March 30th, 2017

PCI Compliance Qs & As

The Payment Card Industry Data Security Standard (PCI DSS) is not just a mouthful – it’s also a set of security standards that any organization that accepts, processes, stores or transmits payment card information must follow in order to develop and maintain a secure and compliant environment. Sounds fairly reasonable, certainly, but many hosting providers and their customers struggle with understanding the true depth and breadth of PCI compliance. Too often, their omissions or mistakes aren’t uncovered until the dreaded PCI audit or – even worse – customer data breach comes to pass.

To help you better understand PCI compliance requirements – and any associated risks – we’ve developed a list of common questions and answers below.

Question: How do I know which PCI compliance ‘level’ my company is?

Answer: PCI compliance levels are based on payment card transaction volume over a 12-month period. As of today, the guidelines are:

  • Merchant level one: 6 million+ payment card transactions / year (any type of transaction)
  • Merchant level two: 1 – 6 million payment card transactions / year (any type of transaction)
  • Merchant level three: 20,000 – 1 million payment card e-commerce transactions / year
  • Merchant level four: Fewer than 20,000 payment card e-commerce transactions / year; all other merchants processing up to 1 million payment card transactions a year (any type of transaction)

Question: Everyone talks about credit cards with regards to PCI compliance. What about debit cards?

Answer: Don’t be fooled by semantics. Cards that fall under PCI compliance regulations include credit, debit and any pre-paid cards with a Visa International, MasterCard, American Express, Discover or JCB logo.

Question: My potential client wants to perform a PCI compliance scan of our hosting infrastructure before signing. What should I expect?

Answer: A PCI compliance scan, in and of itself, is fairly straightforward. There is a list of approved ‘scan vendors’ maintained by the PCI Security Council, one of whom will assess your environment for any security gaps and provide recommendations for improvement. However, even if your scan comes back clean, you should still be equipped to answer questions and provide details about your infrastructure to your potential client. Be ready to deliver network maps, access logs and firewall rules, among other particulars.

It’s important to note that a clean PCI compliance scan, confusingly, does not ensure you are PCI compliant. Your client will likely be savvy enough to press for more information, and you and your managed hosting provider should be poised to comply.

Question: We were PCI compliant a year ago. Are we still PCI compliant?

Answer: Great question. The regulations change frequently and your environment must be reviewed periodically by PCI compliance experts. Unintended changes that compromise the infrastructure can be missed without continuous oversight. Talk to your hosting provider about the services they offer to ensure your organization remains PCI compliant.

Question: How much of the ‘PCI compliance burden’ should I expect my hosting provider to shoulder?

Answer: Good hosting providers who are renowned for helping their customers attain and maintain compliance will be ready to take on anything you might throw at them. Bad hosting providers won’t.

Three of the PCI compliance services that are commonly provided by, for instance, include:

  • Assessing your environment and recommending solutions for any PCI compliance gaps
  • Deploying security controls to ensure you meet regulatory requirements
  • Continuously monitoring your infrastructure via vulnerability scans, threat and log management and penetration testing.

Simply, your provider should want to make sure your business succeeds as much as you do. If they’re not being proactive about PCI compliance, or if they don’t seem to be equipped to handle complexities of this nature, it might be time to start looking around for alternatives.



If there’s any doubt in your mind about your organization’s PCI compliance stature, contact us today to schedule a free, no strings attached PCI compliance risk assessment. Don’t delay: this offer is only good for the first 20 organizations that reach out.