The Best PCI Compliant Hosting: Who's The Best For Your Site? [Updated: 2018]


PCI Compliance Hosting


What You'll Learn

Before committing to a hosting plan on the strength of "PCI compliance", you should know the answers to the questions below:

  • What do you, as a site owner, need to know about PCI compliance?
  • How is it achieved?
  • And who is responsible for achieving it?

You'll learn what PCI compliance is, what businesses are responsible for and how to find a trustworthy PCI-compliant web host.

You'll also receive my recommendations for PCI-compliant hosts.

Industry Payment Security Standards

The Payment Card Industry Data Security Standard (PCI-DSS) is a set of security standards designed and enforced by the Payment Card Industry Security Standards Council (PCI-SSC).

Forged through a coalition of the major credit and debit card issuing companies, including Visa, Mastercard, and American Express, these standards have been put in place to reduce credit card fraud and to ensure the secure processing, storage, and transmission of cardholder data by online merchants.


What Is PCI Compliance?

The PCI standards apply to every business that stores, processes, or transmits cardholder data, regardless of size or transaction volume; an e-commerce site that accepts cards is in scope from its first sale.

Failure to remain compliant with PCI standards can result in fines, increased card processing fees, or suspension of credit card processing privileges.

[Screenshot: PCI Security Standards Council's homepage, via WhoIsHostingThis.com]

Find The Best PCI Compliant Hosting For You

Top 10 results

  1. SiteGround, GoGeek plan. Support 5 stars, Features 5 stars, Uptime 5 stars, Value 4.5 stars; overall 5 stars from 1991 user reviews. Usual price: $14.95/mo.
  2. InMotion Hosting, VPS-2000 plan (150GB / 5TB). Support 4 stars, Features 4 stars, Uptime 4 stars, Value 4 stars; overall 4 stars from 551 user reviews. Usual price: $49.99/mo.
  3. WP Engine, Startup plan (10GB / 50GB). Support 4 stars, Features 4 stars, Uptime 4.5 stars, Value 3.5 stars; overall 4 stars from 42 user reviews. Usual price: $35.00/mo.
  4. HostPapa, Plus plan (50GB / 1TB). Support 4 stars, Features 4 stars, Uptime 4 stars, Value 4 stars; overall 4 stars from 385 user reviews. Usual price: $49.99/mo.
  5. GreenGeeks, EcoSite Starter plan. Support 4.5 stars, Features 4.5 stars, Uptime 4.5 stars, Value 4.5 stars; overall 4.5 stars from 350 user reviews. Usual price: $3.95/mo.
  6. GoDaddy.com, Online Store Website Builder plan. Support 2.5 stars, Features 3 stars, Uptime 3 stars, Value 3 stars; overall 3 stars from 585 user reviews. Usual price: $29.99/mo.
  7. LiquidWeb, 2 GB VPS plan (40GB / 10TB). Support 4.5 stars, Features 4.5 stars, Uptime 4.5 stars, Value 4.5 stars; overall 4.5 stars from 62 user reviews. Usual price: $59.00/mo.
  8. Cloudways, DO1GB plan (25GB / 1TB). Support 4.5 stars, Features 4.5 stars, Uptime 5 stars, Value 4.5 stars; overall 4.5 stars from 83 user reviews. Usual price: $10.00/mo.
  9. Shopify, Basic Shopify plan. Support 5 stars, Features 5 stars, Uptime 5 stars, Value 5 stars; overall 5 stars from 1 user review. Usual price: $29.00/mo.
  10. BigCommerce, Standard plan. Support 3 stars, Features 4 stars, Uptime 5 stars, Value 3 stars; overall 4 stars from 1 user review. Usual price: $29.95/mo.

All prices are billed monthly at the rate shown. Prices are approximate, based on current exchange rates; the host will likely charge you in USD, or at a different exchange rate.

Who's Responsible for PCI Compliance?

Responsibility for achieving and maintaining PCI compliance is shared by merchants, their web developers, and their web-hosting service providers, but it is not shared equally: the card brands and the acquiring bank hold the merchant accountable.

Each has a critical role to play in PCI compliance, though ultimately it falls to the merchant to ensure that their website and web-hosting provider meets the approved industry standards.


How do Businesses Achieve PCI Compliance?

PCI compliance is not something a business achieves once; it is validated on a schedule. Depending on the merchant's transaction volume (its merchant level, set by each card brand) and on how cards are accepted, validation consists of:

  1. An annual assessment. Most merchants complete a Self-Assessment Questionnaire (SAQ) published by the PCI Security Standards Council; the largest merchants must instead have an on-site assessment by a Qualified Security Assessor (QSA), who produces a Report on Compliance.
  2. Quarterly external vulnerability scans of the merchant's Internet-facing systems, including the website and the servers that host it, performed by an Approved Scanning Vendor (ASV). The scan is required by most SAQ types; the short SAQ A, for merchants who fully outsource card handling to a compliant provider, does not require it.

The two are complementary, not alternatives: a merchant that needs ASV scans must still complete the annual assessment.

Who Should Use the PCI Compliance Questionnaire?

The self-assessment questionnaire is for merchants who are not required to have an on-site assessment, which in practice means small and mid-sized businesses that do not have the resources to hire a QSA to evaluate their compliance with the PCI standards. Several SAQ versions exist, and the one a merchant qualifies for depends on how much of the card-handling it does itself: the less cardholder data touches your own systems, the shorter the questionnaire.

Ideally, businesses can spot and resolve security issues before a breach happens by working through the questionnaire.

[Image: cyberattacks on small business] The PCI Security Standards Council offers a number of actionable guides on its website. The guides offer action steps and hyperlinks for more information.

What are the Requirements for Achieving PCI Compliance?

According to the PCI Security Standards Council, there are 12 requirements (PDF) that must be met in order to achieve PCI compliance.

These can be broken down into six basic categories or security goals (see table below).

Who Is Responsible for Maintaining Compliance?

Some of these requirements are the responsibility of web-hosting providers, while others are the responsibility of merchants and their web developers and site designers.

However, in the final analysis, it always falls to the merchant to ensure that their hosting service, website developer, and third-party software vendors are PCI compliant.

Compliance Security Goals

The goals and requirements necessary to achieve PCI compliance include the following categories, which I've explained below.

Category: Build and Maintain a Secure Network and Systems (Requirements 1 and 2)
Responsible party: Largely the web-hosting provider for the network and operating-system layers; the merchant for any server it administers itself and for the application on top.
Security goals:

  • Install and maintain a firewall configuration that protects cardholder data, permitting only the traffic the business actually needs between the Internet, the web tier, and any system that holds card data.
  • Do not use vendor-supplied defaults for system passwords and other security parameters: change default credentials, remove unneeded accounts and services, and harden every system component before it goes live.

Category: Protect Cardholder Data (Requirements 3 and 4)
Responsible party: Shared, though the web-hosting provider should be at the forefront of secure storage and transmission, with physical and logical controls such as restricted access to servers and data centers and enforced authentication and authorization. The merchant decides what cardholder data is collected and where it is stored.
Security goals:

  • Protect stored cardholder data: store only what the business needs, render the primary account number (PAN) unreadable anywhere it is stored (strong encryption, truncation, or tokenization), mask it when displayed (at most the first six and last four digits), and never store sensitive authentication data such as the card verification code or PIN after authorization, even encrypted.
  • Encrypt cardholder data when it is transmitted over open or public networks, using strong cryptography; current TLS qualifies, SSL and early TLS no longer do.

Category: Maintain a Vulnerability Management Program (Requirements 5 and 6)
Responsible party: Primarily the web-hosting provider for the platform, but the merchant and its web development team own the application and everything they install on it.
Security goals:

  • Protect all systems against malware with anti-virus software that is kept current, by the merchant's IT team if the servers are self-managed or by the hosting provider if data is housed or processed on managed servers.
  • Develop and maintain secure systems and applications: apply security patches promptly as new vulnerabilities are identified, and build and change web applications in a way that avoids common flaws such as injection and cross-site scripting.

Category: Implement Strong Access Control Measures (Requirements 7, 8, and 9)
Responsible party: Largely the business owner and its web development team for logical access to data; the web-hosting provider for physical access.
Security goals:

  • Restrict access to cardholder data by business need to know; staff who do not need card data to do their job should not be able to see it.
  • Identify and authenticate access to system components: assign a unique ID to every user, protect stored credentials with strong cryptography, lock accounts after repeated failed logins, and require multi-factor authentication for administrative access.
  • Restrict physical access to cardholder data. This primarily applies to web-hosting providers, which should limit on-site access to their data centers to authorized personnel only.

Category: Regularly Monitor and Test Networks (Requirements 10 and 11)
Responsible party: Shared between the web-hosting provider and the merchant's web development team. Routine monitoring and testing are what turn a secure configuration into a secure system over time.
Security goals:

  • Track and monitor all access to network resources and cardholder data: logging systems should record user activity and access to stored data, be protected from tampering, and be reviewed regularly so that a breach or misuse is noticed rather than discovered by a card brand.
  • Regularly test security systems and processes: vulnerability scans, penetration tests, and integrity monitoring of critical files, so that a control that has silently stopped working is found before an attacker finds it.

Category: Maintain an Information Security Policy (Requirement 12)
Responsible party: Both web-hosting providers and the merchant and its developers. Each should have a well-defined security policy that sets out operational security procedures, acceptable use of technology, administrative tasks and safeguards, an incident response plan, and a documented risk assessment.
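The "protect stored cardholder data" and "track and monitor access" goals above meet in practice in application logs: a checkout that logs the full card number for debugging has just turned its log archive into cardholder storage. The following is an added example, not code from the original page, of a log scrubber that finds primary account numbers with a Luhn check and masks them to the first six and last four digits. The log lines and card numbers are constructed test data (the well-known 4111... and 5555... test numbers), not real cardholder data; the line format is assumed.

```python
"""Find and mask primary account numbers (PANs) in application log lines.

Added illustration, not code from the original page. SAMPLE_LOG below is
constructed test data using publicly known test card numbers.
"""
import re
from typing import List, Tuple

# A candidate PAN is 13-19 digits, optionally separated by single spaces
# or dashes, and not glued to other digits on either side.
_PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Constructed sample log lines (assumed format: timestamp level message).
SAMPLE_LOG = [
    "2018-06-12T10:14:03Z INFO checkout order=1000123456 card=4111111111111111 amount=49.99",
    "2018-06-12T10:14:05Z INFO checkout order=1000123457 card=5555 5555 5555 4444 amount=12.00",
    "2018-06-12T10:15:11Z DEBUG lookup phone=1234567890123456 user=alice",
]


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn check used by card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def _digits_only(candidate: str) -> str:
    return re.sub(r"[ -]", "", candidate)


def _is_pan(digits: str) -> bool:
    return 13 <= len(digits) <= 19 and luhn_valid(digits)


def find_pans(text: str) -> List[str]:
    """Return the digit-only PANs found in text (Luhn-valid, 13-19 digits)."""
    return [
        _digits_only(m.group(0))
        for m in _PAN_CANDIDATE.finditer(text)
        if _is_pan(_digits_only(m.group(0)))
    ]


def mask_pan(digits: str) -> str:
    """Keep the first six and last four digits, the most PCI DSS 3.3 permits to display."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def scrub_log_line(line: str) -> str:
    """Replace every Luhn-valid PAN in a log line with its masked form.

    Digit runs that fail the Luhn check (order numbers, phone numbers) are
    left untouched, which keeps the scrubber from destroying useful context.
    """
    def _sub(m) -> str:
        digits = _digits_only(m.group(0))
        return mask_pan(digits) if _is_pan(digits) else m.group(0)
    return _PAN_CANDIDATE.sub(_sub, line)


def scrub_log(lines: List[str]) -> Tuple[List[str], int]:
    """Scrub a whole log; return the clean lines and how many contained a PAN."""
    cleaned, hits = [], 0
    for line in lines:
        if find_pans(line):
            hits += 1
        cleaned.append(scrub_log_line(line))
    return cleaned, hits


if __name__ == "__main__":
    clean, hits = scrub_log(SAMPLE_LOG)
    print("%d of %d lines contained a PAN" % (hits, len(SAMPLE_LOG)))
    for line in clean:
        print(line)
```

Run it against a real log export to see whether your application is already storing cardholder data it did not mean to; if it finds anything, the fix belongs in the code that writes the log, with the scrubber as a safety net, not as the primary control.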

Server Security

So what does PCI compliance have to do with the web host?

Since your e-commerce site is going to handle transactions, hosting companies have an interest in keeping personal and financial information secure. Would you want to do business with a hosting company that had repeatedly suffered security breaches?

HTTPS and TLS Encryption

One of the major issues in processing card payments is keeping the connection between the customer's browser and the merchant encrypted. On the web this is done with HTTPS, which is HTTP carried over TLS (Transport Layer Security, the successor to SSL). The name "SSL" survives in hosting marketing, but SSL itself and early TLS (version 1.0) are no longer considered strong cryptography: the PCI Security Standards Council required merchants and service providers to migrate off them by 30 June 2018, so a host still offering them is not offering a compliant setup.

With HTTPS, an attacker on the network path cannot read the card number or the security code while it is in transit. It does nothing for the data once it reaches your server or database, and nothing against a server that has already been compromised, which is why transport encryption is one of the twelve requirements rather than the whole standard.

TLS (SSL) Certificates

Many providers include a TLS certificate with their hosting plans. A certificate binds the site's public key to its domain name, so the browser can be sure it is talking to the server that controls that domain and not to an impostor sitting in between. A standard domain-validated certificate says nothing about who the people behind the website are; only Extended Validation certificates carry a verified organization name, which browsers in 2018 display next to the padlock. You can inspect any HTTPS site's certificate by clicking the padlock in the address bar.
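What "the connection is encrypted" means depends entirely on client-side settings that are easy to switch off. The following is an added example, not code from the original page, that uses Python's standard ssl module to build a client context with the verification PCI DSS expects (certificate and host-name checks on, nothing below TLS 1.2), places it beside the "make the warning go away" configuration that accepts any certificate, and audits both. The probe() function opens a real connection and is only invoked when a host name is passed on the command line; its output format is an assumption of this example.

```python
"""Client-side TLS policy check: verification settings PCI DSS expects
versus the shortcuts that quietly defeat them.

Added illustration, not code from the original page. probe() needs network
access and only runs when a host name is given on the command line.
"""
import socket
import ssl
import sys
from typing import Dict, List


def hardened_client_context() -> ssl.SSLContext:
    """Verify the server certificate against the system trust store, check
    the host name, and refuse SSLv3 / TLS 1.0 / TLS 1.1 (PCI DSS required
    migrating off SSL and early TLS by 30 June 2018)."""
    ctx = ssl.create_default_context()   # CERT_REQUIRED and check_hostname=True
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def weak_client_context() -> ssl.SSLContext:
    """The common fix for 'certificate verify failed': accept any certificate
    from anyone. The traffic is still encrypted, but to whoever answers, so a
    machine-in-the-middle on the path can read every card number."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False           # must be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def audit_context(ctx: ssl.SSLContext) -> List[str]:
    """Return policy findings for a context; an empty list means it passes."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("certificate verification disabled")
    if not ctx.check_hostname:
        findings.append("host name check disabled")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("allows SSL/early TLS (minimum %s)" % ctx.minimum_version.name)
    return findings


def probe(host: str, port: int = 443, timeout: float = 5.0) -> Dict[str, object]:
    """Connect with the hardened context and report what was negotiated.

    A handshake failure here means a correctly configured browser or payment
    gateway client would fail against this server in the same way.
    """
    ctx = hardened_client_context()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            cert = tls.getpeercert()
            return {
                "protocol": tls.version(),
                "cipher": tls.cipher()[0],
                "subject": dict(pair[0] for pair in cert["subject"]),
                "not_after": cert["notAfter"],
            }


if __name__ == "__main__":
    for name, ctx in (("hardened", hardened_client_context()),
                      ("weak", weak_client_context())):
        print("%-8s %s" % (name, audit_context(ctx) or "OK"))
    if len(sys.argv) > 1:
        print(probe(sys.argv[1]))
```

The same three properties are what to look for in any code that calls a payment gateway from your server: an integration that sets verify=False, or its equivalent, has removed the only thing that distinguishes the gateway from an attacker with the same IP route.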

End-To-End Payment Protection

Having an SSL certificate is not enough to achieve PCI compliance. The entire chain of payment processing, going from card handling to the physical servers themselves, has to be PCI-DSS compliant.

Physical Access Protections

Security also means physical security. A random person shouldn't be able to walk into a data center and start messing with one of the server racks.

Larger hosts have secure datacenters, where the server racks are kept under lock and key. Many of them have strict rules enforced by measures like key cards on who can be in a data center at all.

Other Security Considerations

Besides PCI-DSS, depending on the business you're in, you have to keep up with other security and privacy standards and laws.

For example, if you're in the US and you deal with health data in any way, you're subject to HIPAA (the Health Insurance Portability and Accountability Act). You have to make sure that this data won't fall into the wrong hands, whether through an employee disclosing it or through a laptop that is left somewhere and stolen with the data on it.

ALERT: Don't rely on a web host to know which security requirements are important for the industry that you serve.

Employee Training

The moral of the story is that for all the standards, laws, technology, and encryption, the human element is still the weakest link in security.

While implementing PCI-DSS, you should train your employees that they have to be vigilant about security and can't just rely on the software and web hosting to keep your data integrity safe.


How to Choose a PCI-Compliant Hosting Service

Choosing a PCI compliant web-hosting service can often be a challenging proposition. While some web-hosting providers clearly advertise PCI compliance as a marketable feature, many web-hosting providers are less forthcoming.

Here are the steps involved in searching for a web host that offers PCI compliance:

  1. If a host's plans don't specify compliance, ask.
  2. If your budget requires a cheap shared hosting plan, see if the host offers payment gateways.
  3. Consider a large hosting company.
  4. Consider site builders with e-commerce options.
  5. Consider paying a bit more for hosting.

Let's go into a bit more detail on each of these steps.

When in Doubt, Ask Web Hosts About PCI Compliance

It is often necessary for merchants to contact potential hosting firms directly in order to verify whether PCI-compliant hosting plans are available and whether they meet the business's operational and budgetary demands. Ask specifically which of the twelve requirements the host covers and which remain yours; a reputable host will have a responsibility matrix and an Attestation of Compliance it can show you.

Use a Payment Gateway, If Necessary

Smaller business operations, particularly those relying on budget-priced shared hosting plans, may find it necessary to partner with a third-party payment gateway service (such as PayPal) in order to achieve PCI compliance.

Most shared hosting plans do not deliver the security controls necessary to meet PCI standards on their own, so the practical route is to keep card data off your server entirely: redirect the customer to the gateway's hosted payment page, or embed the gateway's hosted form fields, so that the card number is entered into the gateway's systems and never passes through yours. That reduces your own scope to the shortest self-assessment questionnaire and leaves the hard requirements with a provider that is assessed for them.

[Screenshot: PayPal's PCI information page, via WhoIsHostingThis.com]

Bigger Hosts Are A Good Choice for PCI Compliance

The choice of hosting provider also affects PCI compliance. Larger providers will have more resources to ensure Payment Card Industry Data Security Standard (PCI-DSS) compliance.

Larger hosting providers are more likely to:

  1. Offer TLS (SSL) certificates,
  2. Keep up with software updates, and
  3. Either perform the self-assessment questionnaires themselves or afford the quarterly ASV scans.

Look for E-Commerce Features and Site Builders

Some of these hosts offer payment processing and e-commerce features, often through site builders.

These can provide attractive alternatives for businesses to rolling their own PCI-compliant payment processing systems.

[Screenshot: Shopify's PCI information page, via WhoIsHostingThis.com]

Consider Higher-Tier Hosting Plans

In most cases, business owners will need to consider VPS, Cloud, or dedicated server hosting plans in order to achieve full and independent PCI compliance as outlined by the Payment Card Industry Security Standards Council (PCI-SSC).

"As we do more and more of our business online, and as criminals realize the value of the data that organizations are protecting, we're seeing more big-name breaches, more high-profile breaches," -Mark Nunnikhoven, VP Cloud Research, Trend Micro, in an interview with CNN.

PCI Compliant Hosting Frequently Asked Questions

  • What Is PCI?

    PCI stands for Payment Card Industry. PCI DSS, the Payment Card Industry Data Security Standard, is the set of security requirements designed to ensure that all merchants and service providers that accept, process, store, or transmit cardholder data maintain a secure environment for it.

  • How Does PCI Compliance impact my business?

    All businesses that accept credit or debit cards as payment are required to comply with the PCI security standards. Smaller online retailers can reduce their compliance burden to a short self-assessment by using PCI-compliant shopping cart applications or hosted payment gateways that keep card data off their own systems. Larger operations, typically processing in excess of 20,000 credit card transactions per year, must meet more specific validation requirements covering their web servers, website design, and payment processing applications.

  • How do I know if my business is PCI compliant?

    If your business stores, transmits, or otherwise processes credit card data you must be PCI compliant. Business owners are required to complete an annual self assessment demonstrating that their operation meets the PCI security standards. Larger enterprises must also undergo a quarterly automated scan of their websites and servers to verify compliance. These scans must be performed by an authorized scanning vendor.

  • Does an SSL Certificate make my business PCI compliant?

    No. A TLS (SSL) certificate secures the connection between the customer's browser and your server, which is one of the twelve requirements; it does nothing to secure the web server itself, the stored data, or the application code against attack.

  • What if my website is not PCI compliant?

    Businesses that fail to achieve compliance may be subject to punitive actions from credit card issuing companies. These actions can range from warnings and fines to the revocation of the business’ ability to process credit or debit card transactions.

  • What if I refuse to comply with PCI standards?

    PCI-DSS is not a law, merely a set of industry standards created by the major credit card brands. However, merchants that fail to comply with PCI-DSS may be subject to fines, increased processing fees, card replacement costs, forensic audits, and brand damage in the event of a breach or data compromise.
