I am looking for hosting, ec2 is SAS 70 compliant (almost) and I would have gone straight for PCI compliant and tier 4 only but I'm considering SAS 70. What are the differences or similarities?
Disclaimer - I work for a hosting provider that is SAS 70 type II compliant and a PCI DSS validated service provider.
PCI DSS is a specific set of technical requirements that must be met. SAS 70 is an audit of your controls and procedures.
Unless you process credit card transactions, PCI compliance is irrelevant for your purposes. Even if PCI compliance is relevant to you, the SAS 70 audit is more important for the purposes of verifying physical and environmental security of your servers, among other issues. However, keep in mind that a SAS 70 audit is considered a replacement for the organization (the data center in this case) being audited over and over by their clients and their clients' auditors. Unlike most organizations, you are going to set foot in the data center and will observe many of the controls yourself. However, you still request a copy of the report and review it. Make sure it is current. Ideally, they have a Type 2 SAS 70 audit versus a Type 1 audit. Verify whether the auditor's opinion letter is unqualified (good) or qualified (means an issue was so significant that it was pulled into the letter), and that the scope seems relevant to the services provided.
It's important to note that you can be SAS70 compliant and NOT be PCI DSS compliant. One does not imply the other. They are different compliance processes with different goals.
A data center most likely will be PCI compliant only in the area of physical security. This also happens with some managed hosting solutions like Rackspace and SunGard.
They have some controls in place, but some auditing companies have issues with some managed hosting providers.
As rorr said: PCI DSS is a specific set of technical requirements that must be met. SAS 70 is an audit of controls and procedures.
Can't comment yet, so in the form of an answer: I want to add that SAS 70 (type 1 or 2) can actually be an audit on anything. (So it could be a financial audit, audit on fire prevention/backup/recovery, US HIPAA etc). What the audit covers is determined by its scope which should be in the contract to hire the auditor (and return in the audit report).
AFAIR, there is a specific audit guideline for PCI DSS controls; you can have an auditor perform an SAS70 type 2 audit against these controls. Result: you can wave the report (assuming it's an unqualified opinion, as mentioned elsewhere) when you get the PCI auditors. But make sure the SAS70 type 2 report covers the right stuff.
It could also very well be that you can get a PCI DSS certification of your hoster which is not in the form of SAS70...
No hosting company is actually PCI-compliant. This sort of compliance is achieved for each customer that requires it, because otherwise it would assume all their customers' servers are set up in such a way that makes them PCI-compliant which won't be a very good idea unless they're only catering to those that need it.
SAS-70 compliance is achieved at the datacenter level usually, and I don't think you'll be able to fully achieve certain compliance levels in a cloud-like environment where many things are shared between multiple users.