- Maintain a list of service providers (12.8.1).
Keep a current list of vendors and update it whenever you sign with a new provider or end a contract. This can help you keep tabs on your service providers’ audit record for verification of ongoing compliance.
- Maintain a written agreement with acknowledgement that service providers are responsible for the security of any cardholder data they possess (12.8.2).
Check your contract for certain key components, such as:
- If there’s a data breach on your server, what’s the timeframe and process in which your PCI hosting provider should notify you?
- How long should data be retained after your contract expires, and how should it be deleted?
- Who owns your data, and who has the right to access it?
- Ensure there is an established process for engaging service providers, including proper due diligence prior to engagement (12.8.3).
You can satisfy this sub-requirement by creating an internal procedure document or checklist that helps your company qualify a vendor's ability to provide a PCI-compliant data center and hosting services. Due diligence in the vendor selection process saves time and headaches later. Make a note to check your hosting provider's PCI audit report for the full scope of its compliance, and to assess what your company still needs to cover for your own compliance.
- Maintain a way to monitor service provider’s PCI compliance status at least once a year (12.8.4).
Create a process to verify your hosting provider's ongoing PCI compliance status on a regular schedule: assign a point of contact to analyze its audit reports and to keep in touch with the hosting provider's security officer to confirm the dates of compliance.
Avoid penalties from the major card issuers and protect your customers' cardholder data with these simple due-diligence steps when selecting and working with a third-party, PCI-compliant hosting provider. Taking advantage of the provider's audit report and attestation of PCI compliance can save you time and money if you first invest in carefully qualifying that provider.
Looking for more information on PCI hosting requirements, recommendations, and the foundation of a secure PCI compliant data center? 