The Most Stringent Physical and Logical Data Center Security Standards for PCI Hosting.
PCI Data Center Overview
OnRamp meets all of the PCI DSS 3.1 requirements for restricting physical access to cardholder data when it is housed in our facilities. OnRamp operates its Data Centers to address the specific requirements relevant to how infrastructure is deployed and sensitive data is protected in such facilities, including PCI DSS Requirements 9.1-9.8 and 9.10 defined below.
PCI DSS Requirements
“Use appropriate facility entry controls to limit and monitor physical access to systems in the cardholder data environment.”
OnRamp’s Data Centers employ the most stringent physical security measures. Access to OnRamp’s facilities are regulated by security envelopes, with all critical areas requiring two-factor authentication, using a combination of card keys and biometric scanners. To enter the facilities, all visitors must be authenticated in a bullet proof mantrap, a process in which OnRamp personnel match photo ID with records of authorized access lists. All visitors are escorted by a member of the OnRamp NOC staff to their equipment. Once inside our facilities, visitors are monitored at all times by over 30 cameras which stream to hard drives in the NOC. OnRamp maintains at least 90 days of video as part of our external audits and certification processes. And, OnRamp’s Building Management Systems monitor several different critical facilities inputs. All of OnRamp’s infrastructure is located behind cages, requiring an additional layer of two-factor authentication to access.
“Develop procedures to easily distinguish between onsite personnel and visitors, to include:
- Identifying new onsite personnel or visitors (for example, assigning badges)
- Changes to access requirements
- Revoking or terminating onsite personnel and expired visitor identification (such as ID badges)”
OnRamp employs an advanced, electronic visitor management system and has documented processes and procedures for identifying and distinguishing between onsite personnel and visitors. Any visitor to our facilities are authenticated by an authorized OnRamp employee, a process in which OnRamp personnel match photo ID with records of authorized access lists. Once authenticated, visitors are required to wear an OnRamp-issued badge which has a set expiration time. Any change to access requirements is made by OnRamp’s security team.
“Control physical access for onsite personnel to the sensitive areas as follows:
- Access must be authorized and based on individual job function
- Access is revoked immediately upon termination, and all physical access mechanisms, such as keys, access cards, etc., are returned or disabled.”
OnRamp limits physical access to sensitive areas to only authorized personnel with a legitimate business need. When personnel leave the organization, all physical access mechanisms are promptly returned or disabled upon their departure to ensure personnel cannot gain physical access to the facility once their employment has ended.
“Implement procedures to identify and authorize visitors.”
OnRamp has stringent visitor controls to ensure visitors to our facilities are identified as visitors so personnel can monitor their activities and that their access is restricted to just the duration of their legitimate visit. Visitors that are authenticated must surrender their photo ID to the NOC personnel before being granted access to the data center and escorted by a member of the OnRamp personnel to their equipment. All visitors are logged in the visitor management system which maintains a physical audit trail of visitor activity. Visitor badges are returned upon expiry or completion of the visit.
“Physically secure all media.”
Physical security in OnRamp’s data centers is deployed in “security envelopes” with all critical areas including data halls, NOCs and critical systems, accessed only by two-factor authentication.
“Maintain strict control over the internal or external distribution of any kind of media.”
OnRamp tracks all internal media as well as any media that is sent offsite to secure backup facilities.
“Maintain strict control over the storage and accessibility of media.”
OnRamp has a data center infrastructure management system to inventory and classify all media inside of our facilities.
“Destroy media when it is no longer needed for business or legal reasons.”
OnRamp maintains a Systems Development Life Cycle process that governs the acquisition, deployment, maintenance and disposal of equipment exposed to sensitive data. And, we enforce a strict Media Sanitization Policy that is compliant with NIST standards for appropriately rendering storage media unreadable and unrecoverable.
“Ensure that security policies and operational procedures for restricting physical access to cardholder data are documented, in use, and known to all affected parties.”
OnRamp maintains documented policies and procedures for interaction with sensitive data and regularly trains all personnel on the procedures to notify customers in the event a security breach occurs with their infrastructure.