Secure Payments, PCI DSS, Regulatory Compliance Blog

PCI on Disaster Recovery and Backups

June 13th, 2008 by admin Posted in PCI DSS

Have you considered disaster recovery for your payment systems?  Do you know the only thing that PCI DSS compliance requires you to back up?  David Bergert writes about the basics of how to prepare your payment systems in the event of a disaster.  But missing is the one critical element required for compliance.

The phrase “disaster recovery” does not appear in the PCI DSS.  The phrase “business continuity” only appears once in requirement 12.9.1 as, “[verify that the Incident Response Plan includes a] strategy for business continuity post compromise”.  Instead of referencing disaster planning the PCI DSS references backups.

There are a number of PCI DSS requirements relating to backups, such as:

  • 9.5 “store media back-ups in a secure location”
  • 10.5.3 “Promptly back up audit trail files”

Which of those is the one mandatory backup?  The answer is that audit logs are the only thing companies must back up for PCI DSS compliance.  Now, companies will want to continue business and as a result will back up all of their critical systems and corporate information, but this is outside the scope of PCI compliance, which focuses on the security of payment card data.
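Requirement 10.5.3 asks that audit trail files be backed up promptly, and 9.5 asks that the backup media be kept secure; a backup of logs that can be silently altered gives little assurance when the logs are needed after a compromise. The script below is an added example written for this post, not code from the original article or from the PCI DSS itself. It snapshots log files matching a glob pattern into a timestamped backup directory, records a SHA-256 manifest alongside them, and can later verify the snapshot against that manifest so tampering or corruption of the backed-up trail is detected. The directory layout, the `MANIFEST.sha256` file name and the sample log lines are assumptions constructed for the example.

```python
import hashlib
import shutil
from datetime import datetime, timezone
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Hash a file in chunks so large audit logs do not need to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as handle:
        for chunk in iter(lambda: handle.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def back_up_audit_logs(log_dir, backup_root, patterns=("*.log",), label=None) -> dict:
    """Copy audit trail files into a new snapshot directory and write a hash manifest.

    Returns {"snapshot": <path>, "files": {name: sha256}} so callers can record
    what was captured. The snapshot directory is created fresh (never reused),
    which keeps earlier backups from being overwritten by a later run.
    """
    label = label or datetime.now(timezone.utc).strftime("%Y%m%dT%H%M%SZ")
    snapshot = Path(backup_root) / label
    snapshot.mkdir(parents=True, exist_ok=False)

    manifest = {}
    for pattern in patterns:
        for src in sorted(Path(log_dir).glob(pattern)):
            if not src.is_file():
                continue
            dst = snapshot / src.name
            shutil.copy2(src, dst)          # copy2 preserves timestamps for later review
            manifest[src.name] = sha256_file(dst)

    # One "<hash>  <name>" line per file, same layout as sha256sum output
    manifest_text = "".join(f"{digest}  {name}\n" for name, digest in manifest.items())
    (snapshot / "MANIFEST.sha256").write_text(manifest_text)
    return {"snapshot": str(snapshot), "files": manifest}


def verify_snapshot(snapshot_dir) -> list:
    """Return the names of backed-up files that are missing or whose hash changed."""
    snapshot = Path(snapshot_dir)
    mismatched = []
    for line in (snapshot / "MANIFEST.sha256").read_text().splitlines():
        if not line.strip():
            continue
        expected, name = line.split("  ", 1)
        target = snapshot / name
        if not target.is_file() or sha256_file(target) != expected:
            mismatched.append(name)
    return mismatched


if __name__ == "__main__":
    # Constructed demonstration data, not logs from any real system.
    import tempfile

    work = Path(tempfile.mkdtemp())
    logs = work / "logs"
    logs.mkdir()
    (logs / "auth.log").write_text("Jan 1 00:00:00 host sshd[1]: Accepted publickey for ops\n")
    (logs / "app.log").write_text("payment-gw: txn 0001 approved\n")

    result = back_up_audit_logs(logs, work / "backup")
    print("snapshot:", result["snapshot"])
    print("intact:", verify_snapshot(result["snapshot"]) == [])
    (Path(result["snapshot"]) / "auth.log").write_text("edited after the fact\n")
    print("mismatched after tampering:", verify_snapshot(result["snapshot"]))
```

In practice the snapshot would be written to a separate, access-restricted host or to write-once media (the "difficult to alter" part of 10.5.3), and the manifest kept somewhere the log-producing system cannot reach, since a manifest stored next to the logs only detects accidental corruption, not an attacker who can rewrite both.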
