PCI DSS hosting is a service in which an IT hosting company hosts an IT solution (such as a PoS or accounting application) in such a way that the solution complies with the Payment Card Industry Data Security Standard. It can help businesses to comply with PCI DSS that don’t have the budget or in-house technical expertise to do so by themselves, or that want to decrease the cost or difficulty of complying with PCI DSS.
PCI DSS is a set of data security standards that are developed and enforced by the Payment Card Industry Security Standards Council (PCI SSC), which is run by five of the world’s largest payment card brands: American Express, Discover, JCB International, MasterCard, and Visa. Any business that processes, stores, or transmits payment cards is required to comply with PCI DSS. If a business fails to comply with PCI DSS, it can be penalized by having its ability to accept payment cards as payment being taken away, with increased payment processing fees, or fines in the tens or hundreds of thousands of dollars.
The most recent version of PCI DSS is PCI DSS 3.2, released in April 2016. It’s currently organized into six main security goals, 12 main security requirements, and more than a hundred sub-requirements. The requirements of PCI DSS include:
Implementing and configuring firewalls
Using encryption when sending payment card data over the Internet
Implementing and maintaining antivirus software
Regularly scanning your networks and systems for vulnerabilities, and removing any vulnerabilities you discover as soon as possible (including by installing security updates for your applications and operating systems)
Implementing an authentication system that requires all employees to log in to the cardholder data environment (CDE) with a unique username and password
Following best practices for authentication, including deleting the accounts of former employees immediately after they leave the company and requiring users to select new passwords every 90 days
Implementing physical security measures such as video cameras or ID card scanners to prevent unauthorized individuals from accessing the hardware of the CDE or any paper documents with payment card data on them
Securely disposing of electronic storage media (including hard drives, tape drives, and optical disks) and paper documents containing payment card data, for example by shredding them
Implementing a logging system that logs all noteworthy events in the CDE (instances of user access to payment card data, any actions performed by users with root or administrative-level privileges, etc.), and regularly inspecting the resulting logs
Implement and maintain
Performing internal and external network vulnerability scans every four months
Performing external and internal penetration tests every year
Implement intrusion detection and prevention systems (IDS/IPS) and change detection systems
Implementing and maintaining a security policy
Implementing and maintaining an incident response plan
(For detailed descriptions and explanations of all of the requirements of PCI DSS and some advice on how to comply with them, you can check out our “Beginner’s Guide to PCI DSS.” You can also find the full version of PCI DSS 3.2 on the PCI SSC’s website.)
PCI DSS hosting helps businesses to comply with PCI DSS because it comes with security measures that satisfy most of the PCI DSS’s requirements. For example, most hosted solutions, even those that haven’t been designed to comply with PCI DSS, come standard with PCI DSS-compliant features such as authentication (login) systems, and many hosting companies already comply with many aspects of PCI DSS without having to do anything different, since they already regularly scan their networks and systems for vulnerabilities, follow authentication best practices, implement and maintain physical security measures at their datacenters, securely dispose of electronic storage media, implement and maintain logging systems, regularly perform vulnerability scans and penetration tests, implement and maintain intrusion detection systems (IDS/IPS) and change detection systems, and implement and maintain security policies and incident response plans.
With a PCI DSS hosting service, in addition to these default security measures, hosting companies will also include additional security measures to ensure that a hosted solution is fully compliant with PCI DSS, such as specially-configured firewalls and antivirus software.
Oftentimes, PCI DSS hosting will not by itself make a business compliant with PCI DSS. However, in some cases all a business that signs up for PCI DSS hosting will have to do is create security policies and incident response plans and ensure that all of its employees, contractors, and partners understand and are capable of following them. Everything else will be taken care of the hosting company, including implementing and configuring all of the advanced security measures (which a lot of businesses, especially small businesses that don’t have any fulltime IT employees, would not be able to do by themselves), and constantly monitoring and maintaining these security measures (which many businesses’ employees might not have time for).
In addition to making complying PCI DSS easier, PCI DSS hosting can also decrease the cost of complying with PCI DSS. This is mainly because with PCI DSS hosting you’re sharing the costs of all of the hosting company’s security measures with all of the hosting company’s other customers.
Other benefits of PCI DSS hosting include increased security, increased accessibility (hosted IT solutions can be accessed from anywhere with any Internet-connected computer, tablet, or smartphone), increased reliability (hosting companies monitor and maintain their hosted solutions around-the-clock and implement downtime-prevention measures such as redundant Internet, power, and networking hardware, UPSs, and backup diesel generators), and increased scalability.
To sign up for PCI DSS hosting, simply contact your preferred IT hosting company.