OVH Payment Infrastructure Obtains PCI DSS 3.2 Certification

On 23rd June, as a Level 1 payment service provider, OVH once again received its Certificate of Compliance for PCI DSS version 3.2. This Payment Card Industry Data Security Standard (PCI DSS) is one of the most demanding in terms of confidentiality and data protection. The OVH Payment Infrastructure PCI DSS starter pack is compliant with it for the third year in a row.

What Does the PCI DSS Audit at OVH Look Like?

The certificate was renewed after a three-month audit. The OVH teams responsible for this solution were put to the test by auditors, to ensure measures for all 12 of the standard’s security requirements were implemented and fully effective.

Over 2,000 pieces of evidence were supplied to the auditors! At OVH, the audit is carried out as a completely independent project. Managed by the quality team, it involves the many staff members responsible for the Private Cloud solution. The teams were actively involved in the audit, responding to all the auditors’ questions and tests. They were involved throughout the preparation process, during the two stages of the on-site audit and in communication about the evidence provided. The figures are impressive, and show how serious and comprehensive the process was:

• 275 compliance points in the standard
• 209 check points applicable to OVH
• 3-month audit
• 50+ people involved
• 28 interviews with technical teams
• 2 datacentre visits
• 2,000+ pieces of evidence supplied to auditors
• 370-page compliance report

We had two parallel and complementary objectives. The first was to industrialise the auditing process, e.g. collecting evidence, choosing tools for communicating with the auditors, and quickly accommodating recommendations linked to changes in the standard. The second was to prepare ourselves for the launch of the Private Cloud solution in our new datacentres, maintaining the same level of security and compliance wherever the infrastructure is hosted, whether that is in Roubaix, Strasbourg, Beauharnois (Canada), Singapore, Sydney, the UK or Germany.

What is the PCI DSS Standard?

PCI DSS is a set of security requirements aimed at guaranteeing the security of payment card data in the information systems that use this data. It is published and maintained by the PCI Security Standards Council, a professional group of payment card providers, including VISA, Mastercard, American Express, JCB and Discover.

Each bank that issues cards to cardholder customers or collects transactions for merchant customers is free to define the security requirements its customers must respect. The PCI DSS standard defines a common security base covering most of the requirements. It has become the benchmark for security, and is now a systematic requirement for payment systems. Each party in the electronic payment system bears part of the responsibility, making it possible to ensure the platform’s overall security. These obligations are contractually transferred from payment card companies to all parties involved in the electronic payment platform.

The PCI DSS standard lists around 275 control points and security measures to implement in order to process payments securely. These control points are divided into six groups:

• Creating and managing a secure network and system
• Protecting cardholder data
• Managing a vulnerability management programme
• Implementing strict measures to control access
• Regular monitoring and testing of networks
• Managing a data security policy

How Can OVH Customers Comply With PCI DSS?

PCI DSS compliance applies to the entire electronic payment platform, while the certification of the OVH Payment Infrastructure only applies to the infrastructures established by OVH. This means that all parties involved in using the platform must respect the standard’s requirements pertaining to their own area of responsibility. They must also ensure their compliance processes complement those of the other parties.

For the OVH Payment Infrastructure starter pack, OVH is responsible for the security of the infrastructure. The customer is responsible for the security of the hosted virtual machines, the use of the virtual network’s features, and the application layers deployed on their virtual machines. Compliance with PCI DSS is achieved through a joint effort that combines the security measures of the application platform with those of the Private Cloud infrastructure.

Making an electronic payment application comply with the PCI DSS standard is a structured and complex process. It depends on numerous factors, including the annual number of transactions, types of payment card accepted, and complexity of the general infrastructure. One of the jobs of the “acquiring bank”, i.e. the bank that receives payments for the merchant, is to define and communicate the requirements that the merchant must respect.

OVH opted to implement the highest level of PCI DSS compliance for a payment service provider (PSP Level 1), so that our customers can implement electronic payment infrastructures of any size and complexity. OVH also decided to always obtain a Certificate of Compliance for the most up-to-date version of the standard during each audit period.

Contracts and Certificates of Compliance

Each customer’s case is different, but most situations will resemble one of the two following models. Compliance obligations are imposed by the contracts between the two parties. Proof of compliance is given in the form of a Certificate of Compliance.

