Frequently Asked Question

Do shared hosting providers need to comply with PCI DSS?

PCI DSS requirement 2.6 and Appendix A1: “Additional PCI DSS Requirements for Shared Hosting Providers” are applicable to all shared hosting providers whose customers store, process, or transmit cardholder data. A shared hosting provider is one that houses multiple customers on the same server. These requirements for shared hosting providers are not applicable when servers are dedicated to a single customer (but all other applicable PCI DSS requirements do apply).

To determine the applicable PCI DSS requirements for a given shared hosting provider, please contact a Qualified Security Assessor (QSA). The list of QSAs can be found at

Whether a service provider is required to validate PCI DSS compliance is determined by the individual payment brands. Entities should always contact their acquirer or the payment brands directly to determine their compliance reporting requirements. Contact details for the payment brands can be found in FAQ #1142, “How do I contact the payment card brands?”

August 2018
Article Number: 1221