In this KB
- Introduction to PCI
- Importance of PCI
- Is Cloudways a PCI-DSS compliant solution?
What is PCI?
PCI stands for Payment Card Industry. PCI DSS (Payment Card Industry Data Security Standard) is the set of security requirements, maintained by the PCI Security Standards Council on behalf of the card brands (Visa, Mastercard, American Express etc.), that applies to any organization or e-commerce store that stores, processes or transmits cardholder data. Its goal is to ensure that card transactions, and the cardholder data behind them, are protected.
PCI DSS is organised around six control objectives, each broken down into detailed requirements. At a high level they are:
- Build and maintain a secure network and systems (firewalls, no vendor-default passwords).
- Protect cardholder data, both where it is stored and while it is transmitted over public networks.
- Maintain a vulnerability management program (anti-malware, secure development, timely patching).
- Implement strong access control measures.
- Regularly monitor and test networks (logging, vulnerability scans, penetration tests).
- Maintain an information security policy.
Why is PCI Important?
Any application or website that processes, stores or transmits credit card information must comply with PCI DSS. Otherwise the merchant risks consequences from the card brands and its acquiring bank, such as fines or losing the ability to accept card payments.
Even if card transactions on a website are handled by a third-party payment service, the merchant still has to be PCI compliant. Outsourcing payment handling reduces the scope of what has to be assessed, but it does not remove the obligation.
Is Cloudways a PCI-DSS Compliant Solution?
Although this is a common question, there is no simple yes or no answer. A managed web-hosting platform by itself cannot be deemed PCI compliant, because compliance depends on many things, including but not limited to what the customer does about the following:
- Control of access to the site
- Precautions taken in the application code
- How data is stored on hard drives and databases
- Running the required security scans (for example quarterly external vulnerability scans) and acting on the results.
In other words, most of these requirements are primarily the responsibility of the customer rather than the web hosting service. That said, because Cloudways is a managed web hosting company built on top of different cloud infrastructure providers such as Amazon, Google Compute Engine, Vultr and DigitalOcean, PCI compliance also depends on the provider underneath.
For instance, the underlying infrastructure of the Google Compute Engine, Amazon AWS and Linode providers available at Cloudways is validated as PCI DSS (Data Security Standard) Level 1 compliant.
However, this on its own is not enough. The provider's compliance covers only the infrastructure layer; as mentioned earlier, a PCI compliant organization must also deploy and operate its applications in accordance with the standard.
For reference, the following are some of the factors that determine whether PCI compliance is required and whether it is being met:
- Does the application store cardholder information?
- Which users have access to the application and its data?
- Does the entire website use HTTPS, not just the checkout pages?
- Are security patches and updates for the application and its plugins applied regularly?
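The HTTPS factor above is the one that is usually easiest to get wrong in a web server configuration, so here is a before-and-after illustration. This is an added example, not configuration from Cloudways or from the original article, and it assumes a server whose nginx configuration you administer directly; the hostname shop.example.com and the certificate paths are hypothetical placeholders.

```nginx
# Weak configuration (as an example of what to avoid): the site is reachable over
# plain HTTP as well as HTTPS, so any page, including the checkout, can be loaded
# or downgraded to cleartext, and SSLv3 / early TLS are still accepted.
server {
    listen 80;
    server_name shop.example.com;          # hypothetical hostname
    root /var/www/shop;                    # same site content served in cleartext
}

server {
    listen 443 ssl;
    server_name shop.example.com;
    ssl_certificate     /etc/ssl/shop/fullchain.pem;   # hypothetical paths
    ssl_certificate_key /etc/ssl/shop/privkey.pem;
    ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;         # SSL and early TLS are not acceptable under PCI DSS
    root /var/www/shop;
}

# Corrected configuration: every HTTP request is answered with a redirect and nothing
# is served in cleartext; only TLS 1.2 and 1.3 are offered; HSTS tells browsers to
# stay on HTTPS for the whole site and its subdomains.
server {
    listen 80;
    server_name shop.example.com;
    return 301 https://$host$request_uri;  # no root, no content over HTTP
}

server {
    listen 443 ssl;
    server_name shop.example.com;
    ssl_certificate     /etc/ssl/shop/fullchain.pem;   # hypothetical paths
    ssl_certificate_key /etc/ssl/shop/privkey.pem;
    ssl_protocols TLSv1.2 TLSv1.3;                     # SSLv3, TLS 1.0 and TLS 1.1 are no longer offered
    ssl_prefer_server_ciphers off;                     # let modern clients pick from the TLS 1.2/1.3 suites
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
    root /var/www/shop;
}
```

After changing the configuration, confirm it with a client rather than trusting the file: a plain HTTP request to any path should return a 301 to the HTTPS URL, and a TLS handshake that offers only TLS 1.0 or 1.1 should be refused. An external vulnerability scan, which PCI DSS requires on a quarterly basis, will flag both issues if they are still present.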
If you are still unclear about your situation or have further questions in this regard, please contact the support team for more details.