PCI Requirement 2.6 – Shared Hosting Providers Must Protect Each Entity’s Hosted Environment

by Randy Bartels / June 30th, 2017

What is a Shared Hosting Provider?

PCI Requirement 2.6 exists to protect shared hosting environments. When multiple clients' data sits on the same server, a weakness introduced by one client affects everyone on that server. For example, one client could deploy an insecure application, and because all of the clients' data lives in a single environment under the provider's control, an attacker who exploits that application could reach the other clients' data as well. This is why PCI Requirement 2.6 requires that shared hosting providers protect the cardholder data of every single entity's hosted environment. PCI 2.6 states, "Shared hosting providers must protect each entity's hosted environment and cardholder data. These providers must meet specific requirements as detailed in Appendix A1: Additional PCI DSS Requirements for Shared Hosting Providers."

There are two parts to determining whether PCI Requirement 2.6 applies to you: first, determine whether your organization is a service provider, so that you can then determine whether or not you are a shared hosting provider. If your organization supports third parties that interact with cardholder data, interacts with cardholder data in some capacity, or has the ability to impact the security of cardholder data, then your organization is defined as a service provider. If your organization hosts applications, websites, or anything else on behalf of third parties, and has multiple clients on the same platform, then your organization is a shared hosting provider. So, PCI Requirement 2.6 is intended for hosting providers that provide shared hosting environments for multiple clients on the same server.

PCI Requirement 2.6 also points you to Appendix A1: Additional PCI DSS Requirements for Shared Hosting Providers. If your organization is a shared hosting provider, then Appendix A1 is applicable to you. You should work through the requirements and testing procedures outlined in Appendix A1 to verify that you are appropriately protecting each hosted environment and the cardholder data in it.

If you have any questions about whether or not you're a shared hosting service provider, we encourage you to start that conversation with your assessor, who can walk you through the process of categorizing your organization.

PCI Requirement 2.6 Transcription

When we get to Requirement 2.6 within the PCI DSS, that’s really kind of a pointer down to Appendix A. Specifically for PCI DSS version 3.2, it’s Appendix A1. Requirement 2.6 says that if you’re a shared hosting service provider, Appendix A1 applies to you. If you’re interested in what those requirements are and what they mean, please have a look at those videos.

Requirement 2.6, pointing down to Appendix A, has to do with shared hosting service providers, so I want to take a few moments to describe to you what a shared hosting service provider is. If you're an organization that is supporting third parties that interact with cardholder data and you are interacting with cardholder data in some capacity, or you might have the ability to impact the security of it, you are defined as a service provider. The other part of that clause is the shared hosting service provider. If you're hosting applications, hosting websites, hosting anything on behalf of a third party, and you have multiple clients on the same platform, that puts you into the shared hosting service provider category. That would also make Appendix A1 applicable to you.

If you have any questions on whether or not you’re a shared hosting service provider, take the opportunity to have that conversation with your assessor. I’m sure they’d love describing that and walking you through the process to fully identify whether or not you are a shared hosting service provider.