How to make sure you’re working with a PCI compliant hosting provider Featured

9:03am EDT March 1, 2011
How to make sure you’re working with a PCI compliant hosting provider

Over the past few years, as online privacy fears and identity theft have become an even greater reality, PCI compliance has grown into an essential priority for online businesses. And now, with the looming financial and PR fears of a data breach on every company’s radar screen, businesses are looking for data partnerships that can ensure them secure payment transactions through PCI compliance.

Smart Business learned more from Dave Feinglass, director of Solutions Engineering at Latisys, about exactly what companies should look for when searching for a PCI compliant hosting provider.

What does it mean for a data center to be PCI compliant?

Actually, that terminology isn’t accurate. It’s what everyone uses. But it’s not accurate. A lot of hosting companies advertise themselves as ‘PCI compliant,’ but the compliance legally rests on the business itself. After all, the business is going to be the one responsible for passing the QSA audit. So, when a data center advertises itself as ‘PCI compliant,’ they likely mean that they can help a business meet all of the PCI DSS (Data Security Standard) requirements.

These 12 requirements include maintaining a secure network with firewall, protecting stored cardholder data, physical security restrictions and much more. All so your data center partner can help you  stay PCI compliant.

How exactly does PCI compliance work within a ‘hosting’ environment?

There are various types of hosting providers, from colocation to managed services to full outsourcing. And any of these types of hosting providers can meet PCI DSS requirements. But, it’s important to dig deeper, past the ‘We’re PCI compliant’ advertisement.

For example, let’s take Requirement No. 1, the firewall requirement. Most any hosting provider can tell you they have a secure firewall to protect cardholder data. But, there’s more to it than that. In order to pass a QSA audit, there needs to be a formal process in place for approving and testing network connections and every change to firewall and router configurations. This implies that a test and development environment, and surrounding processes, are in place.  So, it’s essential for you to make sure that process exists.

How do hosting companies ensure they meet Requirement No. 3 with protecting cardholder data?

In reality, each and every PCI DSS requirement is about protecting cardholder data. Requirement No. 3 specifically relates to how the hosting company goes about protecting ‘stored’ cardholder data. And again, this is where the partnership between the business and hosting provider really comes into play, because stored cardholder data is largely application-driven. While your hosting company can back up and store whatever your client application requires, the  layer of security that the hosting provider must provide, versus what the application itself is managing,  determines who owns responsibility for this aspect of protecting the data.

For example, Requirement 3.2 states: Do not store sensitive authentication data after authorization (even if encrypted).  The service provider may back up any data that a business requests them to, but it’s up to the application itself to not store that data which should not be stored.  This is an example of why it’s so important to walk through each of these steps with your potential hosting provider and understand where each partner’s responsibility lies.

Several of the PCI DSS requirements relate to access control. How should a business evaluate  a hosting provider for compliance with these requirements?

Requirements 8 through 12 all relate to the protection of information, including internal access prevention. These requirements mean assigning a unique ID to every person in your organization with remote computer access, secure physical access restrictions, strict tracking and monitoring of this access, and regular testing of these security systems.  Each hosting provider may handle those requirements differently. Take the time to understand how your hosting provider meets each one of these requirements, and which of these requirements need to have a process that is owned by the application and/or its developers. For example, does the application require the use of passwords that have both alpha and numeric characters, or is this enforced through a policy only? If the application does not enforce this itself, find out how the hosting provider will manage this aspect of the requirement.

What do you suggest a company seeking PCI compliance look for when choosing the right hosting provider?

You need to really do your homework, and make sure the data center can meet all of your specific requirements. Because even if a hosting provider claims to be ‘PCI compliant,’ you’re still the one responsible for the financial realities of noncompliance. So, it’s important to walk through each of the 12 requirements with your potential hosting provider, line by line, and make sure they’re a match for your customer promise. You also need to create a policy with your hosting provider that specifies information security policies for your employees and contractors. It’s a big task. But finding the right provider is worth it.

Dave Feinglass is director of Solutions Engineering at Latisys. Reach him at