
What Is PCI-Compliant Hosting? Definition and How It Works

Definition

PCI-compliant hosting is infrastructure that meets the technical and operational security requirements of the Payment Card Industry Data Security Standard for environments that store, process, or transmit cardholder data.

How it works

PCI DSS defines 12 requirement categories covering network security, access control, encryption, vulnerability management, monitoring, and security testing. A hosting environment is PCI-compliant when it meets the applicable subset of these requirements for the system components within scope.

PCI scope is determined by what cardholder data flows through or is stored in the hosting environment. Hosting that processes or stores raw card numbers (PANs), CVV values, or full track data is in full PCI scope (and note that storing CVV or full track data after authorisation is prohibited outright, regardless of how the hosting is secured). Hosting that only handles tokenised references or encrypted data blobs may have reduced scope, but the encryption and tokenisation systems themselves remain in scope.

Cloud hosting environments (AWS, Azure, GCP) offer PCI-compliant infrastructure options, but cloud provider certification does not automatically make a merchant's application PCI-compliant. The provider's responsibility covers physical data centre security, hypervisor isolation, and network controls. The merchant remains responsible for the application layer: how data is stored, transmitted, and protected within the environment.

PCI compliance for hosted environments is validated through an annual assessment. Merchants with lower transaction volumes complete a Self-Assessment Questionnaire (SAQ) aligned to their integration type. Merchants above 6 million transactions annually (PCI Level 1) require a third-party Qualified Security Assessor (QSA) audit and an annual Report on Compliance (ROC).

Why it matters

A merchant's cloud deployment does not inherit the provider's PCI certification: AWS, Azure, and GCP are PCI-certified for their infrastructure layer only. Merchants running applications on these platforms must validate the application and configuration layer separately. "Our servers are in AWS" is not a PCI compliance statement.

Scope reduction is achievable through architecture: merchants who route card data through a third-party PCI-certified provider (tokenisation, hosted payment page) can significantly reduce the footprint of their own PCI-compliant hosting requirements. Minimising the scope of in-scope systems reduces audit complexity and cost.

Shared hosting is not PCI-compliant for card data: hosting environments where multiple tenants share infrastructure without full isolation are not appropriate for environments storing or processing cardholder data. Dedicated or properly isolated cloud environments are required.

Annual re-validation is mandatory: PCI compliance is not a one-time certification. Environments must be re-assessed annually, and merchants must demonstrate continuous compliance throughout the year, not just at the point of assessment.

With PXP

PXP operates PCI DSS Level 1-certified infrastructure for all card data processing and storage on its platform. Merchants using PXP's hosted payment page or tokenisation services remove card data handling from their own environment entirely, reducing their PCI-compliant hosting obligations to the residual systems that interact with tokens and transaction references.


Frequently asked questions

What does a cloud provider's PCI certification actually cover?

Major cloud providers (AWS, Azure, GCP) certify their infrastructure layer: physical data centre security, network controls, hypervisor isolation, and shared service security. Their certification does not cover the merchant's application code, database configuration, access controls, or data handling practices running on top of that infrastructure. Merchants are responsible for the application and configuration layer.

What is the difference between PCI scope and PCI compliance?

PCI scope defines which systems, components, and processes are subject to PCI DSS requirements because they store, process, or transmit cardholder data, or are connected to systems that do. PCI compliance means those in-scope systems meet all applicable PCI DSS requirements. Reducing scope, by tokenising card data or using a hosted payment page, is a legitimate strategy to make compliance more manageable.

Do merchants need separate PCI-compliant hosting for test and production environments?

Yes. If a test environment processes real cardholder data (which should be avoided), it is in PCI scope. If it uses only test card numbers, it is out of scope. The best practice is to use synthetic test data exclusively in non-production environments, which keeps development and staging infrastructure out of PCI scope entirely.
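One way to enforce the synthetic-data practice described above, as an added example that is not PXP's code: a scanner over staging logs or data exports that flags Luhn-valid card numbers absent from a synthetic test-card allowlist. The allowlist (two widely published test numbers), the sample log and the real-looking PAN in it are constructed; `scan_text`, `luhn_valid` and `mask` are names chosen here.

```python
"""Flag real-looking PANs in non-production data so test environments stay out of PCI scope."""
import re

# Constructed allowlist of widely published test numbers; extend with your PSP's test cards.
TEST_PANS = {"4111111111111111", "5555555555554444"}

# 13-19 digits, optionally separated by single spaces or dashes, not inside a longer digit run.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn check digit test."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask(pan: str) -> str:
    """Keep only the first six and last four digits, the PCI DSS display-masking rule."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan_text(text: str, allowlist=TEST_PANS) -> list:
    """Return (line_no, masked_pan) for each Luhn-valid number that is not an allowed test card."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for m in PAN_CANDIDATE.finditer(line):
            pan = re.sub(r"[ -]", "", m.group())
            if 13 <= len(pan) <= 19 and luhn_valid(pan) and pan not in allowlist:
                findings.append((line_no, mask(pan)))
    return findings


# Constructed staging log: an allowed test card, a Luhn-invalid typo, a real-looking PAN
# (constructed, Luhn-valid, not on the allowlist) and a 17-digit order id that is not a PAN.
SAMPLE_LOG = """\
INFO auth ok card=4111111111111111 amount=10.00
INFO auth declined card=4111-1111-1111-1112 amount=5.00
WARN import row 17 card=4539 1488 0343 6467 amount=99.99
INFO order 20240101123456789 created
"""

if __name__ == "__main__":
    for line_no, masked in scan_text(SAMPLE_LOG):
        print(f"line {line_no}: possible live PAN {masked}")
```

Run it against exports and logs from every non-production environment; a single hit means that environment has been handling live cardholder data and is in scope until it is cleaned and the source of the leak is closed.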

How often does PCI-compliant hosting need to be re-validated?

PCI DSS requires annual validation, but compliance must be maintained continuously throughout the year. This includes quarterly vulnerability scans by an Approved Scanning Vendor (ASV), annual penetration testing, and ongoing compliance with all 12 requirement areas. A gap in any of these activities during the year means the environment was out of compliance even if the annual assessment was completed.