PCI Compliance
Posted on 14 January 2015 06:14 PM

No matter where you host your website, you must never allow credit card data to pass through your website. That includes credit card numbers, expiration dates, CVV numbers, and so on. The reason is that doing so requires you to maintain compliance with a complex and expensive standard called PCI-DSS, described in more detail below.

Fortunately it’s easy to have a site that doesn’t actually process credit card data, and therefore doesn’t need to be PCI-DSS compliant. All you need to do is use an external credit card processing system. There are many such 3rd-party processors, and Touch Support holds no opinion on which you choose. That is, we neither recommend nor block those processors. Examples of these sorts of processors include (but certainly aren’t limited to): Authorize.NET, PayPal, Stripe, Braintree, Recurly, and Chargify.
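The point of the approach above is that your server only ever sees an opaque token issued by the processor, never the card itself. A useful safeguard on the server side is to reject any checkout request that carries raw card data, so that a front-end mistake (or a copied form field) cannot silently bring card numbers into your hosting environment. The following is an added example, not code from Touch Support or from any of the processors named above; the payload shape, field names, and the `ptok_` token prefix are assumptions made for the example, and the card number used in the test is a constructed value.

```python
import re
from typing import List

# Assumed checkout payload shape for this example: the browser submits an opaque
# token issued by the third-party processor, never the card data itself.
ALLOWED_FIELDS = {"payment_token", "amount_cents", "currency", "order_id"}

# Field names that indicate raw card data (constructed list for the example).
CARD_FIELD_PATTERN = re.compile(r"(card|pan|cvv|cvc|ccv|expir|exp_month|exp_year)", re.I)


def luhn_valid(digits: str) -> bool:
    """Return True if a digit string passes the Luhn checksum used by card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def looks_like_pan(value) -> bool:
    """True when a value is a 13-19 digit string (spaces/dashes ignored) that passes Luhn."""
    if not isinstance(value, str):
        return False
    digits = re.sub(r"[ -]", "", value)
    return digits.isdigit() and 13 <= len(digits) <= 19 and luhn_valid(digits)


def validate_checkout_payload(payload: dict) -> List[str]:
    """Return the reasons a checkout payload must be rejected; an empty list means accept.

    Three checks are applied to every field: the field must be one we expect, its name
    must not describe card data, and its value must not look like a card number (this
    last check catches a card number smuggled in under an innocent-looking key).
    """
    problems = []
    for key, value in payload.items():
        if key not in ALLOWED_FIELDS:
            problems.append(f"unexpected field {key!r}")
        if CARD_FIELD_PATTERN.search(key):
            problems.append(f"field {key!r} names card data")
        if looks_like_pan(value):
            problems.append(f"field {key!r} contains a value that looks like a card number")
    if "payment_token" not in payload:
        problems.append("missing payment_token")
    return problems


if __name__ == "__main__":
    # Constructed sample requests: one tokenized (acceptable), one carrying raw card data.
    good = {"payment_token": "ptok_EXAMPLE", "amount_cents": 1999,
            "currency": "USD", "order_id": "A1"}
    bad = {"card_number": "4111 1111 1111 1111", "cvv": "123", "amount_cents": 1999}
    print("tokenized request:", validate_checkout_payload(good) or "accepted")
    print("raw card request:", validate_checkout_payload(bad))
```

Rejecting such a request (and logging only the field name, never the value) keeps the card data out of your application logs and database, which is exactly the scope reduction the article is describing.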

Are Touch Support's services PCI-DSS compliant?

As long as no payment card data is stored, hosted, or otherwise processed by Touch Support, then Touch Support is compliant with PCI-DSS requirements. It is your responsibility to ensure that no such data is brought onto the Touch Support infrastructure.

Additionally, it’s not possible for a web hosting company or service provider to itself be “PCI compliant.” The reason is that compliance depends on many things, including how you, the customer, control access to your site, what precautions you take with your source code, how you store data on disk and in your database, whether you run certain kinds of security scans, how you transmit data across public networks, and so on. The bulk of these requirements are the responsibility of the site owner, not of the physical web host. Therefore the host itself isn’t close to sufficient to make a site “compliant.”

Touch Support does have internal policies and procedures around human access, logging, security practices, physical access practices, and so on, which are a part of being PCI compliant but which don’t “make you compliant” automatically as a customer.

Because “compliance” is something that you as the customer are ultimately responsible for, and because any web host is limited in how much it can contribute to that compliance, we always recommend that you architect your site so that it does not require PCI compliance at all. Rely instead on services such as the ones listed above for all sensitive payment data. This removes the need for you to achieve compliance, and it makes your site more secure in the process.
