PCI Compliant Hosting: Compare Hosting
What Is PCI Compliance?
The Payment Card Industry Data Security Standard (PCI-DSS) is a set of security standards designed and enforced by the Payment Card Industry Security Standards Council (PCI-SSC). Forged through a coalition of the major credit and debit card-issuing companies, these standards were put in place to reduce credit card fraud and to ensure the secure processing, storage, and transmission of cardholder data by online merchants.
The PCI standards apply to all ecommerce businesses, regardless of size or sales volume, and failure to remain compliant with them can result in fines, increased card processing fees, or suspension of credit card processing privileges.
Achieving PCI Compliance
Responsibility for achieving and maintaining PCI compliance is shared equally by merchants, web developers, and web-hosting service providers. Each has a critical role to play, though ultimately it falls to the merchant to ensure that their website and web-hosting provider meet the approved industry standards.
In order to achieve PCI compliance, businesses must undergo a rigorous vetting process. This consists of a quarterly automated scan of their website and hosted servers by an authorized scanning vendor, together with an annual self-assessment questionnaire as prepared by the PCI Security Standards Council.
According to the PCI Security Standards Council there are 12 requirements (PDF) that must be met in order to achieve PCI compliance. These can be broken down into six basic categories or security goals. Some of these requirements are the responsibility of web-hosting providers, while others are the responsibility of merchants and their web developers and site designers. However, in the final analysis it always falls to the merchant to ensure that their hosting service, website developer, and third-party software vendors are PCI compliant.
The goals and requirements necessary to achieve PCI compliance include the following:
Building and Maintaining a Secure Network — this is largely the responsibility of the web-hosting provider, and addresses two key security issues:
- Installation and maintenance of a firewall in order to create a secure private network.
- Creating, maintaining, and updating system passwords that meet or exceed industry standards.
Protecting Cardholder Data — this is a shared responsibility, though the web-hosting provider should be at the forefront of the secured storage and transmission of all sensitive data. The protection of cardholder data addresses the following points:
- Web-hosting providers must utilize a secure data protection model that combines multiple layers of physical and virtual defense procedures, including restricting access to servers and datacenters as well as enforced password authentication and authorization protocols.
- Cardholder data, including validation codes and PINs, must be encrypted when transmitted over any open or public network.
Maintaining a Vulnerability Management Program — this applies primarily to web-hosting service providers, though security vulnerabilities should also command the attention of merchants and their web development team. The PCI-SSC outlines two basic requirements necessary to meet this security goal:
- Anti-virus software must be regularly updated, either by the merchant's IT team if their servers are self-managed or by the hosting provider if data is being housed or processed on outsourced or managed servers.
- Web-hosting service providers are expected to routinely monitor and update their systems to combat newly identified security vulnerabilities.
Implementing Strong Access Control Measures — this is one aspect of PCI compliance that is largely the responsibility of the business owner and their web development team, as it addresses data security on a more localized level:
- Restrict access to cardholder data to authorized personnel only.
- Assign unique IDs to staff members with access to sensitive data, using best practices for password encryption, authentication, and log-in limits.
- Restrict physical access to cardholder data (this primarily applies to web-hosting providers, which should limit on-site access to their datacenters to authorized personnel only).
Regularly Monitor and Test Networks — this is a shared responsibility between web-hosting providers and the merchant's web development team. Routine monitoring and testing is necessary to verify and maintain network security.
- Access to network resources and cardholder data should be regularly monitored for possible security breaches or vulnerabilities. Logging systems should be put in place to track user activity and access to stored archives.
- Web-hosting service providers should routinely test and monitor security systems and processes to ensure the continued safety of sensitive data.
Maintaining an Information Security Policy — this applies to both web-hosting services and web developers, both of whom should have well-defined security policies in place that outline operational security procedures, acceptable uses of technology, basic administrative tasks and safeguards, and detailed risk analysis data.
Choosing a PCI Compliant Hosting Service
Choosing a PCI compliant web-hosting service can often be a challenging proposition. While some web-hosting providers clearly advertise PCI compliance as a marketable feature, many web-hosting providers are less forthcoming.
It is often necessary for merchants to contact potential hosting firms directly in order to verify whether PCI compliant hosting plans are available, and whether they meet the business's operational and budgetary demands. Smaller business operations, particularly those relying on budget-priced shared hosting plans, may find it necessary to partner with a third-party payment gateway service (such as PayPal) in order to achieve or maintain PCI compliance, as most shared hosting plans do not deliver the heightened security features necessary to meet PCI standards.
In most cases, business owners will need to consider VPS, cloud, or dedicated server hosting plans in order to achieve full and independent PCI compliance as outlined by the PCI-SSC.
PCI Compliant Hosting Frequently Asked Questions
What Is PCI?
PCI-DSS is an acronym for Payment Card Industry Data Security Standard, which is a set of security standards designed to ensure that all merchants that accept, process, or transmit credit card information maintain a secure data environment.
How Does PCI Compliance Impact My Business?
All businesses that accept credit or debit cards as payment are required to be compliant with the PCI security standards. Smaller online retailers can achieve PCI compliance by utilizing PCI compliant shopping cart applications or payment gateways. Larger operations, typically processing in excess of 20,000 credit card transactions per year, must meet specific compliance validation guidelines regarding their web servers and website design and payment processing applications.
How Do I Know If My Business Is PCI Compliant?
If your business stores, transmits, or otherwise processes credit card data, you must be PCI compliant. Business owners are required to complete an annual self-assessment demonstrating that their operation meets the PCI security standards. Larger enterprises must also undergo a quarterly automated scan of their websites and servers to verify compliance. These scans must be performed by an authorized scanning vendor.
Does an SSL Certificate Make My Business PCI Compliant?
No. SSL certificates provide a basic level of customer security and assurance by protecting data in transit, but they do not secure the web server itself from potential malicious attacks.
What If My Website Is Not PCI Compliant?
Businesses that fail to achieve compliance may be subject to punitive actions from credit card issuing companies. These actions can range from warnings and fines to the revocation of the business’ ability to process credit or debit card transactions.
What If I Refuse to Comply with PCI Standards?
PCI-DSS is not a law, merely a set of industry standards created by the major credit card brands. However, merchants that fail to comply with PCI-DSS may be subject to fines, increased processing fees, card replacement costs, forensic audits, and brand damage in the event of a breach or data compromise.