Payment Card Industry Data Security Standard (PCI DSS) Compliance

PCI DSS is a security standard for organizations that store, process, or transmit payment card and cardholder data.

WebFaction Servers and Compliance

All WebFaction servers are designed to pass PCI security scans. If your website is implemented so that it introduces no vulnerabilities of its own, a PCI security scan of your domain should pass. That said, there is more to PCI DSS compliance than passing a security scan. What you must do depends heavily on the PCI merchant compliance requirements imposed on your organization.

Note

There is considerable disagreement among security professionals about how PCI DSS applies to web hosts, and there is little clarification from the PCI Security Standards Council. As a result, you may see advice from other web hosts describing different requirements. This document can only be our recommendation, not an official determination, regarding PCI DSS compliance. Ultimately, the only official determination of what is required for your PCI DSS compliance comes from your payment service provider (or acquiring bank).

PCI DSS Merchant Classification

PCI DSS classifies merchants into several levels and types, based mainly on annual transaction volume and on how card data is handled. The level and type determine the manner and frequency of security audits and scans.

For most merchants, the audit takes the form of a self-assessment questionnaire (SAQ) plus quarterly external vulnerability scans of any systems which handle card data. Be wary of web hosts who claim that their hosting is PCI compliant without specifying which levels, types and parts of compliance they mean. Passing the security scans is only a portion of compliance.

Determining Your Needs

To determine your PCI DSS compliance needs, first contact your payment provider to find out whether you need a full independent assessment or are eligible for a self-assessment. Most merchants are eligible for self-assessment, but some, particularly those that process a very large volume of transactions or have previously suffered a security breach, must have an independent third party, a Qualified Security Assessor (QSA), carry out the audit.

If you are required to have a QSA carry out your audit, you should contact your payment provider or QSA for recommendations and how to proceed.

If you are not required to have a QSA carry out your audit, you must determine your SAQ validation type and, from that, which SAQ (labeled A through D) you must complete. Note that the set of SAQs and their eligibility criteria change between versions of PCI DSS, so confirm the current list with your payment provider.

Self-Assessment Questionnaires

Merchants operating websites typically must concern themselves with SAQ A, C, or D.

SAQ A

SAQ A applies when all cardholder data handling is fully outsourced to a PCI DSS compliant third party (for example, customers are sent to the payment provider's hosted payment page) and your own systems never store, process, or transmit cardholder data. If you are eligible to complete SAQ A, you probably will not be required to complete any security scans, and you can use any of our plans and remain PCI DSS compliant.

SAQ C

If you must complete SAQ C, then your WebFaction hosting is within the scope of compliance. All of our servers are capable of passing the security scans associated with this SAQ. We cannot guarantee that they will pass on the first attempt, because the result also depends on the design and implementation of your site, but nothing in the WebFaction server configuration itself prevents a scan from passing.

That said, passing the security scan is only part of the compliance process. The other part is being able to truthfully answer "Yes" to every question in the questionnaire. We do not believe that any shared or VPS host can be compliant with SAQ C as it is currently written, even if it passes the security scan.

For example, one SAQ C question is, "Is access to system components and cardholder data limited to only those individuals whose jobs require such access?" It is not clear how that question applies when multiple independent users share the same physical hardware. Under a strict reading of the question you would be forced to answer "No".

Additionally, some payment service providers want a scan of every domain which points to the same physical server. In a shared or VPS hosting environment, there could be hundreds of domains belonging to dozens of users all pointing to the same physical server, so meeting such a requirement is not feasible. You must determine what your payment service provider requires and how it applies to shared hosting.

If you are required to complete SAQ C, you have these options:

  • If possible, change the way you process card payments so that you become eligible for SAQ A (for example, by handing the customer off to your payment provider's hosted payment page rather than collecting card details on your own site).
  • Use PCI DSS compensating controls. If you do not meet one or more requirements but put other controls in place which meet the rigor and intent of the original requirements, you may still be compliant. You must discuss with your payment service provider which controls they consider acceptable.

SAQ D

SAQ D covers the full set of PCI DSS requirements and is significantly more stringent than SAQ C. Becoming PCI DSS compliant at this level should not be undertaken lightly. We do not think WebFaction's service can provide such a level of compliance.

If there is a way for you to become PCI DSS compliant under SAQ C rather than SAQ D, you should take it.