Question: I own a small MSP service that offers backup services for customers’ servers. Some of our hospitality customers for which we do nothing but this type of backup believe we need to be PCI compliant. All the data is fully encrypted before it is sent across the internet to the data centers, where it remains encrypted. But we have nothing to do with anything else besides the backup and we use vendors who say something like:
“We fully encrypt all data, both on disk (locally on the LAN) and across the network using very strong encryption that meets PCI compliance standards. (see https://secure.efoldering.com/support/kb/1.html ). So we can be part of a PCI compliance solution. Using us as your backup provider of course does not guarantee that the rest of their business will be PCI compliant, but their backups will meet the security standards for PCI compliance.”
My own feeling is that they are asking us the wrong questions, but I am prepared to be wrong. Is there anything we can do to retain this business by addressing our customers’ PCI compliance requirements?
Answer: This would depend on whether or not backups include potential cardholder data. In a service provider scenario, the provider needs to demonstrate compliance if they can affect the security of cardholder data at all.
Two questions come to mind:
1) Do any of your clients’ backups potentially contain cardholder data?
and if so…
2) Does your company have the ability to decrypt the data if you wanted to? In other words, are you encrypting the data, or are your clients encrypting the data prior to sending it to backup?
There’s a strong case for your company to become a validated service provider since it’s possible your services could impact the security of cardholder data. Unfortunately we don’t know enough here to say for sure. I’d recommend you check out the following PCI Compliance Guide article: https://www.pcicomplianceguide.org/pci-compliance-and-the-service-provider/.
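Question 2 above is really a key-custody question: whoever holds the decryption key can read the backups, and that is what decides whether the provider can "affect the security of cardholder data". The Go program below is an added illustration, not code from the question, the answer, or the vendor quoted; it uses AES-256-GCM from the standard library to model both arrangements side by side: a customer who encrypts on its own server and never hands over the key, and a customer who lets the provider encrypt for it. The `Provider` type, the customer names, the passphrase and the sample record (with a standard test card number) are all constructed for the example.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Blob is what the backup provider actually stores: nonce || AES-GCM ciphertext.
type Blob []byte

// DeriveKey turns a customer passphrase into a 32-byte AES-256 key.
// Plain SHA-256 keeps this example dependency-free; a real client should use a
// salted, slow KDF such as PBKDF2, scrypt or Argon2.
func DeriveKey(passphrase string) []byte {
	sum := sha256.Sum256([]byte(passphrase))
	return sum[:]
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Encrypt seals plaintext under key with a fresh random nonce.
func Encrypt(key, plaintext []byte) (Blob, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return Blob(gcm.Seal(nonce, nonce, plaintext, nil)), nil
}

// Decrypt reverses Encrypt. A wrong key fails GCM authentication and returns an
// error rather than garbage, so "can you decrypt it?" has a yes/no answer.
func Decrypt(key []byte, blob Blob) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize() {
		return nil, errors.New("blob too short")
	}
	return gcm.Open(nil, blob[:gcm.NonceSize()], blob[gcm.NonceSize():], nil)
}

// Provider models the MSP's data centre: blobs per customer, plus whatever keys
// the provider itself holds. Under customer-managed encryption keys stays empty.
type Provider struct {
	store map[string]Blob
	keys  map[string][]byte
}

func NewProvider() *Provider {
	return &Provider{store: map[string]Blob{}, keys: map[string][]byte{}}
}

// Receive stores an already-encrypted blob; the provider never sees plaintext.
func (p *Provider) Receive(customer string, blob Blob) { p.store[customer] = blob }

// ProviderManagedBackup is the other custody model: the provider generates and
// keeps the key and encrypts on the customer's behalf.
func (p *Provider) ProviderManagedBackup(customer string, plaintext []byte) error {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return err
	}
	blob, err := Encrypt(key, plaintext)
	if err != nil {
		return err
	}
	p.keys[customer], p.store[customer] = key, blob
	return nil
}

// CanDecrypt answers question 2 for one customer using only what the provider holds.
func (p *Provider) CanDecrypt(customer string) bool {
	key, ok := p.keys[customer]
	if !ok {
		return false // ciphertext only, no key: nothing to decrypt with
	}
	_, err := Decrypt(key, p.store[customer])
	return err == nil
}

// StoredContains reports whether the bytes at rest expose the given plaintext.
func (p *Provider) StoredContains(customer string, needle []byte) bool {
	return bytes.Contains(p.store[customer], needle)
}

func main() {
	// Constructed sample record standing in for a hotel PMS backup (test PAN).
	record := []byte("guest=J. Smith;pan=4111111111111111;exp=12/27")
	p := NewProvider()

	// Hotel A encrypts on its own server; the MSP only ever receives the blob.
	blobA, _ := Encrypt(DeriveKey("hotel-a-backup-passphrase"), record)
	p.Receive("hotel-a", blobA)

	// Hotel B lets the MSP encrypt for it, so the MSP now holds the key.
	_ = p.ProviderManagedBackup("hotel-b", record)

	fmt.Println("hotel-a provider can decrypt:", p.CanDecrypt("hotel-a")) // false
	fmt.Println("hotel-b provider can decrypt:", p.CanDecrypt("hotel-b")) // true
	fmt.Println("PAN visible at rest:", p.StoredContains("hotel-a", []byte("4111111111111111")))
}
```

The point of the split is the `keys` map: in the first model the provider can show an assessor that it holds ciphertext it cannot open, which is the strongest basis for arguing it cannot affect cardholder data; in the second model the provider is a key custodian and should expect to be treated as an in-scope service provider. Either way, how the customer's backup agent handles the key and where that key lives is the evidence the customer's QSA will ask for.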