Thursday 29 March 2018

PCI DSS requirement 10.8 and physical hosting services

One of the PCI DSS requirements that became mandatory on 31 January 2018 is requirement 10.8, which requires service providers to implement a process for the timely detection of failures of critical security control systems. Historically, service providers that offer only a physical hosting service (the client brings its own equipment, and the provider supplies the physical space, physical security, power and internet connectivity to otherwise empty racks) have certified against requirements 9 and 12 of the PCI DSS only, with their clients responsible for all the other requirements. Since the end of January such providers should also be implementing processes that monitor their physical access control systems so that failures are detected in a timely manner.

A common CCTV failure concerns the storage needed to meet the three-month retention requirement (9.1.1). Where recording is triggered by the camera and each triggered clip is saved to disk, the storage consumed depends on how often the cameras trigger. If triggering is more frequent than expected, disk space is used faster than estimated and the recorder rolls over before the end of the 90-day period, with new files overwriting the oldest ones; the 90-day storage period is then not met, and the access control system fails to meet the requirement. A hosting provider can implement a check on its CCTV access control systems for the oldest recording date per camera and ensure that it exceeds the storage requirement, either programmatically or by physically viewing the oldest clip for each of the cameras.
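As an added example (not code from the original post or from any particular CCTV product), the following script implements the programmatic version of that check. It assumes a hypothetical layout in which each camera writes its clips into its own directory under a root such as /var/cctv/<camera>/, uses the file modification time as the clip timestamp, and reports per camera how many days of recordings survive against the 90-day requirement. It also includes a forecast that turns the failure mode described above (clips arriving faster than estimated) into a number: the retention horizon the recorder will reach at the current write rate, so an undersized disk is visible before the first overwrite happens rather than after.

```python
"""CCTV retention check for PCI DSS 9.1.1 (added example, not from the post).

Assumptions (hypothetical, not taken from any product):
  - clips live under <root>/<camera_name>/<clip file>
  - a clip's file mtime is the time it was recorded
"""
from datetime import datetime, timedelta
from pathlib import Path

REQUIRED_RETENTION_DAYS = 90   # 9.1.1: recordings must be kept at least 3 months
WARN_MARGIN_DAYS = 7           # flag cameras that meet 90 days with little headroom


def oldest_clip_per_camera(root):
    """Scan <root>/<camera>/* and return {camera: datetime of the oldest surviving clip}.

    A camera directory with no clips maps to None so that it is reported as a
    failure rather than silently skipped.
    """
    oldest = {}
    for camera_dir in sorted(p for p in Path(root).iterdir() if p.is_dir()):
        clips = [p for p in camera_dir.iterdir() if p.is_file()]
        if not clips:
            oldest[camera_dir.name] = None
            continue
        oldest[camera_dir.name] = min(
            datetime.fromtimestamp(p.stat().st_mtime) for p in clips
        )
    return oldest


def check_retention(oldest_by_camera, now,
                    required_days=REQUIRED_RETENTION_DAYS,
                    margin_days=WARN_MARGIN_DAYS):
    """Return {camera: (days_retained, status)}.

    status is "FAIL" when the oldest clip is younger than required_days (the
    recorder has already rolled over too early), "WARN" when the requirement
    is met but with less than margin_days of headroom, otherwise "OK".
    The dates can come from oldest_clip_per_camera() or from a person who
    viewed the oldest clip on each camera and noted its date.
    """
    results = {}
    for camera, oldest in oldest_by_camera.items():
        if oldest is None:
            results[camera] = (0, "FAIL")
            continue
        days = (now - oldest).days
        if days < required_days:
            status = "FAIL"
        elif days < required_days + margin_days:
            status = "WARN"
        else:
            status = "OK"
        results[camera] = (days, status)
    return results


def projected_retention_days(capacity_bytes, bytes_written, window_days):
    """Days of footage the disk can hold if clips keep arriving at the rate
    observed over the last window_days (bytes_written in that window).

    Comparing this against REQUIRED_RETENTION_DAYS catches the case where the
    trigger frequency is higher than the original sizing assumed, before the
    first overwrite occurs.
    """
    if window_days <= 0 or bytes_written <= 0:
        raise ValueError("need a positive observation window with data written")
    bytes_per_day = bytes_written / window_days
    return capacity_bytes / bytes_per_day


def report(oldest_by_camera, now):
    """Print one line per camera; returns True only if every camera is OK or WARN."""
    results = check_retention(oldest_by_camera, now)
    for camera, (days, status) in results.items():
        print(f"{camera:<10} oldest clip {days:>4d} days old  {status}")
    return all(status != "FAIL" for _, status in results.values())


if __name__ == "__main__":
    # Constructed sample data standing in for a file system scan.
    NOW = datetime(2018, 3, 29)
    sample = {
        "camera01": datetime(2017, 12, 1),   # 118 days: OK
        "camera02": datetime(2018, 1, 15),   # 73 days: rolled over early, FAIL
        "camera03": datetime(2017, 12, 27),  # 92 days: meets 90 but little headroom, WARN
        "camera04": None,                    # no recordings at all: FAIL
    }
    all_good = report(sample, NOW)
    # Constructed sizing figures: 1 TB recorder, 12 GB written in the last day.
    horizon = projected_retention_days(1_000_000_000_000, 12_000_000_000, 1)
    print(f"projected retention at current rate: {horizon:.1f} days "
          f"({'OK' if horizon >= REQUIRED_RETENTION_DAYS else 'UNDERSIZED'})")
    raise SystemExit(0 if all_good else 1)
```

Run it on a schedule and alert on a non-zero exit status; that gives the "timely detection" 10.8 asks for, rather than discovering the shortfall when an investigator asks for footage from eleven weeks ago. The WARN state is worth keeping: once a recorder has filled its disk, the age of the oldest clip stops growing and settles at the rollover horizon, so a camera that sits permanently at 91 or 92 days is one extra busy week away from failing.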