We offer PCI compliant hosting on all of our hosting products for clients who do not store or transmit cardholder data. In order to build a PCI compliant ecommerce solution, your site needs to be paired up with a payment gateway partner.
You can host your entire ecommerce site on our hosting products up until the point where the customer provides credit card information during checkout. When a customer purchases items from your site, you'll utilize the API with your payment gateway partner to provide a transaction ID and dollar amount to authorize.
The customer will then connect directly to the card processing system on a new session and input their payment information. After the processing system validates the transaction, it will return either an authorized or failed message. The failure messages can contain details such as insufficient funds, invalid card number, or failed to complete transaction.
The communication from the card processing system to your ecommerce system can never contain cardholder data. This includes the primary account number, expiration date, the name as it appears on the card, and CVV number.
Your ecommerce application's database can store such information to uniquely identify the transaction with your payment gateway partner's processing system, such as transaction ID, customer name, dollar amount of the transaction, timestamp of the transaction, and return status of the payment request.
Integrating A Payment Gateway
The Server Integration Method (SIM) API is the proper API that we recommend when using the "card not present" payment method.
Sample code for PHP and other languages using the SIM API can be found here.
You can also sign up for a free test account to try the API out. Credit card numbers for testing transactions are included in the instructions emailed to you after you sign up.
Why This Works
By designing your ecommerce site in this manner, PCI compliance is reduced to a Type A Self-Assessment Questionnaire (SAQ) for merchants processing less than 6,000,000 annual transactions.
To achieve compliance when all cardholder data is handled by a partner, you only need to address two of the twelve sections of the complete PCI-DSS, and only a subset of the controls in each of those sections (specifically sections 9 and 12).
The current version of the Type A SAQ can be found here.
PCI Vulnerability Scans
A portion of PCI compliance is the external vulnerability scan using an Approved Scanning Vendor (ASV). A list of ASV's is available here. Your payment partner or acquiring bank may have a preferred partner to work with, so ensure their recommended partner appears on the ASV list.
After you've selected your scanning vendor, you'll provide the systems to perform the scan your domain. After the scan completes, it will provide you with a passing grade or list of open issues that need to be resolved.
When scanning our hosting environments, the scanning tool will detect software version issues against the OS or application stack (such as MySQL, PHP, and SSH).