Choosing a PCI Compliant Hosting Service for your Ecommerce Site
Developed by the major card brands to curb payment card fraud, the Payment Card Industry Data Security Standard (PCI DSS) is a set of security requirements maintained by the Payment Card Industry Security Standards Council (PCI SSC) and enforced by the card brands and acquiring banks. It defines baseline controls for protecting cardholder data wherever it is stored, processed or transmitted, including in online transactions.
PCI DSS applies to any company, organization or merchant that accepts, processes, transmits or stores debit or credit card data. Non-compliance can result in fines passed on by the acquiring bank, higher transaction fees, liability for fraud losses after a breach and, ultimately, loss of the ability to accept card payments at all.
What are the PCI requirements and whose job is it to meet them?
To achieve PCI compliance, the 12 requirements of the standard have to be met. They are usually grouped into six security goals, and responsibility for meeting them is shared between the merchant and its hosting provider (and any other service provider that touches card data). A merchant running an online store therefore has to confirm that the hosting provider and every third-party software or payment vendor in the card-data flow is itself PCI DSS compliant, and should agree in writing which requirements each party covers, because anything not covered by a provider remains the merchant's responsibility.
How compliance is validated depends on the merchant level, which the card brands assign by annual transaction volume. Most small and mid-size merchants validate with an annual Self-Assessment Questionnaire (SAQ) published by the PCI SSC and, for most SAQ types, quarterly external vulnerability scans of their internet-facing systems by an Approved Scanning Vendor (ASV). The highest-volume merchants (Level 1) instead need an annual on-site assessment by a Qualified Security Assessor (QSA), documented in a Report on Compliance.
The six categories of PCI requirements, and how responsibility for them typically falls between your e-commerce site and your hosting provider, are –
- Maintaining an information security policy – shared between the hosting company and the merchant's own staff; each party needs a policy covering the systems and people it controls.
- Implementing strong access control measures – mostly the merchant's responsibility: restricting access to cardholder data on a need-to-know basis, giving every user a unique ID with strong authentication, and controlling physical access. The host is responsible for access to the underlying infrastructure.
- Maintaining a vulnerability management program – primarily the hosting provider's responsibility for the operating system and platform (patching, anti-malware), while the merchant remains responsible for keeping its own application code and third-party components patched.
- Regularly monitoring and testing networks – routine logging and log review, vulnerability scanning and penetration testing are necessary to verify that security controls keep working. This is shared between the merchant and the host.
- Protecting cardholder data – the hosting company should provide secure storage and encrypted transmission, but the merchant decides what card data is stored at all, for how long, and whether it can be kept out of its own systems entirely. Sensitive authentication data (full magnetic stripe, CVV2, PIN) must never be stored after authorization, whoever runs the server.
- Building and maintaining a secure network and systems – this covers installing and maintaining firewalls that restrict traffic to and from the cardholder data environment, and never leaving vendor-supplied defaults (default passwords, sample accounts, unneeded services) on any system component. It is the responsibility of both merchants and hosting providers.
How to choose a PCI compliant hosting service provider
Some web-hosting companies openly advertise PCI compliance since it is a marketable feature; many are less forthcoming, which makes choosing a compliant provider harder than it should be. Keep in mind that a provider's own compliance covers only the services it operates: it does not make your site compliant.
Always contact a prospective host to ask whether it offers PCI-compliant plans, request its current Attestation of Compliance (AOC) as evidence, and check that the plan meets your operational and budgetary needs. If you run a small online business and are considering a shared hosting plan, use a third-party payment gateway that handles card entry on its own pages (a hosted payment page or iframe) so that card data never passes through your server. This drastically reduces your risk exposure and the effort needed to achieve and maintain compliance, since most shared hosting plans cannot provide the isolation PCI DSS requires, and keeping card data off your systems makes you eligible for the shortest self-assessment questionnaire (SAQ A).
How to choose a PCI compliant third-party payment gateway service
These third-party service providers directly process, store and transmit cardholder data on your behalf. Choose one that has completed a Level 1 service provider assessment, that is, an annual on-site assessment by a Qualified Security Assessor (QSA). To verify this, ask the provider for its current Attestation of Compliance (AOC) and confirm that the specific services you will use are within the assessed scope, or look the provider up in the Visa Global Registry of Service Providers and Mastercard's list of SDP-compliant service providers.
Choosing a PCI-compliant hosting service is important, but it does not make your site compliant on its own. Your website and your own processes must also meet the requirements that fall to you, and you validate this yourself: through the annual SAQ, quarterly ASV scans of your internet-facing systems where your SAQ type requires them, and, for Level 1 merchants, an on-site assessment by a QSA.