PCI Compliant Hosting

Understanding and complying with the highest levels of PCI compliance is a crucial part of our role as a managed Windows hosting provider. Attaining compliance involves a different set of requirements for different organizations, which is not always simple to understand. Below is a breakdown that defines what PCI-DSS is and what is required for your specific organization.

What is PCI?
From Visa: "The Payment Card Industry Data Security Standard (PCI DSS) is a comprehensive set of international security requirements for protecting cardholder data. The PCI DSS was developed by Visa® and the founding payment brands of the PCI Security Standards Council to help facilitate the broad adoption of consistent data security measures on a global basis."

Who needs to be PCI compliant?
From Visa: "All Visa acquirers and issuers must comply, and must also ensure the compliance of their merchants and service providers who store, process, or transmit Visa account numbers. This program applies to all payment channels including card present, mail/telephone order, and e-commerce."

Yes, that means everyone.

Are there multiple levels of PCI compliance?
There are two categories of those needing PCI compliance, and multiple levels within those categories, broken down as follows:

Merchants: There are four levels for merchants ranging from Level 4 (less than 20,000 transactions per year) to Level 1 (over 6 million transactions per year).

Service Providers: There are two levels for service providers - Level 2, which requires a self-assessment and a quarterly remote network scan, and Level 1, which additionally requires a thorough on-site audit by an authorized third party.

Is your web hosting PCI compliant?
There are a growing number of hosting companies who claim PCI compliance. Be sure to understand what a web host means by PCI hosting and at which level they are certified.

From my research, I've seen a lot of hosting that claims to be PCI compliant, but when you explore the details, you find that they can make this statement because they tell clients to off-load their card processing to a third party. If the third party is compliant, and no transactions are actually processed at the web host, the host does not have to demonstrate compliance with the strict PCI security standards. Is that PCI hosting? Not really, because all it does is avoid the issue and push it outside the actual hosting service. Is that okay? Yes, it likely is for small vendors who want low-cost solutions and don't mind offloading their credit card processing to a third party like PayPal.

How can you tell if your host is really compliant? Just ask them. If they are a Level 1 compliant service provider, they should be able to provide a copy of their Certificate of Validation from their most recent annual audit. If they cannot do this, they likely only performed a self-assessment and called themselves compliant without external validation.

Is OrcsWeb PCI compliant?
Yes, OrcsWeb has the highest level of PCI DSS v1.2 certification. We maintain strict security standards and are validated annually by a qualified third-party who performs both a thorough on-site analysis and also remote network scanning. But don't take my word for it - feel free to ask to see our Certificate of Validation confirming our compliance if you are looking for PCI hosting.

If your host is PCI compliant, are you automatically compliant?
No. There are certain PCI requirements that need to be met directly by businesses over and above the hosting environment. These include ensuring the use of SSL, encrypting cardholder data, and controlling access to data, to name a few. These are features and functions of the ecommerce application, and they are also affected by the business's internal corporate processes.

Also, a PCI compliant service provider likely has some compliant and non-compliant services. For example, if you want the highest level of security and compliance then you are going to need a dedicated network segment and firewall - this is not something that comes by default, or is even always feasible, with every level and type of product. Be sure to check with your host to properly communicate your needs and also understand their offerings.

For more information about OrcsWeb's solutions, visit our PCI compliant hosting page. Give us a call at 1-888-313-9421 or send us an email at sales@orcsweb.com to request a copy of our Certificate of Validation and discuss how we can develop a PCI compliant solution specific to your individual needs.

Download PCI Compliance Overview eBook