For a merchant that hosts a payment platform on an OVH infrastructure:

For a payment service provider (PSP) that hosts systems on an OVH infrastructure and whose customers are merchants:

Shared Responsibilities

Determining our customer’s detailed responsibilities is a complex task. A strong understanding of PCI DSS is needed to identify the requirements applicable to a specific case. We recommend that our customers call in a QSA (Qualified Security Assessor) company to help them carry out this analysis.

Conversely, by standardising our offer and clearly dividing the areas of operational responsibilities between OVH and our customers, we are trying to make the sharing of responsibilities as clear as possible. Viewed through the prism of PCI DSS, responsibility is shared as follows:

Creating and managing a secure network and system

PCI DSS Requirement – Condition 1

Install and maintain a firewall to protect cardholder data.

OVH/Customer responsibilities

OVH is responsible for configuring the physical equipment and making network management functions available to customers.

The customer is responsible for configuring the virtual network within the virtual datacentre.

PCI DSS Requirement – Condition 2

Do not use vendor-supplied defaults for system passwords and other security parameters.

OVH/Customer responsibilities

OVH is responsible for the infrastructure equipment (network, hypervisors, servers and databases for the virtualisation infrastructure and service management).

The customer is responsible for the virtual machines and applications hosted in the Private Cloud.

Protecting cardholder data

PCI DSS Requirement – Condition 3

Protect stored cardholder data.

OVH/Customer responsibilities

The customer bears full responsibility for the application architecture.

PCI DSS Requirement – Condition 4

Encrypt transmission of cardholder data on open public networks.

OVH/Customer responsibilities

The customer bears full responsibility for the application architecture.

Managing a vulnerability management programme

PCI DSS Requirement – Condition 5

Protect all systems against malicious software and update antivirus software and programs regularly.

OVH/Customer responsibilities

OVH is responsible for the hypervisors, servers and databases for the virtualisation infrastructure and service management.

The customer is responsible for the virtual machines hosted in the Private Cloud.

PCI DSS Requirement – Condition 6

Develop and manage secure systems and applications.

OVH/Customer responsibilities

OVH is responsible for the management interfaces provided to customers, the robots and service management systems.

The customer is responsible for the applications and scripts executed within the virtual machines hosted in the Private Cloud.

Implementing strict measures to control access

PCI DSS Requirement – Condition 7

Restrict access to cardholder data to the people who need access.

OVH/Customer responsibilities

OVH is responsible for the infrastructure equipment (network, hypervisors, servers and databases for the virtualisation infrastructure and service management).

The customer is responsible for the virtual machines and applications hosted in the Private Cloud.

PCI DSS Requirement – Condition 8

Identify and authenticate access to system components.

OVH/Customer responsibilities

OVH is responsible for the infrastructure equipment (network, hypervisors, servers and databases for the virtualisation infrastructure and service management).

The customer is responsible for the virtual machines and applications hosted in the Private Cloud.

PCI DSS Requirement – Condition 9

Restrict physical access to cardholder data.

OVH/Customer responsibilities

OVH bears full responsibility for the physical hosting of the platform.

Regular monitoring and testing of networks

PCI DSS Requirement – Condition 10

Track and monitor all access to network resources and cardholder data.

OVH/Customer responsibilities

OVH is responsible for the infrastructure equipment (network, hypervisors, servers and databases for the virtualisation infrastructure and service management).

The customer is responsible for the virtual machines and applications hosted in the Private Cloud.

PCI DSS Requirement – Condition 11

Test the security processes and systems frequently.

OVH/Customer responsibilities

OVH is responsible for the infrastructure equipment (network, hypervisors, servers and databases for the virtualisation infrastructure and service management).

The customer is responsible for the virtual machines and applications hosted in the Private Cloud.

Managing a data security policy

PCI DSS Requirement – Condition 12

Maintain a policy that addresses information security for all personnel.

OVH/Customer responsibilities

OVH is responsible for the teams in charge of development, industrialisation, operation and support of the Private Cloud offer. The policy covers all the processes involved in delivering the service.

The customer’s responsibility is limited to the use of the application that processes card data.