We spend a lot of time talking about PCI compliance here on the blog. And we have lots to say- there are so many little facets on the way to compliance that the conversations fall all over each other to be heard. So, we looked to the questions being asked by our customers, wanting to know what people who need the compliance really cared about, or what they needed some clarification on.
One of the biggest things we found was that many people who started conversations with us about PCI compliant hosting actually didn’t need it. The general presumption was that if a company sold things on their website, they would need PCI compliance for their hosting environment. That’s not necessarily the case, however.
At a high level, any company that is going to accept credit card payments, and store, process, and/or transmit cardholder data will need to follow the PCI DSS put forth by the PCI SSC (Payment Card Industry Security Standards Council). Anyone with the ability to access the servers that hold a company’s cardholder data will need to be compliant as well. This means that e-commerce businesses and app developers that accept credit card data are going to have to think about PCI, to name just a few.
However, some companies use third party payment processors, like Google Checkout, Braintree, or Authorize.net. These payment processors move customers onto their site for the online payment that occurs. This means that the cardholder data is actually on the third party’s servers, in an environment that’s compliant. This option takes the merchant’s site out of scope, and means that the hosting for their site does not have to be in a compliant environment, because they aren’t processing, storing or transmitting cardholder data.
If a company is using any merchant-managed e-commerce implementation, whether it’s custom developing their own payment application or using a commercial shopping cart that they host, they’ll need a compliant environment for their hosting. Drawing out a plan to better understand what implementation you have prior to speaking with a hosting provider will give you a better idea of what you need, so you can confidently walk into that discussion with a plan in mind.
If you want more information about the different e-commerce implementations that are out there to be used, and suggested PCI DSS guidelines, check out the supplement that came out last month from PCI SSC, PCI DSS E-Commerce Guidelines. Also, we have a webinar Tuesday, February 26th at 2pm that goes over recent updates to PCI compliance that should help elucidate questions about PCI compliance. Sign up for it online here.