PCI compliant hosting is one of the key aspects to look for when you plan to store or process your customers' credit card data at a hosting provider's site. From a PCI DSS compliance perspective, the key points to check when qualifying a service provider as a PCI compliant hosting provider are:
- The hosting provider should support and allow the periodic PCI vulnerability scans, including the quarterly external scans performed by an Approved Scanning Vendor (ASV).
- Shared hosting providers must protect each entity's hosted environment and cardholder data. These providers must meet the specific requirements detailed in Appendix A: Additional PCI DSS Requirements for Shared Hosting Providers.
Specific to the Payment Card Industry Data Security Standard (commonly known as the PCI standard), the following requirements should be met by the PCI compliant hosting provider:
- 1.1 Establish firewall and router configuration standards, and all its sub-controls
- 1.2 Build a firewall configuration that restricts connections between untrusted networks and any system components in the cardholder data environment, and all its sub-controls
- 1.3 Prohibit direct public access between the Internet and any system component in the cardholder data environment, and all its sub-controls
- 2.2 Develop configuration standards for all system components. Ensure that these standards address all known security vulnerabilities and are consistent with industry-accepted system hardening standards, and all its sub-controls
- 2.3 Encrypt all non-console administrative access. Use technologies such as SSH, VPN, or SSL/TLS for web-based management and other non-console administrative access.
- Requirement 5 (5.1 and 5.2): Use and regularly update anti-virus software or programs
- 6.1 Ensure that all system components and software have the latest vendor-supplied security patches installed. Install critical security patches within one month of release.
- 6.2 Establish a process to identify newly discovered security vulnerabilities (for example, subscribe to alert services freely available on the Internet). Update configuration standards as required by PCI DSS Requirement 2.2 to address new vulnerability issues.
- 6.6 For public-facing web applications, either review application code for vulnerabilities or install a web application firewall, if applicable to the hosted environment
- 8.3 Two-factor authentication for remote network access by employees, administrators and third parties; consider this if it is applicable to how the provider's staff administer the environment
- 8.5 Ensure proper user authentication and password management for non-consumer users and administrators on all system components, and the applicable sub-controls
- Requirement 9: Restrict physical access to cardholder data, and all its sub-controls. This is a key component, since physical security of the facility is entirely the responsibility of the hosting provider
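The firewall controls in the list (1.2, 1.3 and 2.3) are the ones an assessor can verify directly against the provider's ruleset rather than against a policy document. As an added example that is not part of the original post, the following Python script audits a constructed, hypothetical first-match ruleset for accept rules that let an untrusted source reach the CDE subnet (1.3) or that permit a cleartext administrative protocol such as telnet into it (2.3). The subnets, addresses and rules are assumptions for illustration; each candidate rule is confirmed against first-match evaluation so that a dead rule shadowed by an earlier drop is not reported as a live exposure.

```python
"""Audit a constructed first-match firewall ruleset for PCI DSS 1.3 and 2.3.

Hypothetical layout (assumption): the CDE lives in 10.20.0.0/24, the DMZ web
tier in 10.10.0.0/24 and the admin LAN in 10.99.0.0/24. Anything outside the
RFC 1918 ranges is treated as the Internet.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

CDE_NETWORK = ip_network("10.20.0.0/24")
TRUSTED_NETWORKS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Cleartext administrative protocols; permitting them into the CDE violates 2.3.
CLEARTEXT_ADMIN_PORTS = {23: "telnet", 80: "http", 513: "rlogin", 514: "rsh"}


@dataclass(frozen=True)
class Rule:
    action: str            # "accept" or "drop"
    src: str               # source CIDR
    dst: str               # destination CIDR
    dport: Optional[int]   # TCP destination port; None matches any port

    def matches(self, src_ip: str, dst_ip: str, dport: int) -> bool:
        return (ip_address(src_ip) in ip_network(self.src)
                and ip_address(dst_ip) in ip_network(self.dst)
                and (self.dport is None or self.dport == dport))


def first_match(rules: List[Rule], src_ip: str, dst_ip: str, dport: int) -> Optional[Rule]:
    """First-match semantics with an implicit deny, as on most firewalls."""
    for rule in rules:
        if rule.matches(src_ip, dst_ip, dport):
            return rule
    return None


def is_untrusted(network: str) -> bool:
    """A source is untrusted unless it lies wholly inside one trusted range."""
    net = ip_network(network)
    return not any(net.subnet_of(t) for t in TRUSTED_NETWORKS)


def audit_cde_rules(rules: List[Rule]) -> List[Tuple[str, Rule, str]]:
    """Return (requirement, rule, reason) findings for live accept rules into the CDE."""
    findings = []
    for rule in rules:
        dst = ip_network(rule.dst)
        if rule.action != "accept" or not dst.overlaps(CDE_NETWORK):
            continue
        # Representative flow that lies inside both the rule and the CDE.
        dst_probe = str(CDE_NETWORK[0] if CDE_NETWORK.subnet_of(dst) else dst[0])
        src_probe = str(ip_network(rule.src)[0])
        port_probe = rule.dport if rule.dport is not None else 443
        # Req 1.3: an untrusted source must never reach the CDE directly.
        if is_untrusted(rule.src) and first_match(rules, src_probe, dst_probe, port_probe) is rule:
            findings.append(("1.3", rule, f"untrusted source {rule.src} reaches CDE {rule.dst}"))
        # Req 2.3: no cleartext admin protocol, whether named explicitly or via an any-port rule.
        exposed = ([rule.dport] if rule.dport in CLEARTEXT_ADMIN_PORTS
                   else list(CLEARTEXT_ADMIN_PORTS) if rule.dport is None else [])
        for port in exposed:
            if first_match(rules, src_probe, dst_probe, port) is rule:
                findings.append(("2.3", rule, f"cleartext {CLEARTEXT_ADMIN_PORTS[port]} (tcp/{port}) permitted into CDE"))
                break
    return findings


# Constructed rulesets; rules evaluate top to bottom, first match wins.
WEAK_RULESET = [
    Rule("accept", "0.0.0.0/0", "10.10.0.0/24", 443),      # Internet -> DMZ web tier: fine
    Rule("accept", "10.10.0.0/24", "10.20.0.0/24", 3306),  # DMZ -> CDE database: fine
    Rule("accept", "0.0.0.0/0", "10.20.0.10/32", 22),      # SSH straight from the Internet into a CDE host: 1.3
    Rule("accept", "10.99.0.0/24", "10.20.0.0/24", 23),    # telnet from the admin LAN: 2.3
    Rule("accept", "10.99.0.0/24", "10.20.0.0/24", 22),    # SSH from the admin LAN: fine
    Rule("drop", "0.0.0.0/0", "0.0.0.0/0", None),          # default deny
]

HARDENED_RULESET = [
    Rule("accept", "0.0.0.0/0", "10.10.0.0/24", 443),
    Rule("accept", "10.10.0.0/24", "10.20.0.0/24", 3306),
    Rule("accept", "10.99.0.0/24", "10.20.0.0/24", 22),    # encrypted admin access only
    Rule("drop", "0.0.0.0/0", "10.20.0.0/24", None),       # explicit deny of everything else into the CDE
    Rule("drop", "0.0.0.0/0", "0.0.0.0/0", None),
    Rule("accept", "0.0.0.0/0", "10.20.0.10/32", 22),      # dead rule shadowed by the drops: not live, but clean it up
]

if __name__ == "__main__":
    for name, rules in (("weak", WEAK_RULESET), ("hardened", HARDENED_RULESET)):
        found = audit_cde_rules(rules)
        print(f"{name}: {len(found)} finding(s)")
        for req, rule, reason in found:
            print(f"  Req {req}: {reason} [{rule.action} {rule.src} -> {rule.dst} port {rule.dport}]")
```

Run it against the ruleset export the provider hands over for the assessment; the weak set yields one 1.3 and one 2.3 finding, while the hardened set yields none because the leftover Internet-to-CDE rule is shadowed by the explicit drop. The shadowed rule is still worth removing as part of the 1.1 ruleset review, since a later reordering would silently bring it back to life.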
In my view, this list covers most of the requirements a service provider must meet to be classified as a PCI compliant hosting provider.