Trusted By Over 15,000 Businesses
Payment Card Industry (PCI) hosting is a type of web hosting service using datacenter infrastructure provided by managed service providers (MSPs) which is PCI-ready. In this case, PCI-ready means the MSP follows the rules and guidelines laid out by payment card providers to enforce the data security standards expected to secure clients’ payment card data. These rules were designed to defend against the theft of debit and credit card numbers and merchant information, as well as prevent fraudulent transactions and credit card cloning in the retail sector. PCI data standards are recognised worldwide and thus, internationally, organizations that handle bankcard transactions online must use PCI hosting providers who meet the strict requirements of the payment card industry (or maintain PCI compliance on their own, if hosting internally).
PCI hosting enables clients or merchants to apply for PCI Data Security Standard (DSS) compliance, which is essential for any business that accepts any type of payment card such as American Express, Visa, JCB, or MasterCard. PCI compliance was introduced in 2004 to provide a unified framework for improving security and reducing the threat of data breaches for all card providers. PCI-ready hosting providers can adhere to the security controls defined by the Security Standards Council (SSC); these standards create a set of rules which must be complied with in order to gain the PCI compliance certification, and these rules apply to everyone who wishes to take card payments.
There are 12 standards which make up the PCI Data Security Standard, and PCI ready hosting providers must meet these standards for the client to be able to apply and pass PCI DSS compliance certification. These standards primarily focus on the securing of an infrastructure provider’s physical network, employees and secure business processes.
All data networks (physical and wireless) must be secured with firewalls, which are regularly maintained with software updates and have a valid access control management process. The firewalls are managed by a specialist network team, who manage and restrict traffic from untrusted networks. All vendor-supplied hardware default passwords are changed and then hardened with complex secure passwords and strong cryptography (SSL/TLS Certificates).
The Managed Service Provider must do everything possible to protect cardholder data, working with clients to ensure that only the data that is needed is digitally stored, and that any data that is retained is masked and protected. PCI hosting providers will secure server hardware both physically and within the Operating System by ensuring the server infrastructure is protected from vulnerabilities. This includes regular patch management and anti-virus definition updates.
Strong access control measures are implemented to restrict unnecessary physical access to data center operations. PCI hosting providers also restrict logon access to the server environment. This can be achieved via two-factor authentication and will add greater protection to the servers that host the payment card information. Limiting access to those on a need-to-know basis enables hosting providers greater auditing control. This is further enhanced by ensuring all users have unique IDs which are protected with complex, regularly changed passwords.
PCI requirements only apply to the cardholder data environment (CDE); they do not apply to a client’s entire infrastructure. Usually the CDE is an isolated network segment, but this does mean that any data transmitted externally is encrypted. The MSP is responsible for documenting, updating and consistently monitoring and testing PCI ready processes to ensure the best practices requirements are followed and adhered to. This is done by implementing a PCI Hosting security policy and conducting regular vulnerability testing.
Looking for a Hosting Solution?
We Provide Cloud, Dedicated, & Colocation.
Contact an advisor at 888-618-DATA (3282) or fill out the form below.
© 2019 Atlantic.Net, All Rights Reserved.