PCI-DSS Compliant Hosting Requirements
The PCI Data Security Standard represents a common set of industry tools and measurements to help ensure the safe handling of sensitive information. Initially created by aligning Visa’s Account Information Security (AIS)/Cardholder Information Security (CISP) programs with MasterCard’s Site Data Protection (SDP) program, the standard provides an actionable framework for developing a robust account data security process – including preventing, detecting and reacting to security incidents.
If you are a merchant that accepts credit cards for purchases online you are required to comply with the PCI-DSS requirements. All merchants fall into one of four merchant levels defined by the merchant’s transaction volume over a year.
Merchant Level | |
1 | Any merchant — regardless of acceptance channel — processing over 6M Visa transactions per year. Any merchant that Visa, at its sole discretion, determines should meet the Level 1 merchant requirements to minimize risk to the Visa system. |
2 | Any merchant — regardless of acceptance channel — processing 1M to 6M Visa transactions per year. |
3 | Any merchant processing 20,000 to 1M Visa e-commerce transactions per year. |
4 | Any merchant processing fewer than 20,000 Visa e-commerce transactions per year, and all other merchants — regardless of acceptance channel — processing up to 1M Visa transactions per year. |
- Level 4 merchant is defined as “any merchant processing fewer than 20,000 Visa ecommerce transactions per year,” and is the most common small business merchant level.
- Level 3 merchants are classified as doing 20,000 to 1,000,000 transactions per year.
Your merchant level defines your PCI compliance validation options. Level 3 and Level 4 merchants are required by PCI-DSS requirements to complete a Self Assessment Questionnaire (SAQ) and to pass a quarterly network vulnerability scan. Level 4 merchants, however, may not be required by their merchant acquirer to fulfill either of these requirements. We’ll discuss this more later.
SAQ Validation Types
Every merchant is required to complete a Self Assessment Questionnaire (SAQ) to become certified as PCI compliant. There are five SAQ validation types that determine which of the four SAQ’s to complete.
We’ll look at SAQ validation types 1, 4, and 5, since all online ecommerce systems will fall into one of these categories.
Type 1
SAQ validation type 1 has the easiest requirements to meet. This validation type applies to ecommerce merchants where all cardholder data functions are performed by a PCI compliant third-party, such as PayPal.
No cardholder data can be stored or transmitted to qualify for this SAQ validation type. The purchaser must be redirected to the service provider’s website to complete the purchase.
SAQ validation type 1 does not require PCI compliant web hosting, however it may be necessary to complete the SAQ-A if the merchant services provider requires it. It’s likely that merchants of validation type 1 will not be required by their merchant acquirer to perform a quarterly vulnerability scan.
It’s likely that merchants of validation type 1 will not be required by their merchant acquirer to perform a quarterly vulnerability scan.
Type 4
SAQ validation type 4 applies to most ecommerce retailers. This validation type applies to ecommerce merchants with shopping cart applications that transmit cardholder data via the Internet for processing by the merchant acquirer.
No cardholder data can be stored to qualify for this SAQ validation type.
A simple example of a qualifying SAQ validation type 4 is an AbleCommerce 7.0 site using Authorize.Net to process transactions. Card-holder data is transmitted to a PCI compliant third-party for processing and no cardholder data is stored.
SAQ validation type 4 requires that all third-party service providers are certified as PCI compliant. The ecommerce merchant is required to perform due diligence to ensure the operating service provider is a PCI-DSS certified service provider. This includes the web hosting provider and data center.
SAQ validation type 4 merchants must complete the requirements of the SAQ-C. Due to additional complexities introduced by the SAQ-C requirements, including the fact that service providers must also be certified PCI compliant, traditional shared hosting options become impossible.
Type 5
SAQ validation type 5 applies to all ecommerce merchants that do not fall into validation types 1 or 4. The defining issue that separates a type 4 from a type 5 is the storage of cardholder data.
Merchants identifying themselves as eligible for validation type 5 must comply with the requirements in SAQ-D. These are the same requirements that are required of PCI certified service providers and are typically out of the financial and technical reach of most small ecommerce retailers.
