What Is PCI-Compliant Hosting?

PCI DSS stands for Payment Card Industry Data Security Standard — the criteria your e-commerce site must meet to protect cardholder data. If you’re selling online, PCI compliance is non-negotiable. But not all web hosting companies can do the job.

Hosting providers tell you which plans are PCI compliant, so you can ignore those that aren’t. You may need to select a larger hosting company and a higher-tier plan.

Key takeaways:

• What site owners need to know about PCI compliance
• How PCI compliance is achieved
• Who is responsible for achieving compliance

What Are Industry Payment Security Standards?

PCI DSS is a set of security standards designed and enforced by the Payment Card Industry Security Standards Council (PCI SSC). Forged through a coalition of major credit and debit card issuing companies, including Visa, Mastercard, and American Express, these standards have been implemented to reduce credit card fraud. They also ensure online merchants’ secure processing, storage, and transmission of cardholder data.

What Is PCI Compliance?

The PCI standards apply to all e-commerce businesses, regardless of size or sales volume. Failure to comply with PCI standards can result in fines, increased card processing fees, or suspension of credit card processing privileges.

Who’s responsible for PCI compliance?

Merchants, web developers, and web-hosting service providers share responsibility for achieving and maintaining PCI compliance. Each has a critical role, though ultimately, it falls to the merchant to ensure its website and web-hosting provider meet the approved industry standards.

Businesses must undergo a rigorous vetting process to achieve PCI compliance. This process consists of two options. One is a quarterly automated scan of their website and hosted servers by an authorized scanning vendor. The other is an annual self-assessment questionnaire prepared by the PCI SSC.

Who should use the PCI compliance questionnaire?

The questionnaire is more appropriate for small businesses that don’t have the resources to hire outside assessors to evaluate a firm’s compliance with the PCI standards. Ideally, businesses can spot and resolve security issues before a breach happens by working through the questionnaire.

What are the requirements for achieving PCI compliance?

According to the PCI SSC, 12 requirements must be met to achieve PCI compliance. These can be broken down into six basic categories or security goals.

Who is responsible for maintaining compliance?

Some requirements are the responsibility of web-hosting providers, while others are the responsibility of merchants and their web developers and site designers. But in the final analysis, it always falls to the merchant to ensure its hosting service, website developer, and third-party software vendors are PCI compliant.

Compliance Security Goals

The goals and requirements necessary to achieve PCI compliance include the following categories, which we’ll explain below.

Building and maintaining a secure network

This is largely the web hosting provider’s responsibility.

Security goals:

• Installation and maintenance of a firewall to create a secure private network
• Creating, maintaining, and updating system passwords that meet or exceed industry standards

Protecting cardholder data

This is a shared responsibility, though the web-hosting provider should be at the forefront of the secured storage and transmission of all sensitive data.

Security goals:

• Web-hosting providers must utilize a secure data protection model that combines multiple layers of physical and virtual defense procedures. These include restricting access to servers and data centers as well as enforced authentication of passwords and authorization protocols
• Cardholder data, including validation codes and PINs, must be encrypted when transmitted over an open or public network

Maintaining a vulnerability management program

The responsibility applies primarily to web-hosting service providers. However, attention to security vulnerabilities should also command the attention of merchants and their web development team.

Security goals:

• Anti-virus software must be regularly updated, either by the merchant’s IT team if its servers are self-managed or by the hosting provider if data is housed or processed on outsourced or managed servers
• Web-hosting service providers are expected to routinely monitor and update their systems to combat newly identified security vulnerabilities

Implementing strong access control measures

Responsible party:

This one aspect of PCI compliance is largely the responsibility of the business owner and its web development team as it addresses data security on a more localized level.

Security goals:

• Restrict access to cardholder data to authorized personnel only
• Assign unique IDs to staff members with access to sensitive data using best practices for password encryption, authentication, and login limits
• Restrict physical access to cardholder data — this primarily applies to web-hosting providers, which should limit on-site access to their data centers to authorized personnel only

Regularly monitor and test networks

This is shared responsibility between web-hosting providers and the merchant’s web development team.

