Security Audits

uHost has a standing policy of supporting customers who are working toward certification under a variety of auditing standards, such as ISO, SAS 70, and internal data and security audits. uHost has prior experience working with customers on their SAS 70 audits and has been a successful partner in customer certification.


SAS 70 Overview

Statement on Auditing Standards (SAS) No. 70, Service Organizations, is an auditing standard developed by the American Institute of Certified Public Accountants (AICPA) and widely accepted by customers and auditors outside the United States as well. (It has since been superseded by SSAE 16 and the SOC 1 report, but the kind of evidence described below is what those successor audits ask for too.)


A SAS 70 examination signifies that a service organization has had its control objectives and control activities examined by an independent accounting and auditing firm. Service organizations and service providers must be able to demonstrate that they have adequate controls and safeguards when they host or process data belonging to their customers.


SAS 70 is not a pre-determined set of control objectives or control activities that service organizations must achieve. A SAS 70 examination is not a "checklist" audit: the service organization defines its own control objectives, and the auditor examines those. A report is therefore only as useful as the objectives it covers. A Type I report attests that the controls were suitably designed as of a point in time; a Type II report also tests that they operated effectively over a review period. Customers should ask for the Type II report and read the control objectives rather than rely on the fact that an examination took place.


To support our customers in their SAS 70 certification audits, we will provide your auditors with the appropriate documentation on uHost Systems’ policies, controls & processes behind our services. This includes uHost Systems functions such as:


  • Services, Policies & Procedures
    Documentation of policies, controls & procedures for our services and personnel, such as cabinets & power, and policies & operating procedures for security guards, engineers and network technicians, etc.
  • Datacenter Specifications
    Specifications on the datacenter structure, such as security systems, electrical plant, etc.
  • Customer Services & Policies
    Documentation of policies & procedures with which all customers must comply, such as security & access policies, etc.

uHost has a proven track record of successfully supporting its customers in their own SAS 70 examinations, by providing this documentation and a tour of the datacenter facility conducted by our account manager and sales engineer.




PCI Security Standards Overview

PCI (Payment Card Industry) security standards are technical and operational requirements set by the PCI Security Standards Council (PCI SSC) to protect cardholder data. The standards apply to all organizations that store, process or transmit cardholder data – with guidance for software developers and manufacturers of applications and devices used in those transactions. PCI security standards include:


PCI Data Security Standard (DSS)

The PCI DSS applies to all entities that store, process, and/or transmit cardholder data. It covers the technical and operational system components included in or connected to the cardholder data environment. If you are a merchant who accepts or processes payment cards, you must comply with the PCI DSS.


PIN Entry Device (PED) Security Requirements

PCI PED applies to manufacturers who specify and implement device characteristics and management for personal identification number (PIN) entry terminals used for payment card financial transactions (the PED program has since been folded into PCI PTS, the PIN Transaction Security requirements). Merchants should use only PIN entry devices that are tested and approved by the PCI SSC. Approved devices are listed at: www.pcisecuritystandards.org/security_standards/ped/pedapprovallist.html


Payment Application Data Security Standard (PA-DSS)

The PA-DSS is for software developers and integrators of payment applications that store, process or transmit cardholder data as part of authorization or settlement when these applications are sold, distributed or licensed to third parties. Most card brands encourage merchants to use payment applications that are tested and approved by the PCI SSC. Validated applications are listed at: www.pcisecuritystandards.org/security_standards/pa_dss.shtml


There are three ongoing steps for adhering to the PCI DSS:

  • Assess — identify where cardholder data is stored, processed and transmitted, take an inventory of the IT assets and business processes involved in payment card processing, and analyze them for vulnerabilities that could expose cardholder data.
  • Remediate — fix the vulnerabilities found, and do not store cardholder data unless there is a business need for it. Sensitive authentication data (full magnetic-stripe or chip data, card verification codes and PINs) must never be stored after authorization, even in encrypted form.
  • Report — compile and submit the required remediation validation records (if applicable), and submit compliance reports to the acquiring bank and the card brands you do business with.


Reporting

Reports are the official mechanism by which merchants and other organizations verify compliance with PCI DSS to their respective acquiring financial institutions. Depending on card brand requirements, merchants and service providers may need to submit a Self-Assessment Questionnaire (SAQ) or an annual Attestation of Compliance following an on-site assessment (see PCI DSS version 1.2, Appendices D and E for more information). Quarterly submission of external vulnerability scan reports from an Approved Scanning Vendor (ASV) may also be required. Finally, individual card brands may require submission of other documentation.


Information Contained in PCI DSS Reports:

  • Summary of Findings (general statement, details of the security assessment)
  • Business Information (contact, business description, processor relationships)
  • Card Payment Infrastructure (network diagram, transaction flow diagram, POS products used, wireless LANs and/or wireless POS terminals)
  • External Relationships (list of service providers with whom you share cardholder data, connections to card payment companies, and wholly owned entities (national and international) that require compliance with PCI DSS)


