My company is in the process of selecting a Web hosting company for our website and we're trying to determine how...
By submitting your email address, you agree to receive emails regarding relevant topic offers from TechTarget and its partners. You can withdraw your consent at any time. Contact TechTarget at 275 Grove Street, Newton, MA.
PCI DSS should affect our decision. What should we be aware of when looking for a PCI-compliant Web hosting company?
Ask the expert
Got a vexing problem for Mike Chapple or any of our other experts? Ask your enterprise-specific questions today! (All questions are anonymous.)
Presumably the Web hosting company will be involved in processing credit card transactions for the website. If this is the case, they clearly qualify as a service provider under the provisions of PCI DSS, and there are specific contractual obligations that you must follow to ensure that your organization remains PCI DSS compliant.
First, you must have a written agreement with your service provider which acknowledges that it will remain PCI DSS compliant for all interactions with cardholder information performed on behalf of your company. This may be handled by a PCI DSS clause in the contract for services or in a separate written agreement.
Second, clearly identify which elements of PCI DSS are addressed by the service provider and which are addressed by internal controls. This requirement is designed to prevent controls from slipping through the cracks, with each entity believing that compliance is the other entity's responsibility.
Third, annually validate that the service provider is PCI DSS compliant. You may do this by verifying its inclusion on the Visa Global Registry of Service Providers or by requiring the service provider to submit documentation attesting to its compliance.
Finally, you are responsible for maintaining documentation about the relationship with the service provider. This includes keeping a list of service providers that you use, maintaining the list of PCI DSS responsibility divisions and maintaining a formal process for selecting service providers that includes proper due diligence.
Dig Deeper on PCI Data Security Standard
Related Q&A from Mike Chapple
Encrypting data going to the cloud is a security best practice, but does it add extra challenges for regulators that might need to access the data? ...continue reading
Merchants that sell at off-site venues need to take extra care to follow PCI compliance standards. Expert Mike Chapple discusses how organizations ...continue reading
The FTC's order for PCI DSS compliance assessments is odd since PCI isn't a government regulation. Expert Mike Chapple explains the motivation ...continue reading
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.