Security goals:

• Access to network resources and cardholder data should be regularly monitored for possible security breaches or vulnerabilities. Logging systems should track user activity and access to stored archives
• Web-hosting service providers should routinely test and monitor security systems and processes to ensure the continued safety of sensitive data

Maintaining an information security policy

Both web hosting services and web developers need well-defined security policies that outline:

• Operational security procedures
• Acceptable uses of technology
• Basic administrative tasks and safeguards
• Detailed risk analysis data

Server Security

Since your e-commerce site handles transactions, hosting companies are interested in keeping personal and financial information secure. Would you want to do business with a hosting company that has repeatedly suffered security breaches?

HTTP and SSL encryption

One of the major issues surrounding processing credit card payments is keeping the connection between a user and a merchant encrypted through HTTPS and SSL encryption. With HTTPS, an attacker can’t see the credit card number or the security number on the card.

SSL certificates

Many providers offer SSL certificates as part of their hosting plans. These certificates prove the people behind the website are who they say they are. You can see them when you click on the padlock on an HTTPS site in the URL bar. Most hosting providers offer shared SSL certificates, which are acceptable in many cases. For many ecommerce merchants, however, upgrading to a private SSL certificate may be necessary.

End-to-End Payment Protection

Having an SSL certificate is insufficient to achieve PCI compliance. The entire chain of payment processing, going from card handling to the physical servers themselves, has to be PCI DSS compliant.

Physical access protections

Security also means physical security. A random person shouldn’t be able to walk into a data center and start messing with one of the server racks. Larger hosts have secure data centers, where the server racks are kept under lock and key. Many have strict rules enforced by measures like key cards on who can be in a data center.

Other Security Considerations

Depending on your business, you must keep up with other security and privacy standards and laws. For example, if you’re in the U.S. dealing with health data in any way, you’re subject to HIPAA (Health Insurance Portability and Accountability Act).

You have to ensure this data won’t fall into the wrong hands by employees disclosing it or having data left on a laptop somewhere where it can be stolen. Don’t rely on a web host to know which security requirements are important for your industry.

Employee training

The human element is still the weakest link in security. While implementing PCI DSS, it is essential to limit all access to sensitive data only to those who require it. In addition, it is best to train your employees to be vigilant about security and not rely on software and web hosting to keep your data integrity safe.

How Do You Choose a PCI-Compliant Hosting Service?

Choosing a PCI-compliant web-hosting service can often be challenging. While some web-hosting providers advertise PCI compliance as a marketable feature, many are less forthcoming. Follow these steps for the smoothest process.

When in doubt, ask web hosts about PCI compliance

Contact potential hosting firms directly to verify if PCI-compliant hosting plans are available and if they meet your business’s operational and budgetary demands.

Use a payment gateway, if necessary

Smaller business operations, particularly those relying on budget-priced shared hosting plans, may need to partner with a third-party payment gateway service (such as PayPal) to ensure PCI compliance.

Since most shared hosting plans do not deliver the heightened security features necessary to meet PCI standards, you might want to take advantage of e-commerce features their hosts offer.

Bigger hosts are a good choice for PCI compliance

The choice of hosting provider also affects PCI compliance. Larger providers will have more resources to ensure compliance and are more likely to offer SSL certificates and keep up with software updates. They either perform the self-assessment questionnaires themselves or can afford the quarterly assessment.

Look for e-commerce features and site builders

Some hosts offer payment processing and e-commerce features, often through site builders. For small businesses especially, these can provide attractive alternatives to managing their PCI-compliant payment processing systems.

Consider higher-tier hosting plans

In most cases, business owners must consider VPS, Cloud, or dedicated server hosting plans to achieve full and independent PCI compliance as outlined by the PCI SSC.