I am trying to find clarification regarding PCI Compliance SAQ A-EP and third party hosting solutions.

In order to achieve SAQ A-EP PCI Compliance using "Hosting Company A" is it necessary for "Hosting Company A" to be a Certified PCI Compliant Service Provider?

Feel free to expand your response as necessary, but what I am hoping to find is a Yes or No answer and "why".

Anders

1 Answer

Yes, SAQ A-EP requires your hosting provider be validated to all applicable PCI DSS requirements.

To quote the SAQ A-EP itself (emphasis mine):

SAQ A-EP merchants confirm that, for this payment channel:

...

  • If merchant website is hosted by a third-party provider, the provider is validated to all applicable PCI DSS requirements (e.g., including PCI DSS Appendix A if the provider is a shared hosting provider);
  • All elements of payment pages that are delivered to the consumer’s browser originate from either the merchant’s website or a PCI DSS compliant service provider(s);
gowenfawr