StillSecure's PCI Compliant Managed Service

StillSecure is offering a PCI-specific managed services package, PCI Complete, that covers credit card data processing, policy and process controls, and the other security technologies required by the Payment Card Industry Data Security Standard (PCI DSS). Companies can deploy PCI Complete in their own data centers, across the corporate WAN, or in hosted data centers owned by ViaWest. StillSecure says other data center hosting partners will be announced.

September 13, 2010

StillSecure made a good choice by partnering with a recognized service provider and integrating its PCI program through them rather than creating its own data centers, said John Kindervag, senior analyst at Forrester Research. "There's more assurance that it is going to be done right by partnering with a service who knows how to properly host data--reputable people who have been around a long time," he says.

StillSecure's controls have been validated by audit and compliance firm Coalfire, which provides PCI compliance services, including qualified security assessor (QSA) audits. ViaWest data centers are certified as compliant for PCI DSS Requirement 9, which covers physical access to cardholder data, and Requirement 12, which requires maintaining a security policy governing employees and contractors.

StillSecure's managed security services are implemented through a physical or virtual appliance and cover credit card handling in the company's processing center as well as in remote sites such as retail stores and service stations with convenience stores. The service creates a single, PCI-compliant card-processing environment in a hub-and-spoke arrangement, with multiple locations feeding card data to a central point through secure connections.

StillSecure says that its service will meet 165 of 176 PCI requirements if it is "deployed in a PCI-compliant or Section 9-compliant facility." The service includes a gap analysis to determine what a company has to do to reach compliance. Some requirements are outside the control of StillSecure and can only be addressed by the customer, the entity actually handling the cards, such as having proper anti-virus, password policies, secure coding practices, compliant point-of-sale (PoS) systems and WPA or WPA2 wireless security for all access points. Included in the service is consulting to help the customer satisfy the requirements for which it is responsible. The security controls provided by PCI Complete, combined with the customer's own controls, complete the package.

Denver International Airport, a StillSecure customer, is anticipating dramatic growth in its cardholder environment because of a planned airport expansion and fundamental operating changes. The airport is turning to managed services for PCI compliance, and as a government entity, will take part in a required bidding process to acquire a card-processing service.

Currently, the airport's credit card exposure is limited to parking facilities. Denver International segments credit card data on a separate network, including separate desktop systems. Employees who need access to both the enterprise and credit card networks use separate computers, each attached to one network or the other. The airlines and various vendors are responsible for their own card handling and compliance, said Brian Monroe, CISO of Denver International.

That will change with the upcoming airport expansion, which will include a highly virtualized environment where the airport will offer hosted services for the various airlines. "Our PCI scope is about to get huge in the next two to three years," said Monroe. "We will host the applications for the airlines, and the applications will forward any credit cards for processing. Serving up dynamic environments means we will own the infrastructure, and Denver International will handle credit card transactions for them."

However, Monroe doesn't want to take on full responsibility in-house for PCI compliance in this expanded environment. "We have the in-house expertise, but managed services make sense from a pure cost perspective," he said. "It will be more flexible, faster and more responsive to changes with the common use network."

The Coalfire QSA certification lends credibility to StillSecure's claim that PCI Complete helps assure compliance. "It's an audacious statement they are making, and they've done the right thing and gone to a reputable QSA," said Forrester's Kindervag. "When you talk to QSAs, Coalfire is a name that usually comes up."

StillSecure underwent a two-stage certification process, said Rick Dakin, Coalfire president and co-founder. First, Coalfire assessed the design of the controls against the industry standards, reviewing the documentation and administrative controls in StillSecure's services and in its guidance to customers. Second, the actual controls were subjected to effectiveness testing to determine whether they worked and met the PCI standard before Coalfire certified the service offerings.

During the assessment Dakin asked, "If StillSecure provides a control, is there evidence they meet the standard, and secondly if StillSecure did not provide a specific control, is there adequate guidance and instruction in the service offering to the customer to tell them what they need to put in place?"

That latter point--communicating the customer's responsibility to meet those PCI obligations that the provider's technology and processes do not--is crucial. "There are gaps in everybody's solutions," he said. "The difference is that there is specific notification to the users that they have responsibilities in the process."

PCI Complete will be available in October. There will be an initial provisioning fee to implement the service in addition to monthly charges, which will be based on the size of the cardholder environment, including number of devices and bandwidth.
