Diff: FAQ #1221

Do shared hosting providers need to comply with PCI DSS?

Earlier Version (2018-08-14 00:00:00 UTC)

All service providers are responsible for meeting PCI DSS requirement 2.6, and Appendix A1: “Additional PCI DSS Requirements for Shared Hosting Providers” is applicable to all shared hosting providers whose customers store, process, or transmit cardholder data. A shared hosting provider is one that houses multiple customers on the same server. To determine the applicable PCI DSS requirements for a given shared hosting provider, please contact a Qualified Security Assessor (QSA). The list of QSAs can be found at https://www.pcisecuritystandards.org/assessors_and_solutions/qualified_security_assessors

Whether a service provider is required to validate PCI DSS compliance is determined by the individual payment brands. Entities should always contact the entity that manages their compliance program directly to determine their compliance reporting requirements. Contact details for the payment brands can be found in FAQ #1142: How do I contact the payment card brands?

Later Version (2024-02-27 21:54:00 UTC)

All service providers are responsible for meeting PCI DSS requirements for their environments as applicable to the services offered to their customers. In addition, PCI DSS Appendix A1: Additional PCI DSS Requirements for Multi-Tenant Service Providers applies to multi-tenant service providers, which is a type of third-party service provider (TPSP) that offers various shared services to merchants and other service providers.

In PCI DSS v4.0, the title of Appendix A1 was updated to “Additional PCI DSS Requirements for Multi-Tenant Service Providers” to support the broader range of technologies used to provide shared services. In PCI DSS v3.2.1, Appendix A1 was entitled “Additional PCI DSS Requirements for Shared Hosting Providers”.

Service providers that offer only shared data center services (often called co-location or “co-lo” providers), where equipment, space, and bandwidth are available on a rental basis, are not considered service providers for purposes of Appendix A1 in either PCI DSS v3.2.1 or PCI DSS v4.0. In addition, these requirements for multi-tenant service providers are not applicable when servers are dedicated to a single customer (but all other applicable PCI DSS requirements do apply).

For additional information and applicable requirements for these TPSPs, refer to PCI DSS Appendix A1: Additional PCI DSS Requirements for Multi-Tenant Service Providers.

Whether a service provider is required to validate PCI DSS compliance is determined by the organizations that manage compliance programs (for example, an acquirer, payment brands, or other entity). Entities should always contact their acquirer or the payment brands that manage their compliance program directly to determine their compliance reporting requirements. Contact details for the payment brands can be found in FAQ #1142: How do I contact the payment card brands?