Hosting providers that store, process, or transmit cardholder data must comply with the Payment Card Industry Data Security Standard. Even a provider that does not itself handle card data, but whose customers do, may need to meet PCI DSS requirements as a service provider, depending on its level of access to the cardholder data environment.
Key Compliance Requirements
PCI DSS comprises twelve high-level requirements organized into six control objectives. For hosting providers, the most impactful requirements include maintaining a firewall configuration that protects cardholder data, encrypting transmission of cardholder data across open networks, maintaining a vulnerability management program, implementing strong access control measures, and regularly testing security systems.
Network segmentation is critical for limiting the scope of PCI compliance. Isolate the cardholder data environment from general-purpose servers using firewalls and VLANs. The fewer systems in scope, the easier and less expensive compliance becomes. Document your network architecture clearly, identifying all systems that touch cardholder data and the data flows between them.
Implement file integrity monitoring on critical system files and configurations using tools like OSSEC or Tripwire. Maintain centralized logging with at least twelve months of retention. Conduct quarterly internal and external vulnerability scans, and perform annual penetration testing against the cardholder data environment. Engage a Qualified Security Assessor for your annual Report on Compliance if required by your transaction volume tier.
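The file integrity monitoring mentioned above, as an added example that is not from the original article and not code from OSSEC or Tripwire: a minimal Python monitor that baselines the SHA-256 digest, size and permission bits of every file under a directory, then reports files that were added, removed or modified. The directory, file names and contents are constructed inside the example for the demonstration.

```python
import hashlib
import os
import tempfile
from pathlib import Path


def hash_file(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large binaries are not loaded into memory."""
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path) -> dict:
    """Snapshot digest, size and permission bits of every regular file under root."""
    snapshot = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            if p.is_symlink() or not p.is_file():
                continue  # skip links: a swapped symlink target would otherwise hide a change
            st = p.stat()
            snapshot[str(p.relative_to(root))] = {
                "sha256": hash_file(p),
                "size": st.st_size,
                "mode": oct(st.st_mode & 0o777),
            }
    return snapshot


def compare(baseline: dict, current: dict) -> dict:
    """Diff two snapshots into the three event classes a FIM alert should report."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in set(baseline) & set(current) if baseline[p] != current[p])
    return {"added": added, "removed": removed, "modified": modified}


def demo() -> dict:
    """Constructed scenario: baseline a config directory, tamper with it, then re-scan."""
    root = Path(tempfile.mkdtemp()) / "etc"  # constructed sample directory, not a real path
    root.mkdir()
    (root / "sshd_config").write_text("PermitRootLogin no\n")
    (root / "app.conf").write_text("db_host=10.0.2.5\n")
    baseline = build_baseline(root)
    (root / "sshd_config").write_text("PermitRootLogin yes\n")  # modified in place
    (root / "app.conf").unlink()                                # removed
    (root / "unexpected.conf").write_text("debug=1\n")          # added
    return compare(baseline, build_baseline(root))
```

A production deployment would store the baseline off-host (or sign it) and ship the change events to the centralized log platform, so that tampering with the monitored host cannot also erase the evidence.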