FAQ about PCI DSS Level 1 Compliance

In general, what is PCI-DSS certification?

The Payment Card Industry (PCI) Data Security Standard (DSS) is an information security standard defined by the Payment Card Industry Security Standards Council. PCI certification is required for organizations (merchants and service providers) that process credit card payments. The certification is designed to prevent credit card fraud through increased controls around data and its exposure to compromise. The standard applies to all organizations which hold, process, or exchange cardholder information from any card branded with the logo of one of the card brands.

PCI-DSS is a standard that specifies best practices and various security controls. Certification in the standard requires organizations to:

• Build and maintain a secure hardware network
• Develop and maintain secure software systems and applications
• Protect cardholder data
  • Install and maintain a firewall configuration to protect cardholder data
  • Protect stored cardholder data
  • Encrypt transmission of cardholder data across open, public networks
  • Restrict access to cardholder data by business need to know
  • Restrict physical access to cardholder data
• Implement strong security measures
  • Do not use vendor-supplied defaults for system passwords and other security parameters
  • Use and regularly update anti-virus software
  • Assign a unique ID to each person with computer access
• Regularly test and monitor networks
  • Track and monitor all access to network resources and cardholder data
  • Regularly test security systems and processes
• Maintain a policy that addresses information security

All organizations processing credit card information, regardless of their deployment model, are required to be certified. For larger merchants (Merchant Level 1 is the largest type; Joyent is Level 1), validation of by independent and approved reviewer is required. A PCI Qualified Security Assessor (QSA) is authorized to perform an independent assessment and certify a vendor.

In general, what is a PCI Validated Service Provider?

Service providers are organizations that process, store, or transmit cardholder data on behalf of clients, merchants, or other service providers. They may include shared hosting environments in which cardholder data may be stored. Certified credit card merchants must use service providers that are compliant with the PCI Data Security Standard (DSS). A validated service provider is one that has undergone an audit by an independent QSA and is found to be in conformity with the PCI security standards outlined in the latest version of the Data Security Standard published by PCI. Joyent is a PCI service provider for scenarios in which a merchant processes, stores, and/or transmits credit card data on the Joyent infrastructure.

Is Joyent now PCI certified?

The Joyent core infrastructure and services listed below are PCI DSS 2.0 compliant. This compliance has been validated by an authorized independent Qualified Security Assessor.

PCI “certification” is a term reserved for those merchants who require certification to process credit card transactions. Joyent, as a service provider, does not directly manage a cardholder data environment (and therefore, unlike merchants, does not require certification). Joyent provides a secure environment that has been validated by a QSA, allowing merchants to establish a secure cardholder environment and to achieve their own certification, having confidence that their underlying technology infrastructure is compliant. Achieving PCI DSS 2.0 Validated Service Provider status for Joyent helps our customers obtain their own PCI certification.

Service provider levels are defined as:

• Level 1: Any service provider that stores, processes and/or transmits over 300,000 transactions annually • Level 2: Any service provider that stores, processes and/or transmits less than 300,000 transactions annually

Joyent has been validated as a Level 1 Service provider by an Independent Qualified Security Assessor (QSA).

What Joyent product offerings support storage, processing, or transmission of credit card data?

Services that support the processing, storage, and transmission of credit card data by a merchant or service provider have been validated as being compliant with PCI standards. These services include:

• The Joyent Cloud virtual hosting infrastructure including the Joyent Cloud Customer Web Management Console and Cloud API
• Customer identity and access management to the Joyent Cloud
• The underlying physical infrastructure and the Joyent Cloud Administration Environment

The scope of the Joyent Cloud PCI compliance for the services defined above applies to all Joyent Cloud data center locations.

What does this mean to me as a PCI merchant or service provider?

Our PCI Service Provider status means that customers who use our services to store, process or transmit cardholder data can rely on our PCI compliance validation for the technology infrastructure as they manage their own compliance and certification, including PCI audits and responses to incidents. Our service provider compliance covers all requirements as defined by PCI DSS for physical infrastructure service providers. Moving the entire cardholder environment to Joyent can simplify your own PCI compliance by relying on our validated service provider status. If your QSA currently needs additional supporting information, please contact us.

What does this mean to me as a non-PCI merchant customer?

Our PCI compliance further demonstrates our commitment to information security at every level. Compliance with the DSS standard, validated by an independent third-party audit, confirms that our security management program is comprehensive and follows leading practices. This validation provides more clarity and assurance for customers evaluating the breadth and strength of our security practices.

Can I rely on the results of the Joyent PCI Report on Compliance or will additional testing be required to be fully compliant?

All merchants manage their own PCI certification. For the portion of the PCI cardholder environment deployed in Joyent, your QSA can rely on our validated service provider status, but you will still be required to satisfy all other PCI compliance and testing requirements, including how you manage the cardholder environment that you host with Joyent.

How do customers understand which PCI controls they are responsible for?

For customers pursuing PCI certification, upon request, Joyent will provide the authoritative QSA’s AOC document. The AOC is a simple high-level attestation of compliance with a description of the business and scope.

Does Joyent rely on their SOC 1 report (formerly SAS 70) to demonstrate PCI compliance?

No. Joyent conducts PCI compliance assessments separately from other compliance initiatives. PCI assessors are not required to rely on Service Organization Control (SOC 1) reports to complete their certification evaluation or testing; Joyent can provide formal PCI documentation upon request.

Does the PCI standard require single-tenant environments in order to be compliant?

No. The Joyent environment is a virtualized, multi-tenant environment. Joyent has effectively implemented security management processes, PCI controls, and other compensating controls that effectively and securely segregate each customer into its own protected environment.

Is there a special PCI compliant environment I need to specify when bringing up servers or uploading objects to store?

No. The entire Joyent Public Cloud infrastructure is compliant and there is no separate environment or special API to use. Any server or data object deployed in or using these services is in a PCI compliant environment, globally.

Is the PCI DSS standard public?

Yes. You can download the standard directly from the PCI Security Standards Council.