We frequently get asked if Kinsta offers PCI compliant hosting and so today we’ll dive into this topic. Many don’t realize that every e-commerce store that processes, stores, or transmits credit card data is required to be PCI compliant, regardless of their annual sales volume. So it’s important to take some time and better understand PCI compliance and how it impacts your business.

What is PCI?

The term PCI stands for “Payment Card Industry.” You’ll often hear it in the context of PCI DSS — the Payment Card Industry Data Security Standard. This is a set of security standards for any company that accepts, stores, or transmits credit card data, created to protect consumers and ensure payment data is handled securely.

Companies like American Express, Discover, JCB International, MasterCard, and Visa have their own compliance programs, but they all follow the rules set by the PCI Security Standards Council (of which they are founding members).

In March 2022, PCI DSS version 4.0 was released, replacing the older 3.2.1 standard. The new version focuses on strengthening security and offering more flexibility in how businesses meet compliance goals. Key changes include:

  • A new “customized approach” to compliance, alongside the traditional checklist-based model
  • Mandatory multi-factor authentication (MFA) for all access to cardholder data environments
  • An increased focus on security as a continuous process, not a one-time fix
  • Enhanced requirements for securing e-commerce platforms and web applications — especially relevant for WordPress and WooCommerce sites

If you’re managing payments or customer data on your WordPress site, it’s important to understand how these changes affect your responsibilities under PCI DSS.

Does Kinsta offer PCI compliant hosting?

It’s important to understand that just because a host might be PCI compliant, that doesn’t automatically mean your website is. That’s because PCI DSS compliance follows a shared responsibility model.

As a managed WordPress hosting provider, Kinsta is responsible for securing the server infrastructure, keeping operating system patches up to date, enforcing strict network-level protections, and supporting secure TLS (HTTPS) connections. However, everything above the infrastructure layer — such as securing your WordPress installation, managing plugins and themes, handling payment information, and properly configuring your site — falls under your control.

In practice, that means the majority of the responsibility still rests with you as the website owner. For example, if you’re running a WooCommerce store, you’re responsible for handling customer data, processing credit cards, securing user accounts, and maintaining your site’s codebase.

Kinsta does not guarantee PCI compliance, and we cannot audit your site to verify whether your implementation meets the requirements. However, that doesn’t mean you can’t be PCI compliant while hosting with us.

Many of our clients have worked with third-party auditors to successfully pass PCI compliance scans. In some cases, we’ve made a few minor infrastructure adjustments upon request, but the audits were passed through a combination of client-side configuration and third-party guidance.

While we don’t participate directly in the audit process, we’re happy to help with specific changes where needed.

How to be compliant

Here are a few best practices to ensure you’re compliant at Kinsta:

1. PCI self-assessment questionnaire

Fill out a Self-Assessment Questionnaire (SAQ) annually to help you determine if your payment processing setup is PCI compliant.

2. TLS and HTTPS

Serve your payment pages securely using TLS 1.3 (preferred) or TLS 1.2 to enable HTTPS (encrypted connections). PCI DSS 4.0 requires a secure TLS configuration, including strong cipher suites and regular security assessments. Kinsta always keeps TLS versions up to date on our servers, and you can easily install an SSL certificate from your MyKinsta dashboard.

Here’s how to install the SSL certificate on WooCommerce.

PCI DSS 4.0 accepts domain validated (DV) certificates, provided they use strong cryptographic algorithms (such as SHA-256 signatures) and are properly maintained. At Kinsta, SSL certificates — including wildcard support — are automatically issued through our free Cloudflare integration, ensuring secure and compliant HTTPS connections by default. For added assurance or organizational requirements, you may also choose to install a custom EV (Extended Validation) or OV (Organization Validated) certificate.

Make sure to read our TLS vs SSL guide.
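The TLS requirements above (TLS 1.2 or 1.3 only, strong cipher suites) can be checked against an actual TLS policy rather than taken on trust. The following is an added example written for this article, not Kinsta's code or a description of how Kinsta configures its servers: it builds a server-side TLS context with Python's standard `ssl` module, restricted the way a PCI assessor would expect, and then audits it. The list of weak cipher-suite markers is a constructed list of the legacy algorithms most commonly flagged (NULL, export-grade, RC4, DES/3DES, MD5, anonymous key exchange); extend it to match your assessor's guidance.

```python
import ssl

# Constructed list of name fragments that mark a legacy cipher suite.
# NULL = no encryption, EXP = export grade, ADH/AECDH = anonymous key exchange.
WEAK_CIPHER_MARKERS = ("NULL", "EXP", "RC4", "DES", "MD5", "ADH", "AECDH")


def build_server_context():
    """Create a server-side TLS context that only negotiates TLS 1.2 or TLS 1.3."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.maximum_version = ssl.TLSVersion.TLSv1_3
    # For TLS 1.2, allow only AEAD suites with forward secrecy (ECDHE key exchange).
    # TLS 1.3 suites are governed separately by OpenSSL and are all AEAD.
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!MD5:!RC4:!3DES")
    return ctx


def find_weak_ciphers(cipher_names):
    """Return the subset of cipher-suite names that match a weak marker."""
    return [n for n in cipher_names if any(m in n for m in WEAK_CIPHER_MARKERS)]


def audit_context(ctx):
    """Audit a context; an empty 'problems' list means the policy passes this check."""
    problems = []
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        problems.append(
            f"minimum TLS version is {ctx.minimum_version.name}; TLSv1_2 or higher is required"
        )
    enabled = [c["name"] for c in ctx.get_ciphers()]
    for name in find_weak_ciphers(enabled):
        problems.append(f"weak cipher suite enabled: {name}")
    return {
        "min_version": ctx.minimum_version.name,
        "ciphers": enabled,
        "problems": problems,
    }


if __name__ == "__main__":
    report = audit_context(build_server_context())
    print("minimum version:", report["min_version"])
    print("enabled suites: ", ", ".join(report["ciphers"]))
    print("problems:       ", report["problems"] or "none")
```

This checks the policy your server process is configured with, which is the part you control; an external scan from an Approved Scanning Vendor is still what the standard requires, because it also observes the certificate chain, protocol downgrade behaviour, and anything a CDN or proxy in front of the origin changes.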

3. Process payments via third-party provider

One of the easiest ways to potentially simplify PCI compliance is to process your credit card transactions via a third-party provider. You can easily hook up your WooCommerce or Easy Digital Downloads store with a payment gateway, such as Stripe or PayPal. You should still look through their PCI compliance guidelines though as simply processing credit cards off-site doesn’t always guarantee compliance. There may be additional steps required.

4. Implement a firewall

PCI DSS requires that systems handling cardholder data are protected by properly configured firewalls to control traffic and block unauthorized access. At Kinsta, every site benefits from two layers of firewall protection:

  • Google Cloud Platform’s network-level firewall blocks malicious traffic before it ever reaches your hosting environment.
  • Cloudflare’s edge firewall is included as part of Kinsta’s free Cloudflare integration, providing additional protection at the DNS and application layer, including smart traffic filtering and DDoS mitigation.

This dual-layer approach offers strong default protection against common threats, including unauthorized access attempts and malicious bots.

If your PCI auditor or security team requires additional customization, you can also integrate a third-party web application firewall (WAF) like Sucuri or standalone Cloudflare plans with custom rules.

5. Perform regular security testing

PCI DSS 4.0 includes specific requirements around ongoing security testing. This includes vulnerability scanning, penetration testing, and file integrity monitoring to detect and address potential security threats before they become issues.

At Kinsta, we protect your environment with features like DDoS mitigation, malware scanning, hardware firewalls, and other infrastructure-level safeguards. However, you are responsible for testing the application layer — including your WordPress site, plugins, themes, and any custom code.

Beyond Approved Scanning Vendor (ASV) scans, we also recommend regular internal testing to reduce risk and stay ahead of compliance checks:

  • Use a vulnerability scanner to detect outdated or insecure plugins and themes
  • Schedule periodic penetration tests, especially if you handle payment data directly
  • Enable file change monitoring using a WordPress security plugin

Some payment processors or third-party security firms may also provide tools to help meet these testing requirements as part of your PCI compliance process.
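File change monitoring, recommended above, is straightforward to implement and worth understanding even if you use a plugin for it. The following is an added example written for this article, not Kinsta's code and not any particular plugin's implementation: it records a SHA-256 baseline of every file under a directory, then compares a later snapshot and reports files that were added, removed or modified. The demo builds a tiny constructed directory tree standing in for a WordPress install and tampers with it in all three ways; the file names in it are made up for the demonstration.

```python
import hashlib
import tempfile
from pathlib import Path


def hash_file(path, chunk_size=65536):
    """SHA-256 of a file, read in chunks so large uploads do not load into memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root):
    """Map every regular file under root (as a POSIX relative path) to its digest."""
    root = Path(root)
    return {
        p.relative_to(root).as_posix(): hash_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def compare_to_baseline(baseline, current):
    """Return sorted lists of added, removed and modified relative paths."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(
        p for p in baseline if p in current and baseline[p] != current[p]
    )
    return {"added": added, "removed": removed, "modified": modified}


def demo():
    """Constructed scenario: baseline a fake site tree, change it, report the diff."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        plugin = root / "wp-content" / "plugins" / "example-plugin"
        plugin.mkdir(parents=True)
        (root / "wp-content" / "uploads").mkdir()
        (root / "wp-config.php").write_text("<?php // constructed sample config\n")
        (plugin / "example-plugin.php").write_text("<?php // constructed plugin v1\n")
        (plugin / "readme.txt").write_text("constructed readme\n")

        baseline = build_baseline(root)  # in production: store this outside the web root

        # Simulate what a compromise or an unreviewed change looks like on disk.
        (plugin / "example-plugin.php").write_text("<?php // modified without a release\n")
        (root / "wp-content" / "uploads" / "unexpected.php").write_text("<?php // should not be here\n")
        (plugin / "readme.txt").unlink()

        return compare_to_baseline(baseline, build_baseline(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths or '-'}")
```

Two design points matter for a real deployment: keep the baseline (and the script) outside the directory being monitored, otherwise whoever modifies the site can also rewrite the baseline, and re-baseline deliberately after each plugin or core update so that expected changes do not drown out unexpected ones. A PHP file appearing under `wp-content/uploads`, as in the demo, is the kind of finding that should page someone.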

6. Multi-factor authentication

Multi-factor authentication (MFA) is a security method that requires users to provide two or more types of credentials before gaining access — typically a combination of something you know (like a password) and something you have (like a code from an authenticator app on your phone).

This is commonly referred to as two-factor authentication (2FA), which is a specific form of MFA that uses exactly two factors. While the terms are often used interchangeably, PCI DSS 4.0 now uses the broader term MFA and expands the situations where it’s required.

Under PCI DSS 4.0, MFA is mandatory for:

  • All access to the cardholder data environment (CDE)
  • All remote access to systems that handle payment data
  • Any administrative access to payment processing systems

At Kinsta, you can enable MFA to help secure both your MyKinsta dashboard and your WordPress admin area. We strongly recommend enabling it in both places to reduce the risk of unauthorized access.

7. Data center security

Kinsta uses Google Cloud Platform, which applies state-of-the-art security across its data centers: safeguards like custom-designed electronic access cards, alarms, vehicle access barriers, perimeter fencing, metal detectors, and biometrics. The data center floor features laser beam intrusion detection.

Their data centers are monitored 24/7 by high-resolution cameras and patrolled by security guards who have gone through rigorous background checks. Every action and activity is logged and recorded in case an incident occurs.

Data is encrypted in transit between Google, its customers, and its data centers, and at rest across all Cloud Platform services. Data stored on persistent disks is encrypted with 256-bit AES, and each data encryption key is itself encrypted with a set of regularly changed master keys.

GCP’s Compute Engine service undergoes regular compliance assessments by independent Qualified Security Assessors and currently maintains PCI DSS 4.0 compliance for its infrastructure services. However, this doesn’t mean you’re automatically PCI compliant. Everything we’ve mentioned above still applies, as you’re the one ultimately responsible for ensuring your site is PCI compliant.

GCP’s PCI Attestation of Compliance and SOC 2 reports are not publicly available. They are provided directly by GCP only after a non-disclosure agreement is in place, so if you need these documents for your own audit you must request them from GCP yourself.

Read more about Google Cloud Platform’s security.

Kinsta is SOC 2 compliant. You can find out more on our SOC 2 compliance page, or visit our Trust Report page.