
What is a Shared Hosting Provider?
PCI Requirement 2.6 exists to protect shared hosting environments. When multiple clients' data resides on the same server, a weakness introduced by one client can affect every other client on that server. For example, one client could deploy insecure code, and because all of the data sits within a single environment, the other clients' data could also be compromised. This is why PCI Requirement 2.6 requires shared hosting providers to protect the cardholder data of every entity's hosted environment. PCI Requirement 2.6 states, "Shared hosting providers must protect each entity's hosted environment and cardholder data. These providers must meet specific requirements as detailed in Appendix A1: Additional PCI DSS Requirements for Shared Hosting Providers."
There are two parts to PCI Requirement 2.6: first, determine whether your organization is a service provider, and then determine whether it is also a shared hosting provider. If your organization supports third parties that interact with cardholder data, interacts with cardholder data in some capacity, or has the ability to impact the security of cardholder data, then your organization is defined as a service provider. If your organization hosts applications, websites, or anything else on behalf of a third party, and has multiple clients on the same platform, then it is a shared hosting provider. PCI Requirement 2.6 is therefore intended for hosting providers that operate shared hosting environments for multiple clients on the same server.
PCI Requirement 2.6 also focuses on Appendix A1: Additional PCI DSS Requirements for Shared Hosting Providers. If your organization is a shared hosting provider, then Appendix A1 is applicable to you. You should perform the testing procedures outlined in Appendix A1 to verify that you are appropriately protecting hosted environments and cardholder data.
If you have any questions about whether or not you're a shared hosting service provider, we encourage you to start that conversation with your assessor, who can walk you through the process of categorizing your organization.
PCI Requirement 2.6 Transcription
When we get to Requirement 2.6 within the PCI DSS, that's really kind of a pointer down to Appendix A. Specifically for PCI DSS version 3.2, it's Appendix A1. Requirement 2.6 says that if you're a shared hosting service provider, Appendix A1 applies to you. If you're interested in what those requirements are and what they mean, please have a look at those videos.
Requirement 2.6, pointing down to Appendix A, has to do with shared hosting service providers, so I want to take a few moments to describe to you what a shared hosting service provider is. If you're an organization that is supporting third parties that interact with cardholder data and you are interacting with cardholder data in some capacity, or you might have the ability to impact the security of it, you are defined as a service provider. The other part of that clause is the shared hosting service provider. If you're hosting applications, hosting websites, hosting anything on behalf of a third party, and you have multiple clients on the same platform, that puts you into the shared hosting service provider category. That would also make Appendix A1 applicable to you.
If you have any questions on whether or not you're a shared hosting service provider, take the opportunity to have that conversation with your assessor. I'm sure they'd love describing that and walking you through the process to fully identify whether or not you are a shared hosting service provider.