We frequently get asked if Kinsta offers PCI compliant hosting and so today we’ll dive into this topic. Many don’t realize that every eCommerce store that processes, stores, or transmits credit card data is required to be PCI compliant, regardless of their annual sales volume. So it’s important to take some time and better understand PCI compliance and how it impacts your business.
What is PCI?
The term PCI stands for “Payment Card Industry.” You’ll often hear this associated with PCI DSS which is the Payment Card Industry Data Security Standard. Basically, it’s a set of security standards for all companies that accept, store, and transmit credit card data. This was designed to protect consumer’s data and ensure that credit card data is processed in a secure environment.
Companies such as American Express, Discover, JCB International, MasterCard, and Visa all have their own compliance programs but are governed by the security standards set in place by the PCI Security Standards Council (of which they are founding members).
Does Kinsta Offer PCI Compliant Hosting?
It’s important to understand that just because a host might be PCI compliant, that doesn’t automatically mean you’re compliant if you host your website with them. The reason is that the bulk of the responsibility for ensuring security still falls on you as the website owner. For example, if you’re running a WooCommerce store, you are the one ultimately responsible for handling customers data, processing credit cards, storing and authenticating login information, and maintaining the code of your site.
Kinsta does not guarantee PCI compliance, and we are not able to audit your site to verify that you’re doing things right either. However, that doesn’t mean you can’t be PCI compliant when hosting your website with us. In fact, we have many clients who have worked with third-party auditors to pass PCI compliance scans. In many of these cases, we’ve had to make a few minor adjustments upon request, but these clients have been able to pass the audit just fine after a little fine-tuning on both our end and theirs.
While we do not get directly involved in the audit process, as this is the responsibility of the website owner, we can make specific adjustments upon request.
How to Be Compliant
Here are a few best practices to ensure you’re compliant at Kinsta:
1. PCI Self-Assessment Questionnaire
Fill out a Self-Assessment Questionnaire (SAQ) annually to help you determine if your payment processing setup is PCI compliant.
2. TLS and HTTPS
Serve your payment pages securely using a modern version of TLS (1.2 or higher) so that your website makes use of HTTPS (encrypted connections). Kinsta always keeps TLS versions up to date on our servers and you can easily install an SSL certificate from your MyKinsta dashboard.
Note: PCI (payment card industry) standards currently accept domain validated (DV) certificates, which means free Let’s Encrypt certificates can be used. However, these rules could also change in the future. If you aren’t comfortable with this, or an auditor recommends against it, you can always install a custom SSL certificate. This provides additional protection as well, such as a warranty in case of a data breach.
3. Process Payments via Third-Party Provider
One of the easiest ways to potentially simplify PCI compliance is to process your credit card transactions via a third-party provider. You can easily hook up your WooCommerce or Easy Digital Downloads store with a payment gateway, such as Stripe or PayPal. You should still look through their PCI compliance guidelines though as simply processing credit cards off-site doesn’t always guarantee compliance. There may be additional steps required.
4. Implement a Firewall
Another recommendation is to establish and implement a firewall to help filter unwanted traffic. We have hardware firewalls, active and passive security, and other advanced features already in place to prevent access to your data. However, you can also implement a third-party web application firewall (WAF) such as Sucuri or Cloudflare for additional protection.
5. Two-Factor Authentication
Two-factor authentication involves a two-step process in which you need not only your password to login but a second method. Enabling two-factor authentication can help prevent unauthorized access to both your host’s control panel and your WordPress site.
Enable two-factor authentication in MyKinsta
6. Data Center Security
Kinsta uses Google Cloud Platform which utilizes state of the security across its data centers: safeguards like custom-designed electronic access cards, alarms, vehicle access barriers, perimeter fencing, metal detectors, and biometrics. The data center floor features laser beam intrusion detection.
Their data centers are monitored 24×7 by high-resolution cameras and patrolled by security guards who have gone through rigorous background checks. Every action and activity is logged and recorded in case an incident occurs.
All data is encrypted in transit between Google, the customers, and data centers; as well as the data in all of the Cloud Platform services. The data stored on persistent disks is encrypted under 256-bit AES and each encryption key is also encrypted with a set of regularly changed master keys.
GCP’s Compute Engine service has been reviewed by an independent Qualified Security Assessor and determined to be PCI DSS 3.2 compliant. However, that doesn’t mean you’re automatically PCI compliant. Everything we’ve mentioned above still applies, as you’re the one ultimately responsible for ensuring you’re site is PCI compliant.
GCP’s PCI Attestation of Compliance and SOC 2 reports are not publicly available. These documents are only available directly from GCP after entering into a non-disclosure agreement. As a result, if you need access to these documents you must develop a relationship directly with GCP to request these documents.
Read more about Google Cloud Platform’s security.
Note: The above information is being provided to help assist you in questions pertaining to PCI compliance. However, we’re not responsible for assessing your compliance. This should always be handled by a third-party auditor.