Hosting Providers & Merchant Accounts – PCI Compliance Explained
There seems to be a great deal of confusion about PCI compliance, on the part of both merchants and hosting providers. Who is responsible for what?
First, the merchant (the business that accepts card payments, even when its site runs on someone else's servers) always remains responsible for compliance and for being validated or certified. The hosting provider (data center) is responsible only within the scope of the infrastructure and services it provides to the merchant, for example real estate: floor space, electricity and controlled physical access. If the hosting provider also manages the merchant's network, then it is responsible for that specific part of the compliance scope as well.
Having said that, the merchant is required to monitor the compliance of its service providers and to manage the risk of any that are non-compliant, but a hosting provider does not have to be PCI compliant itself for a merchant to use it; the provider's services can instead be covered under the merchant's own assessment. As a merchant who accepts card payments for products or services, you are obligated to be PCI compliant, but not for your environment in its entirety. The obligation is limited to the cardholder data environment: the systems that process, store or transmit card data, their transmission gateways, and any systems connected to them that could affect their security. Segmenting payment systems from the rest of the network reduces that scope, but the segmentation has to be verified, not assumed. To that end, PCI is technology neutral, meaning you do not have to build out with any specific infrastructure.
So what are the minimum technical requirements? A couple of servers, a firewall, logging, monitoring and IDS / IPS (intrusion detection and intrusion prevention) capabilities. Those are the infrastructure pieces; the standard also expects the policies, procedures and periodic testing that go with them.