The Payment Card Industry Data Security Standard (PCI DSS) establishes technical and operational requirements to protect payment cardholder data. PCI DSS Requirement 12.10.1 requires an incident response plan that is implemented in the event of a system breach, and that plan must cover, among other things, business recovery and continuity procedures and data backup processes.
PCI DSS Requirement 9.5.1 requires media backups to be stored in a secure location, preferably an offsite facility, with the security of that location reviewed at least annually. (These are the v3.2.1 requirement numbers; PCI DSS v4.0 moves the backup-location rule to 9.4.1.1 and 9.4.1.2.) Both requirements must be taken into account when developing a disaster recovery strategy for PCI compliance.
In addition to creating the disaster recovery plan itself, merchants are responsible for the following (Requirements 12.10.2 through 12.10.6):
- Reviewing and testing the plan at least once a year.
- Designating specific personnel who are available 24/7 to respond to alerts.
- Training the staff who have security breach response responsibilities.
- Feeding alerts from intrusion detection, intrusion prevention, firewall, and file integrity monitoring systems into the response process.
- Maintaining a process to modify and improve the incident response plan based on lessons learned and on industry developments.
An offsite backup outsourced through a hosting provider can help with these requirements, and the disaster recovery plan itself can be moved to the cloud. Outsourcing does not transfer responsibility, though: a provider that stores or can access CHD is a third-party service provider under Requirement 12.8, and you must document which requirements it covers and which remain yours.
If your production environment is cloud-based, the entire environment, including network configuration and all servers, can be replicated from code, which can cut recovery time from days to a few hours. Because most of a cloud DR environment is only provisioned at failover, it can also cost far less than a second production environment.
Does PCI DSS cover disaster recovery systems?
Essentially, PCI DSS does not specify recovery objectives. It does not require that transactions be recoverable, or within what time; it requires that sensitive authentication data (SAD) and cardholder data (CHD) be protected wherever they are stored, processed, or transmitted, and a DR site is such a place. SAD must not be stored after authorization at all (Requirement 3.2), so it should never appear in a backup or a replica in the first place.
A hot site is almost always in scope together with the production data center. CHD is already replicated to it so that it can take over immediately if the primary data center fails, so every requirement that applies to the production environment applies there as well.
Cold sites are never within PCI scope. By definition, a cold site has no equipment other than electrical power, telecommunications terminations, empty racks, HVAC, and physical security, so no CHD is stored, processed, or transmitted there until it is built out.
Warm sites are the problematic case. Equipment is installed, but data may or may not be present, so in almost every case the QSA has to determine whether CHD is stored, processed, or transmitted at the warm site, for example through database replication, log shipping, or test restores of backups.
As a result, determining whether a warm site is within PCI scope can take a significant amount of effort.
There is an even more troubling issue with disaster recovery that people don't think about until it is too late. If production moves to the DR site for any reason, that DR site is in PCI scope from that moment.
Any compliance gap at the DR site therefore becomes a gap in your live cardholder data environment, and the organization is no longer PCI compliant until it is fixed. Such gaps should be found and closed before a failover, not during one.
Checklist for PCI DSS Disaster Recovery Requirements
A secure and compliant infrastructure rests on encryption, access control, secure data transfer and storage, availability, and resilience at both the production and the DR layer. If your organization must comply with a regulatory framework such as PCI DSS, both the production and the DR systems must meet its criteria.
- Choose a DR solution that encrypts data at rest and in transit: stored PAN must be rendered unreadable (Requirement 3.4) and CHD crossing open, public networks must be protected with strong cryptography (Requirement 4.1). A solution with encryption built in spares the organization the time and effort of bolting it on afterwards.
- Establish a documented key-management process (Requirements 3.5 and 3.6): who may use the keys, and how they are generated, distributed, rotated, and retired. Log every use of a key and every retrieval of DR data so that each restore is attributable to a person or a job.
- Implement the data management plan and access control mechanisms so that only authorized personnel can reach DR data, on a need-to-know basis (Requirement 7).
- Use a DR tool that records failover audit trails, for documentation and for evidence at assessment time.
- When selecting DR providers, check the SLAs that cover the availability of the disaster recovery solution. For on-premises DR solutions, review the architecture to confirm that high availability is built in.
- For resilience, choose a vendor that can keep multiple copies of disaster recovery data in different locations.
- Test and document regularly. PCI DSS requires the incident response plan to be reviewed and tested at least annually (Requirement 12.10.2), and a DR test is the natural place to verify that the recovered environment still meets the controls above.
- Cloud storage is a practical way to meet the offsite storage requirement, provided transfer and storage are secured. In cloud-native environments, replicate data to a different region or geography, and protect the replica with the same encryption and access controls as the source.
- Data recovery solutions should support long-term retention on inexpensive storage; cloud-based DR vendors have an advantage here because they can offer pay-as-you-go object storage at low rates. Keep in mind that every backup copy is stored CHD: Requirement 3.1 limits retention to what business, legal, or regulatory needs justify and requires secure deletion once that period ends, so retention is a policy decision, not just a storage-cost decision.
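As an added example, not code from this article or from any DR vendor, the following Go program shows one way to implement the encryption and key-usage-logging items of the checklist for a backup of cardholder data: envelope encryption with a fresh data key per backup, the data key wrapped under a key-encryption key that in practice would live in an HSM or cloud KMS, AES-GCM so that a corrupted or tampered offsite copy is rejected at restore time, and an audit record for every wrap and unwrap. All type and function names, the key identifiers, and the sample record are assumptions made for illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
	"time"
)

// Envelope encryption for a DR backup: fresh data key (DEK) per backup wrapped under a
// key-encryption key (KEK), AES-GCM so tampering is caught before restore, and an audit
// record per key operation. Added example; all names and sample data are assumptions.

type KeyUsageEvent struct {
	When          time.Time
	Actor, Action string // Action: "wrap" (backup written) or "unwrap" (restore attempted)
	KeyID, Object string // which KEK, which backup
}

// Vault stands in for the HSM or cloud KMS that holds the KEK; the KEK never leaves it.
type Vault struct {
	KEKID string
	kek   []byte
	Log   []KeyUsageEvent // in production, shipped to central logging (PCI DSS Req. 10)
}

// EncryptedBackup is the offsite format: each blob is nonce || AES-GCM output (tag included),
// and Label is bound into both tags as AAD so blobs cannot be swapped between backups.
type EncryptedBackup struct {
	Label, KEKID     string
	WrappedDEK, Data []byte
}

func randBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err) // no entropy is fatal; never fall back to a weaker source
	}
	return b
}

func NewVault(id string) *Vault { return &Vault{KEKID: id, kek: randBytes(32)} } // AES-256

// gcmFor builds the AEAD; keys here are always 32 bytes, so the error paths cannot occur.
func gcmFor(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		panic(err)
	}
	return aead
}

// seal returns nonce || ciphertext. A DEK is used exactly once, so a random 96-bit nonce is
// safe; the long-lived KEK must be rotated well before 2^32 wraps.
func seal(key, pt, aad []byte) []byte {
	aead := gcmFor(key)
	nonce := randBytes(aead.NonceSize())
	return aead.Seal(nonce, nonce, pt, aad)
}

func unseal(key, blob, aad []byte) ([]byte, error) {
	aead := gcmFor(key)
	if n := aead.NonceSize(); len(blob) >= n {
		return aead.Open(nil, blob[:n], blob[n:], aad)
	}
	return nil, fmt.Errorf("blob shorter than a nonce")
}

func (v *Vault) EncryptBackup(actor, label string, payload []byte) *EncryptedBackup {
	dek := randBytes(32) // one data key per backup, never reused
	v.Log = append(v.Log, KeyUsageEvent{time.Now().UTC(), actor, "wrap", v.KEKID, label})
	return &EncryptedBackup{Label: label, KEKID: v.KEKID,
		WrappedDEK: seal(v.kek, dek, []byte(label)), Data: seal(dek, payload, []byte(label))}
}

// DecryptBackup is the restore path. The unwrap is logged before it is attempted, so a
// failed or unauthorized restore still leaves a trace.
func (v *Vault) DecryptBackup(actor string, b *EncryptedBackup) ([]byte, error) {
	if b.KEKID != v.KEKID {
		return nil, fmt.Errorf("backup %s needs KEK %s, vault holds %s", b.Label, b.KEKID, v.KEKID)
	}
	v.Log = append(v.Log, KeyUsageEvent{time.Now().UTC(), actor, "unwrap", v.KEKID, b.Label})
	dek, err := unseal(v.kek, b.WrappedDEK, []byte(b.Label))
	if err != nil {
		return nil, fmt.Errorf("unwrap failed (wrong KEK or tampered header): %w", err)
	}
	payload, err := unseal(dek, b.Data, []byte(b.Label))
	if err != nil {
		return nil, fmt.Errorf("integrity check failed, refusing to restore: %w", err)
	}
	return payload, nil
}

func main() {
	v := NewVault("kek-2024-01")
	// Constructed sample record; 4111... is the well-known test PAN, not real cardholder data.
	b := v.EncryptBackup("backup-job", "cde-db-2024-01-15", []byte(`{"pan":"4111111111111111"}`))
	b.Data[len(b.Data)-1] ^= 1 // simulate corruption or tampering of the offsite copy
	_, err := v.DecryptBackup("dr-operator", b)
	fmt.Println("restore:", err, "| audit:", v.Log)
}
```

The points worth carrying over to a real deployment: the DEK never leaves the backup job, the KEK never leaves the vault, the backup label is authenticated along with the data so a blob from one backup cannot be presented as another, and the restore attempt is logged before any key material is touched, which is what makes the audit trail useful in an investigation.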
Every company needs a disaster recovery plan, and a good plan helps the business follow strict security compliance guidelines. Having a plan is not enough for a modern company, though.
The organization must also remain PCI compliant throughout the entire recovery process, which means confirming that both the plan and the DR environment meet every relevant PCI requirement before they are ever needed.