What Is PCI Compliance?
PCI compliance refers to following a set of security standards called the Payment Card Industry Data Security Standard (PCI DSS). These standards were created to protect credit and debit card data during storage, processing, and transmission. Any business that accepts, stores, or handles card payments must follow these rules.
PCI DSS is managed by the PCI Security Standards Council, which was formed by major card brands like Visa, Mastercard, American Express, Discover, and JCB. Although the Council sets the requirements, enforcement is carried out by the card companies and banks involved in payment processing.
What PCI Compliance Means for Hosting Resellers
For web hosting resellers, PCI compliance is not only about meeting a technical checklist but, more importantly, about protecting your clients and their customers from fraud, data theft, and financial loss.
A breach involving cardholder data can lead to fines, account suspension, or being barred from processing payments. The loss of customer trust may take years to repair. PCI compliance helps reduce these risks and shows that your business takes security seriously.
Compliance also keeps your service competitive: many ecommerce clients will only work with resellers that offer PCI DSS-compliant infrastructure.
Key PCI DSS Requirements Hosting Resellers Must Address
Hosting Infrastructure
The foundation of PCI compliance is a secure and stable hosting environment. Your servers, networks, and connected systems must be set up to prevent unauthorised access.
This includes proper firewall configurations, removing unused services, and updating systems regularly. Hosting environments must be physically secured, with restricted access to data centres or hardware.
Security Measures
PCI DSS requires several active security layers to defend against attacks. These include:
Firewalls to filter incoming and outgoing traffic
Antivirus software that updates automatically
Intrusion detection systems to flag suspicious activity
Regular security patches for operating systems, web servers, and control panels
Running automated vulnerability scans on your infrastructure is recommended, especially after major updates or configuration changes.
Data Encryption
Cardholder data must be encrypted both during transfer and while stored. This protects information from being intercepted or read if systems are compromised.
Use SSL or TLS certificates to secure data sent over the internet. When storing data, use strong encryption standards approved by the PCI Security Standards Council. Avoid storing full card numbers or security codes unless you have a strong reason and the right protections in place.
Access Control
Only authorised personnel should have access to systems that handle cardholder data. Access should be limited based on job roles.
Use individual user accounts, not shared logins. Require strong passwords and consider adding two-factor authentication where available. Always disable accounts that are no longer in use, and regularly review access logs.
Logging and Monitoring
All access to cardholder data and related systems should be logged and monitored. This helps identify unauthorised access or abnormal activity.
Logs must include details such as user ID, date and time, and the type of access. Store logs securely and keep them for at least one year. Make sure someone is responsible for reviewing these logs regularly.
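As an added example (not from the article), the following Python review pass applies the Access Control and Logging points above to a cardholder-data system's access log: every entry must carry a user ID, timestamp, access type and resource; accounts that were meant to be disabled must not appear; and each account may only perform the access types its role allows. The log format, role table, disabled-account list and sample lines are all constructed for illustration.

```python
# Added example, not part of the article: review access-log entries for a system
# that handles cardholder data. Log format, role table, disabled-account list and
# the sample lines are all constructed for illustration.
from datetime import datetime

# Constructed log lines, one per access: timestamp | user ID | access type | resource
SAMPLE_LOG = """\
2024-03-01T09:12:04Z|alice|read|cardholder_db
2024-03-01T09:15:30Z|bob|admin|cardholder_db
2024-03-01T23:41:10Z|svc_backup|admin|cardholder_db
2024-03-02T02:05:00Z|carol|read|cardholder_db
2024-03-02T08:00:00Z||read|cardholder_db
"""

# Constructed role table: the access types each individual account is allowed.
AUTHORISED = {"alice": {"read"}, "bob": {"read", "admin"}, "svc_backup": {"write"}}
# Accounts that were meant to be disabled; any activity from them is a finding.
DISABLED = {"carol"}
FIELDS = ("timestamp", "user ID", "access type", "resource")

def review_access_log(text, authorised=AUTHORISED, disabled=DISABLED):
    """Return (line_no, reason) pairs that a reviewer should follow up."""
    findings = []
    for n, line in enumerate(text.splitlines(), start=1):
        parts = line.split("|")
        # Every entry must carry all the details a log record is expected to hold.
        if len(parts) != len(FIELDS) or not all(parts):
            findings.append((n, "missing required field: " + ", ".join(FIELDS)))
            continue
        ts, user, access, resource = parts
        try:
            datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
        except ValueError:
            findings.append((n, f"unparseable timestamp {ts!r}"))
            continue
        if user in disabled:
            findings.append((n, f"disabled account {user} still accessed {resource}"))
        elif access not in authorised.get(user, set()):
            findings.append((n, f"{user} performed {access} on {resource} outside assigned role"))
    return findings

if __name__ == "__main__":
    for line_no, reason in review_access_log(SAMPLE_LOG):
        print(f"line {line_no}: {reason}")
```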
Documentation and Policies
Create clear security policies that explain how data is protected, who is responsible for what, and how to handle incidents. This documentation should be reviewed regularly and updated as needed.
Your staff or team should be trained to follow these policies. Make sure everyone understands their role in protecting customer data.
Choosing a PCI-Compliant Payment Processor
Handling payments directly increases your PCI compliance scope. This can be reduced by using a third-party payment processor that is already PCI DSS compliant.
By redirecting payment processing to a trusted provider, you avoid handling sensitive card data directly. This limits your responsibility for compliance and lowers the risk of data exposure.
When selecting a payment processor, check that they are listed as PCI DSS compliant and that they meet the requirements for your type of transactions.
Compliance in Shared vs. Cloud Hosting Environments
Shared Hosting Compliance Challenges
In shared hosting, multiple clients use the same server. This setup can make PCI compliance harder since a security issue with one site can affect others on the same server.
To meet PCI DSS in shared hosting, strong separation between accounts is needed. File permissions, database access, and server configurations must all prevent one user from accessing another’s data.
Resellers must confirm that their shared hosting software, such as control panels and web server settings, supports these isolation practices.
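As an added example (not from the article), this Python check walks each client's home directory in a shared hosting layout and reports anything other local accounts could read or write, which is the file-permission side of the isolation described above. The directory layout and modes are constructed in a temporary directory; the rule it applies (no "other" permission bits on client data) assumes the web server reaches files through group membership or per-user handlers rather than world-readable modes.

```python
# Added example, not part of the article: check that one hosting client's files
# cannot be read or written by other local accounts on the same server. The
# layout and modes below are constructed in a temporary directory; the rule
# (no "other" permission bits on client data) assumes the web server reaches
# files via group membership or per-user handlers, not world-readable modes.
import os
import stat
import tempfile

def find_exposed_paths(clients_root):
    """Walk every client home under clients_root and return (relative path, problem)
    pairs for entries that other users on the host could read or write."""
    problems = []

    def check(path):
        mode = os.lstat(path).st_mode
        if stat.S_ISLNK(mode):
            return  # symlink targets are examined where they actually live
        rel = os.path.relpath(path, clients_root)
        if mode & stat.S_IWOTH:
            problems.append((rel, "world-writable"))
        elif mode & stat.S_IROTH:
            problems.append((rel, "world-readable"))

    for client in sorted(os.listdir(clients_root)):
        home = os.path.join(clients_root, client)
        check(home)  # the home directory itself must not be world-accessible either
        for dirpath, dirnames, filenames in os.walk(home):
            for name in sorted(dirnames + filenames):
                check(os.path.join(dirpath, name))
    return problems

def build_demo_tree():
    """Create a constructed two-client layout with one deliberately exposed file."""
    root = tempfile.mkdtemp(prefix="pci_demo_")
    for client in ("client_a", "client_b"):
        docroot = os.path.join(root, client, "public_html")
        os.makedirs(docroot)
        os.chmod(os.path.join(root, client), 0o750)
        os.chmod(docroot, 0o750)
    # client_a's config holds database credentials and is private (0600).
    good = os.path.join(root, "client_a", "public_html", "config.php")
    open(good, "w").close()
    os.chmod(good, 0o600)
    # client_b's config was left at 0644, so any other account can read it.
    bad = os.path.join(root, "client_b", "public_html", "config.php")
    open(bad, "w").close()
    os.chmod(bad, 0o644)
    return root

if __name__ == "__main__":
    for rel, problem in find_exposed_paths(build_demo_tree()):
        print(f"{problem}: {rel}")
```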
Cloud Hosting Considerations
Cloud hosting can meet PCI DSS requirements, but responsibility is shared between the reseller and the cloud provider.
If you’re offering managed cloud hosting, you’re responsible for securing the environment, including operating systems, firewalls, and updates. In an unmanaged setup, your clients take on more responsibility.
Choose cloud providers that have proven PCI DSS compliance and provide tools to support security best practices, such as virtual private clouds, encryption options, and access controls.
PCI DSS Compliance Levels Explained
PCI DSS has four levels, based on how many transactions an organisation processes each year:
Level 1: Over 6 million transactions per year
Level 2: 1 million to 6 million
Level 3: 20,000 to 1 million (ecommerce only)
Level 4: Fewer than 20,000 (ecommerce) or up to 1 million (non-ecommerce)
Most resellers fall into Level 4 or Level 3, depending on whether they process payments directly or through a third party. Level 1 businesses must undergo a full audit by a Qualified Security Assessor. Lower levels usually require a Self-Assessment Questionnaire and possibly a quarterly scan by an Approved Scanning Vendor.
Knowing which level applies to you helps determine the reporting and validation steps needed to stay compliant.
Real-World Example: Applying PCI DSS as a Web Hosting Reseller
Imagine a reseller who provides hosting for small ecommerce shops. Each client uses a shopping cart that accepts credit card payments. The reseller keeps their infrastructure secure, with updated servers, strict access control, and regular vulnerability scans.
To reduce PCI DSS responsibilities, the reseller recommends clients use a payment gateway that handles card payments outside the hosting environment. This limits the risk of storing or transmitting card data.
The reseller keeps documentation of their security practices and has monitoring tools in place to detect unauthorised access. If any issues arise, there’s a clear response plan to follow.
By combining strong infrastructure security with third-party processing, the reseller meets compliance and provides reassurance to clients.
Preparing for a PCI DSS Audit
Some resellers, particularly those handling high volumes of transactions, may need to undergo a formal PCI DSS audit. This process involves a Qualified Security Assessor reviewing your systems, documentation, and security procedures.
Even if not required, it is good practice to be prepared:
Keep records of your security policies and system changes
Store access logs and scan results for at least 12 months
Review all Self-Assessment Questionnaire responses carefully
Make sure your vendors and partners are also PCI compliant, if relevant
An organised approach to compliance prepares you for audits and allows fast response if a breach occurs.
Further Resources
- PCI Security Standards Council – Official Site: https://www.pcisecuritystandards.org/pci_security/
- PCI DSS Documentation Library: https://www.pcisecuritystandards.org/document_library?category=pcidss&document=pci_dss
- SANS Institute: PCI Compliance Guide: https://www.sans.org/white-papers/36693/
- Guide to PCI DSS Self-Assessment Questionnaires (SAQs): https://www.controlscan.com/education/pci-dss-self-assessment-questionnaire-saq/
- Qualys – PCI Scanning Vendor: https://www.qualys.com/
Frequently Asked Questions (FAQ) about PCI Compliance for Web Hosting Resellers
What is the purpose of PCI DSS?
PCI DSS is designed to protect sensitive cardholder data during processing, storage, and transmission. It sets baseline requirements for organisations handling credit or debit card payments.
Who must comply with PCI DSS?
Any business that stores, processes, or transmits credit card data is required to follow PCI DSS. This includes web hosting resellers who may handle such data directly or indirectly.
Is PCI DSS compliance legally required?
Although not a law, PCI DSS compliance is contractually required by the major credit card brands and enforced by payment processors and banks.
What are the penalties for non-compliance?
Penalties can include fines, increased transaction fees, suspension of card processing privileges, and reputational damage.
Do hosting resellers need to be PCI-compliant if clients use third-party payment processors?
If clients manage all cardholder data via third-party processors, the reseller’s PCI scope is reduced but not eliminated. Resellers must still ensure their environment supports secure hosting practices.
What is the difference between shared and cloud hosting in PCI compliance?
Shared hosting poses more risks due to multiple users sharing infrastructure. Cloud hosting can offer more flexibility and security features, but responsibilities are split between provider and reseller.
What is a Qualified Security Assessor (QSA)?
A QSA is a professional certified by the PCI Security Standards Council to perform formal PCI DSS audits and assessments for Level 1 merchants and service providers.
How often should PCI DSS compliance be reviewed?
Compliance should be evaluated at least annually and whenever significant infrastructure or policy changes occur. Regular vulnerability scans and log reviews help maintain ongoing compliance.