The SAQ-D requirements for PCI compliance are a very serious undertaking for even highly skilled IT professionals. Lawyers, CPAs, and other legal means may often be needed to draft PCI audit policies and procedures. The cost of validation type 5 PCI compliance can easily run over $50,000.
Becoming PCI Compliant
Acquirers (merchant account providers) are responsible for enforcing merchant compliance with the PCI requirements. Level 4 merchants may not be required by their acquirer to submit vulnerability scan reports or the SAQ, which is the case with PayPal Payments Standard.
If you are required to provide either the PCI scan or SAQ, you will be notified by your merchant provider. The notice will be delivered in the form of postal mail and will include your merchant level and compliance requirements with regards to the SAQ and vulnerability scans.
Merchants that do not meet the requirements of the PCI-DSS may also be fined by the merchant acquirer. Often called a compliance fee, this charge can range from $19.95 to several thousand dollars monthly.
Type 1 (SAQ-A)
SAQ validation type 1 has the lowest level of hosting requirements. In this case the payment system, such as PayPal, is the only system involved with the cardholder data transaction. The main website does not need to be hosted with a PCI compliant service provider.
An example of an ecommerce SAQ validation type 1 merchant would be an AbleCommerce 7.0 based site using the PayPal Website Payments Standard payment option. All cardholder data are being processed trough the PayPal website and no cardholder data is stored or otherwise transmitted by the originating ecommerce website.
If necessary, the SAQ-A will need to be completed and delivered to the merchant acquirer to complete the PCI Compliance process.
Type 4 (SAQ-C)
SAQ validation type 4 merchants have very specific requirements which mandate the use of certified PCI compliant third party service providers such as web hosting companies and data centers (SAQ-C 12.8).
The many barriers to becoming a PCI compliant service provider eliminates the merchant’s shared hosting options, and all but mandates the use of a dedicated server to achieve PCI-DSS compliance under the SAQ-C. Restrictions placed on PCI compliant web hosting providers make it impossible to offer a PCI compliant, multi-tenant shared hosting environment.
As a result, many type 4 merchants maintain a PCI SAQ-C compliance using a fully managed PCI compliant hosting environment hosted with a PCI compliant data center. In this scenario, the ecommerce application (AbleCommerce, AspDotNetStorefront, Znode etc.) would reside on the dedicated server and communicate cardholder data to a third-party payment processor, such as Authorize.Net. No cardholder data can be stored by the merchant in this scenario.
Vendors such as Comodo can provide the PCI vulnerability scans and PCI compliance certificates, as well as a wealth of information to help you pass your PCI-DSS requirements.
The SAQ-C, along with the successful completion of the quarterly vulnerability scan, should be submitted to your merchant account provider to show compliance with the requirements of PCI-DSS.
Type 5 (SAQ-D)
The SAQ Validation Type 5 is the highest level of PCI compliance and is the same level required by PCI-DSS certified service providers. An example of this level of compliance would be a managed, PCI compliant product from Drundo. Drundo is a PCI compliant service provider capable of managing this level of PCI compliance for their clients.
A typical Drundo SAQ-D PCI compliant hosting arrangement would include the following specs:
- Managed Firewall
- Dedicated Windows 2008 R2 Web Server
- Dedicated Microsoft SQL 2008 R2 Database Server
- File integrity monitoring
- Log management service
- Intrusion detection system
- 5 private dedicated IPs
The configuration of your ecommerce application to use such an environment and the tuning of a multi-system hosting environment for advanced ecommerce applications such as AbleCommerce are the responsibility of the merchant.
The SAQ-D will need to be completed along with the many information security policies that it requires to be publicly and privately maintained. This hosting system will also be required to pass a quarterly network vulnerability scan to be PCI-DSS compliant.
The best advice one can give to a SAQ validation type 5 merchant is, unless is absolutely necessary do not store credit card numbers data in your ecommerce system!
The primary factor that distinguishes type 4 from type 5 for ecommerce merchants is the storage of cardholder data. Unless this is absolutely necessary it should be removed from the business model.