The Payment Card Industry Data Security Standards are rules devised by leading members of the credit card industry, including Visa, Mastercard, and American Express. The standards describe the security measures that must be in place for any business that accepts, transmits, or stores cardholder data, even if they use a third-party payment provider.

PCI-compliant hosting provides a foundation for building compliant applications. The physical and network security is engineered to comply with PCI standards, and processes are in place to ensure that the infrastructure remains compliant. It should be understood that PCI-compliant hosting does not guarantee compliance because the hosting provider cannot control the code that you run on the server. However, PCI-compliant hosting does make it cheaper and faster to comply with the PCI DSS.

The PCI DSS comprises six security goals with 12 requirements in total:

• Build and maintain a secure network.
  • Install and maintain a firewall configuration to protect cardholder data.
  • Do not use vendor-supplied defaults for system passwords and other security parameters.
• Protect Cardholder Data
  • Protect stored cardholder data.
  • Encrypt transmission of cardholder data across open, public networks.
• Maintain a Vulnerability Management Program
  • Use and regularly update anti-virus software or programs.
  • Develop and maintain secure systems and applications.
• Implement Strong Access Control Measures
  • Restrict access to cardholder data by business need-to-know.
  • Assign a unique ID to each person with computer access.
  • Restrict physical access to cardholder data.
• Regularly Monitor and Test Networks
  • Track and monitor all access to network resources and cardholder data.
  • Regularly test security systems and processes.
• Maintain an Information Security Policy
  • Maintain a policy that addresses information security for employees and contractors.

To comply with the PCI DSS, your business’s infrastructure, networks, processes, and software must comply with the goals and standards of the credit card industry. Additionally, businesses must be able to prove that they are compliant.

For most businesses, that means completing a Self-Assessment Questionnaire, which includes an Attestation of Compliance. Larger companies—those that process more than 6 million transactions a year—must complete a third-party audit with a qualified security assessor (QSA).

Businesses are responsible for making sure their infrastructure and software comply, even if they use a third-party hosting provider. Ultimately, your business is accountable, and it is your business that will be fined in case of a security breach. However, a trustworthy third-party PCI-compliant hosting provider can reduce the cost and effort of PCI-compliance by building and maintaining compliant data centers, networks, and servers.

According to a recent report from Verizon, only 39 percent of US organizations are PCI compliant. Non-compliance exposes those businesses to fines that vary from $5,000 to $100,000 per month. But fines aren’t the only cost of non-compliance. If a business is not PCI-compliant, its infrastructure is insecure. If there is a security breach and credit card data is stolen, the cost may be much higher and include lawsuits, legal fees, and damage to the organization’s reputation. Massive breaches can cost hundreds of millions of dollars in fines and other payments.

Merchants are divided into levels according to how many credit card transactions they process each year.

• Level 1 – Over 6 million transactions per year
• Level 2 – Between 1 and 6 million transactions per year
• Level 3 – Between 20,000 and 1 million transactions per year
• Level 4 – Less than 20,000 transactions per year

Although these criteria are accurate, individual credit card company may apply alternative criteria that affect a merchant’s level, so be sure to look into the rules that apply to your business.

A merchant’s level determines the actions they must take to demonstrate compliance. Level 2,3, 4 merchants should complete an Annual Self-Assessment Questionnaire and a quarterly network scan by an Approved Scan Vendor (ASV). Level 1 merchants are required to undergo an Annual Report on Compliance (ROC) by a Qualified Security Advisor (QSA).