What is PCI Hosting?
Payment Card Industry (PCI) hosting is a web hosting service built on datacenter infrastructure, provided by web hosting companies and managed service providers (MSPs), that is PCI-ready. In this case, PCI-ready means the MSP follows the rules and guidelines laid out by the payment card providers to enforce the data security standard (PCI DSS) expected to secure clients' payment card data.

These rules were designed to defend against the theft of debit and credit card information and merchant information, as well as to prevent fraudulent transactions and credit card cloning in the retail sector. PCI data standards are recognised worldwide, so organizations anywhere that handle bankcard transactions online must use PCI compliant hosting providers who meet the strict requirements of the payment card industry (or maintain PCI compliance on their own, if hosting internally).
PCI compliant hosting enables clients or merchants to apply for PCI Data Security Standard (PCI DSS) compliance, which is essential for any business that accepts any type of payment card such as American Express, Visa, JCB, or MasterCard. PCI compliance was introduced in 2004 to provide a unified framework for improving security and reducing the threat of data breaches for all card providers. PCI-ready hosting providers adhere to the security controls defined by the Security Standards Council (SSC); these standards form a set of rules which must be complied with in order to gain PCI compliance certification, and these rules apply to everyone who wishes to take card payments.
There are 12 requirements which make up the PCI Data Security Standard (PCI DSS) defined by the Security Standards Council, and PCI-ready hosting providers must meet them for the client to be able to apply for and pass PCI DSS compliance certification. These requirements primarily focus on securing an infrastructure provider's physical network, its employees and its business processes.
All data networks (wired and wireless) must be secured with firewalls, which are regularly maintained with software updates and governed by a valid access control management process. The firewalls are managed by a specialist network team, who manage and restrict traffic from untrusted networks. All vendor-supplied hardware default passwords are changed to complex, secure passwords, and strong cryptography (SSL/TLS certificates) is used to protect data in transit.
Managed service providers and web hosting companies must do everything possible to protect cardholder data, working with clients to ensure that only the data that is needed is stored digitally and that any data retained is masked and protected. PCI compliant hosting providers secure server hardware both physically and within the operating system by ensuring the server infrastructure is protected from vulnerabilities. This includes regular patch management and anti-virus definition updates.
Strong access control measures are implemented to restrict unnecessary physical access to data center operations. PCI compliant hosting providers also restrict logon access to the server environment. This can be achieved via two-factor authentication, which adds greater protection to the servers that host the payment card information. Limiting access to those with a need to know gives a web hosting provider greater auditing control. This is further enhanced by ensuring all users have unique IDs which are protected with complex, regularly changed passwords.
PCI requirements only apply to the cardholder data environment (CDE); they do not apply to a client's entire infrastructure. Usually the CDE is an isolated network segment, which does mean that any data transmitted outside it must be encrypted. MSPs and web hosting companies are responsible for documenting, updating, and consistently monitoring and testing PCI-ready processes to ensure that best-practice requirements are followed. The web hosting provider does this by implementing a PCI hosting security policy and conducting regular vulnerability testing.
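The hardening and access controls described above (firewall isolation of the CDE, changed vendor defaults, encryption of data leaving the segment, unique user IDs, two-factor logon and regularly changed passwords) can be checked mechanically against an asset inventory. The script below is an added example, not code from the original page or from any hosting provider; the inventory fields, the 90-day rotation interval and the sample hosts are constructed assumptions.

```python
from dataclasses import dataclass, field
from datetime import date

MAX_PASSWORD_AGE_DAYS = 90  # assumed rotation interval; the page only says "regularly changed"
AUDIT_DATE = date(2024, 6, 1)  # constructed "today" for the sample run below

@dataclass
class Account:
    user_id: str
    mfa_enabled: bool
    last_rotated: date
    shared: bool = False  # True when several people log on with this ID

@dataclass
class Host:
    name: str
    in_cde: bool                   # PCI requirements apply only to the CDE
    firewall_segmented: bool       # isolated behind the managed firewall
    external_tls_only: bool        # data leaving the segment goes over TLS only
    vendor_defaults_changed: bool  # vendor-supplied default passwords replaced
    accounts: list = field(default_factory=list)

def audit_host(host: Host, today: date) -> list:
    """Return the findings for one host; an empty list means every check passed."""
    if not host.in_cde:
        return []  # outside the CDE: out of scope, nothing to report
    findings = []
    if not host.firewall_segmented:
        findings.append("not isolated behind the managed firewall")
    if not host.external_tls_only:
        findings.append("external transmission allowed without TLS")
    if not host.vendor_defaults_changed:
        findings.append("vendor-supplied default passwords still in place")
    for acct in host.accounts:
        if acct.shared:
            findings.append(f"{acct.user_id}: shared ID, each user needs a unique ID")
        if not acct.mfa_enabled:
            findings.append(f"{acct.user_id}: logon without two-factor authentication")
        if (today - acct.last_rotated).days > MAX_PASSWORD_AGE_DAYS:
            findings.append(f"{acct.user_id}: password older than {MAX_PASSWORD_AGE_DAYS} days")
    return findings

# Constructed sample inventory: a compliant CDE host, a failing one, and one outside the CDE.
SAMPLE_HOSTS = [
    Host("pay-db-01", True, True, True, True, [Account("alice", True, date(2024, 5, 1))]),
    Host("pay-web-02", True, False, True, False,
         [Account("ops-shared", False, date(2023, 11, 1), shared=True)]),
    Host("blog-www", False, False, False, False),
]
```

Running `audit_host` over `SAMPLE_HOSTS` with `AUDIT_DATE` reports nothing for the compliant host and the out-of-scope host, and five findings for `pay-web-02`.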