Secure Payments, PCI DSS, Regulatory Compliance Blog

Management and Hosting Company

February 15th, 2007 by datasecurity Posted in Card Brands, Compliance, Service Provider

Tom writes in to ask:

I work for a hosting and network management company, and we have a prospect that is PCI compliant. As such, they need us to be PCI compliant. We are not transacting directly but will be handling backups and their data. What tier of merchant should we consider ourselves, and can we self-assess?

Well, you are definitely a service provider, because you are providing services on behalf of merchants, so the merchant levels do not apply to you. Whether you can self-assess depends on your service provider level: Level 1 service providers must have an on-site assessment, while lower-level service providers can self-validate, provided they also have network scans performed by an approved scanning vendor. For comparison, among merchants only Level 1 merchants are assessed on site (they are the only Level 1 entities that may self-validate, and most do not); Level 2-4 merchants always self-validate, and although some hire a QSA to assist them, that is not required.
Which service provider level you fall into depends on the individual card associations; Visa USA and MasterCard, for example, define service provider levels differently. Determine which card association ranks you at the higher level, and validate at that level.

Since you are a European service provider, check Visa Europe's site (PDF) and MasterCard's site on service providers. If you were in the US, I would point you at Visa USA's site instead.

Also, don’t forget to read this post on web hosting compliance.

And finally, read this post to better understand what service providers are.

7 Responses to “Management and Hosting Company”

  1. By Mark Mac Auley on Feb 16, 2007

    If done correctly, and the costs are shared across multiple customers, then you have a nice business offering. The infrastructure set up to support this is straightforward, and not very difficult. The documentation can either be done by a contractor or as part of a 3rd party validation, or you may already have a lot of documentation if you have companies affected by SOX, GLBA, Basel-II, COBIT, etc. in your business.

    Go through the PCI Spec bullet by bullet and figure out where you are. It shouldn’t take too long and you’ll know where you stand.

  2. By datasecurity on Feb 16, 2007

    Mark,

    You make a good business point. Web hosting (especially shared hosting) providers cannot usually afford to make their entire environment PCI compliant. That would not be a good use of capital.

    Instead, the company can set aside a number of servers and offer the PCI compliant hosting as a higher cost service, which helps defray the overall cost of compliance.

  3. By msw70 on Feb 21, 2007

    Actually, level 3 service providers (handling fewer than 1,000,000 Visa transactions per year) can self-assess. They do have to have network scans by an authorized scan vendor, but they can self-validate (see http://www.visa.com/cisp and follow the Service Provider link).

  4. By msw70 on Feb 21, 2007

    I also noticed that you indicate that “you cannot self assess. Only Level 1 (or Large) merchants can do this.” I think you meant to say that, for merchants, only Level 1 merchants *cannot* do this. Levels 2-4 can all self validate (again, see http://www.visa.com/cisp but follow the Merchants link).

    Hope this helps…

  5. By datasecurity on Feb 21, 2007

    msw70, you are correct.

    I should have said:

    1) Of those Level 1 merchants and service providers, only Level 1 merchants can self-validate (and most do not).
    2) All Level 2-4 merchants “self-validate” (although some hire a QSA to assist them, it is not required).

  6. By slipstream on May 24, 2008

    Shared hosting is not set up for secure credit card transactions, and that is the first problem. If you are going to be saving sensitive data, you need to step up your hosting service (from the $5 or $10/month shared hosting type plans) to a virtual private server (VPS) or an all-out dedicated server. You cannot expect a shared hosting company charging you $5/month or less to be PCI compliant (or compliant with other such security evaluation processes). Shared servers have customers sharing the same server (often using the same IPs), only separated by a password. That means anyone who signs up for the same host as you is now on the same server that your customers' sensitive data is on (does that sound like smart business?). Shared hosting is inherently insecure and is meant for small websites or starter businesses that are looking for cheap hosting with lots of features, not for businesses that are performing regular CC transactions and saving sensitive customer data. If you are performing regular financial transactions using your website… it's time to bite the bullet and pay the extra $20/month to have a secure hosting platform.

1 Trackback(s)

  1. Feb 16, 2007: Lori MacVittie
