The Payment Card Industry Data Security Standard (PCI DSS) outlines the minimum security standards for merchants, hosting providers, and other organizations that store, process, or transmit credit card data. The standards are written and managed by the Payment Card Industry Security Standards Council, which comprises the major credit card providers, including Mastercard, Visa, and American Express.
If your business takes credit card payments, its infrastructure and software must comply with the PCI DSS. Compliance is mandatory, even if your organization uses a third-party payment processor. Organizations that take credit card payments without complying can be banned from accepting payments or issued monthly fines until they comply.
PCI Compliance Requirements
The standards are grouped into six categories, each expressing a security goal the merchant must meet. Together they contain 12 requirements.
- Build and maintain a secure network
  - Install and maintain a firewall configuration to protect cardholder data.
  - Do not use vendor-supplied defaults for system passwords and other security parameters.
- Protect cardholder data
  - Protect stored cardholder data.
  - Encrypt transmission of cardholder data across open, public networks.
- Maintain a vulnerability management program
  - Use and regularly update anti-virus software or programs.
  - Develop and maintain secure systems and applications.
- Implement strong access control measures
  - Restrict access to cardholder data by business need-to-know.
  - Assign a unique ID to each person with computer access.
  - Restrict physical access to cardholder data.
- Regularly monitor and test networks
  - Track and monitor all access to network resources and cardholder data.
  - Regularly test security systems and processes.
- Maintain an information security policy
  - Maintain a policy that addresses information security for employees and contractors.
As you can see, the standards mandate high-level requirements. They tell you what the security goals are, but not how to achieve them. The implementation of specific data-security protections is the responsibility of the organization that takes credit card payments and the third-party service providers they use.
But it is not enough to implement the standards. Organizations must be able to demonstrate that they are compliant. There are several ways to demonstrate compliance. The right one for your organization depends on the number of credit card transactions it processes in a year. The number of transactions determines the “level” of the organization.
Level 1, 2, and 3 merchants – those that process fewer than 6 million credit card transactions each year – can use a Self-Assessment Questionnaire (SAQ). The SAQ is a series of questions that service providers and merchants can answer for themselves. The SAQ also includes an Attestation of Compliance that eligible organizations can use to demonstrate they have carried out a self-assessment.
Organizations that process over 6 million card transactions a year – Level 1 Merchants – must complete a Report on Compliance through a third-party qualified security assessor (QSA).
All organizations must also complete an internal and external network scan at least quarterly. Organizations can carry out their own internal scans, but external scans should be carried out by an Approved Scanning Vendor.
How Does PCI-Compliant Hosting Work?
Many businesses that need to comply with PCI DSS don’t have the expertise to achieve compliance on their own. It can also be costly to build compliant systems from scratch.
Third-party PCI-compliant server hosting providers such as ServerMania have the expertise and infrastructure to help businesses achieve compliance more easily and cost-effectively.
In practical terms, that means we take care of the physical security of our data centers and networks, network security, and many aspects of server security. All of our operations, including data centers and networks, are designed to comply with PCI DSS.
Although PCI-compliant server hosting is primarily used by ecommerce businesses, it is also a useful service for other businesses. Any organization that stores, processes, or transmits credit card numbers and associated data benefits from an established hosting platform with built-in compliance, including SaaS platforms and other hosting businesses that specialize in offering PCI-compliant ecommerce services built on our servers.
The Division of Responsibilities in PCI-Compliant Hosting
It’s important to understand that PCI DSS compliance is a shared responsibility. A PCI-Compliant hosting provider can help your business to comply quickly and at a much lower cost, but it cannot guarantee compliance.
Many of the requirements are the responsibility of the individual merchant, not the PCI-compliant hosting provider, including maintaining an information security policy and assigning unique IDs to users.
How to choose a PCI-Compliant Hosting Partner
It can be difficult for businesses to find PCI-compliant hosting. Server hosting companies are often reluctant to guarantee that their service is PCI DSS compliant. And, even if a hosting provider does advertise as PCI compliant, there is no way for the merchant to verify that.
Merchants are responsible for ensuring that credit card details are processed securely and in compliance with the standards. In addition to complying themselves, they must also ensure that any third-party services they use also comply. After all, it’s the merchant that will be fined for non-compliance and security leaks, not the third-party host.
Merchants should look for server hosting providers, as opposed to shared hosting providers, that have experience managing servers securely. Once you have identified a potential host, talk to their sales advisors with the following questions in mind.
- What does the hosting provider do to maintain compliance? A knowledgeable hosting provider will be happy to walk you through their physical, network, and data security configuration.
- What is the division of responsibility between the hosting provider and the merchant? Hosting providers may offer managed services and additional security features that help merchants to comply more easily.
- Can the host provide third-party certification of PCI DSS compliance?
When you are satisfied that the hosting provider can help your business to comply, be sure to look at the other features of their hosting service. Pay particular attention to server and network performance, managed services, and support quality. Support is particularly important.
If your business ever fails a Quarterly Network Scan, you want to be confident that your hosting provider will respond to issues in good time.
Merchants are responsible for ensuring that they process credit card data in compliance with PCI DSS. PCI-compliant hosting is a low-cost and low-complexity alternative to building secure infrastructure in-house. With PCI-compliant hosting, your ecommerce store, SaaS app, or mobile app back-end will be up, running, and compliant more quickly and, with the help of an expert hosting provider, more reliably than if you go it alone.
To learn more about PCI-compliant hosting from Server Mania, book a free consultation with us today.