manage your access control list (ACL), to maintain complete control and visibility of who has access to your infrastructure, with automated session time-outs for an additional layer of security.

Monitoring

Utilise a range of advanced monitoring features, with SMS- or token-based validation processes for critical actions, along with detailed traffic analysis and tracking of fraudulent actions.

Reporting

Benefit from comprehensive daily reporting for critical access and actions on your infrastructure, with detailed user and administrator list management.

Traceability

Get a specific traceability process for your entire infrastructure, with an end-of-life hardware destruction process.

Global Data Sentinel

"The move to cloud computing has meant that a great deal of data has been moved from premises to the cloud. Global Data Sentinel and OVHcloud solutions together can ensure that data can still be tightly managed and audited once it leaves the premises – even to the very high standards we see demanded in upcoming legislation. GDPR, for example, forces organisations to take responsibility not only for their own data security, but also for any other organisations that may access or process the data."

Mark Thompson, Head of Product Development of Global Data Sentinel

PCI DSS

What is the PCI DSS standard?

PCI DSS is a reference standard of security requirements designed to ensure the confidentiality of bank card and credit card data when it is handled in IT systems. The standard is published and maintained by the PCI Council, a professional association of credit card companies that includes VISA, Mastercard, American Express, JCB and Discover.

Every bank that issues cards to its account-holding customers, or that collects transactions for its merchant customers, is free to define contractually the security requirements its customers and partners must comply with. The PCI DSS standard defines a common security level that covers the vast majority of these requirements. It has become a benchmark in electronic payment security, and compliance with it has become a systematic requirement for parties in online payment systems. Every party in the online payment hosting chain holds a degree of responsibility for maintaining the platform's overall security. These obligations are contractually transferred from the card brands to all actors involved in the electronic payment platform.

The PCI DSS standard officially lists more than 250 controls and security features that need to be set up to process card numbers securely. These controls are divided into six groups:

  • Build and maintain a secure network and systems
  • Protect cardholder data
  • Maintain a vulnerability management programme
  • Implement strong access control measures
  • Regularly monitor and test networks
  • Maintain an information security policy

How to be PCI DSS compliant

PCI DSS compliance applies to the entire electronic payment platform, and the merchant achieves it by relying on the PCI DSS-compliant building blocks provided by its service provider. This means that each party involved in operating the platform complies with the requirements of the standard that are relevant to its activities, and demonstrates this compliance to its customers.

In the context of our PCI DSS payment infrastructure, OVHcloud is responsible for the infrastructure's security, whilst you remain responsible for the security of the virtual machines we host, the use of virtual network features, and the application layers deployed on your virtual machines. In this way, PCI DSS compliance is a joint effort to combine your software and system platform's security measures with those of the OVHcloud Hosted Private Cloud infrastructure.

PCI DSS compliance can be certified with an Attestation of Compliance (AoC), drawn up after a self-assessment questionnaire has been completed, or after an audit has been performed by one or several QSA (Qualified Security Assessor) companies.

Your platform's compliance with the PCI DSS standard is a structured process, for which the characteristics and obligations depend on several factors:

  • The number of transactions completed annually
  • Type(s) of bank card(s) accepted
  • Acquiring bank(s)
  • Complexity of the electronic payment infrastructure

Becoming PCI DSS compliant involves approaching the parties concerned, to understand their precise expectations. OVHcloud recommends that you contact your acquiring bank and/or contact a QSA company to assist you with this process.

The OVHcloud platform undergoes annual audits by a QSA company. The audit documents are available for you to review, so that you can:

  • Understand which requirements are covered by our certification
  • Define the requirements you need to cover
  • Show your QSA that all of the applicable requirements are acknowledged by OVHcloud, and are PCI DSS-compliant

OVHcloud can also help you achieve compliance, through the support of its team of experts, as well as the supporting documentation it offers:

  • The creation of a PCI DSS responsibility assignment matrix
  • Special conditions detailing OVHcloud's responsibilities
  • A specifications template for performing the obligatory intrusion tests