Frequently Asked Question

Do shared hosting providers need to comply with PCI DSS?
PCI DSS requirement 2.6 and Appendix A1, “Additional PCI DSS Requirements for Shared Hosting Providers,” are applicable to all shared hosting providers whose customers store, process, or transmit cardholder data. A shared hosting provider is one that houses multiple customers on the same server. These requirements for shared hosting providers are not applicable when servers are dedicated to a single customer (but all other applicable PCI DSS requirements do apply).
To determine the applicable PCI DSS requirements for a given shared hosting provider, please contact a Qualified Security Assessor (QSA). The list of QSAs can be found at https://www.pcisecuritystandards.org/assessors_and_solutions/qualified_security_assessors
Whether a service provider is required to validate PCI DSS compliance is determined by the individual payment brands. Entities should always contact their acquirer or the payment brands directly to determine their compliance reporting requirements. Contact details for the payment brands can be found in FAQ #1142 How do I contact the payment card brands?