StillSecure made a good choice by partnering with a recognized service provider and integrating its PCI program through them rather than creating its own data centers, said John Kindervag, senior analyst at Forrester Research. "There's more assurance that it is going to be done right by partnering with a service who knows how to properly host data--reputable people who have been around a long time," he said.
StillSecure's controls have been validated by audit and compliance firm Coalfire, which provides PCI compliance services, including qualified security assessor (QSA) audits. ViaWest data centers are certified as compliant for Section 9, which covers physical access to cardholder data, and Section 12, which requires maintaining a security policy governing employees and contractors.
StillSecure's managed security services are implemented through a physical or virtual appliance and cover credit card handling in the company's processing center as well as in remote sites like retail stores, service stations with convenience stores, etc. The service creates a single, PCI-compliant card-processing environment in a hub-and-spoke scenario, with multiple locations feeding card data to a central point through secure connections.
StillSecure says that its service will meet 165 of 176 PCI requirements if it is "deployed in a PCI-compliant or Section 9-compliant facility." The service includes a gap analysis to determine what a company has to do to reach compliance. Some requirements are outside the control of StillSecure and can only be addressed by the credit card processor, such as having the proper anti-virus, password policies, secure coding practices, compliant point-of-sale (PoS) systems, and WPA or WPA2 wireless security for all access points. Included in the service is consulting to help the customer satisfy the requirements for which it is responsible. The security controls provided by PCI Complete, combined with the customer's own controls, complete the package.