PCI Compliant Hosting: What It Requires and How to Choose in 2026
Last updated: June 11, 2026
PCI compliant hosting is server or cloud infrastructure that is set up, documented, and contracted to meet the Payment Card Industry Data Security Standard (PCI DSS) for any system that stores, processes, or transmits payment card data. The host secures the part of the environment it controls, such as the network, firewalls, and physical data center. You secure the rest, including your application, your user accounts, and how cardholder data moves through your site. Neither side can reach PCI compliance alone, and the standard makes that split clear.
TL;DR: Quick answer
PCI compliant hosting means the infrastructure is built to meet PCI DSS, the security standard set by the PCI Security Standards Council (PCI SSC). The current version is PCI DSS v4.0.1.
PCI DSS has 12 core requirements grouped into 6 goals, covering firewalls, encryption, access control, monitoring, and testing.
PCI DSS is enforced by the card brands (Visa, Mastercard, American Express, Discover, JCB), not by the government. Penalties flow through your bank, called the acquirer.
Hosting is a shared job. The provider proves its piece with an Attestation of Compliance (AOC); you still complete your own Self-Assessment Questionnaire (SAQ) or audit.
Many healthcare websites take card payments and collect health data, so they need both PCI compliant hosting and HIPAA-compliant hosting at the same time.
What is PCI compliant hosting?

PCI DSS is a security standard, not a law. The major card brands created the PCI Security Standards Council to write one shared rulebook for protecting card data. Any business that accepts cards agrees to follow it through its merchant contract. When your website handles card numbers on servers you rent, the hosting provider controls part of that system, so the host's setup becomes part of your PCI scope.
"PCI compliant hosting" is the shorthand for a provider that builds and runs its infrastructure to PCI DSS and can prove it. The proof matters. A host that simply calls itself "secure" has told you nothing you can verify. The real question is whether the provider can hand you a current Attestation of Compliance and a clear list of which requirements it covers for you. This mirrors how compliance works across every framework; for the wider picture, see our guide to what compliant hosting services actually are.
Who needs PCI compliant hosting?

You need it if your business stores, processes, or transmits cardholder data. That includes online stores, membership sites, donation pages, and service businesses that bill clients by card. The rule does not care how many cards you handle; even one card payment puts you in scope.
Healthcare is a common and tricky case. A medical, dental, or therapy practice often takes copays and balances online while also collecting health details. That means two standards apply at once: PCI DSS for the card data and HIPAA for the health data. The two protect different information and are enforced by different groups, so meeting one does not cover the other. If that describes your practice, start with our breakdown of who needs HIPAA-compliant hosting, then layer PCI on top.
The cleanest way to lower your PCI burden is to never touch the card number at all. When you use a hosted payment page or a tokenized checkout from a provider like Stripe or Square, the card data goes straight to them, and your servers only see a token. You still have PCI duties, but a smaller and simpler set.
What must a PCI hosting provider give you?
PCI DSS lists 12 requirements. A hosting provider can satisfy some of them for you, share others, and leave the rest in your hands. A genuine PCI host should deliver:
Network security. Firewalls and network rules that wall off the cardholder data environment (the CDE) from the rest of the network (PCI DSS Requirement 1).
Strong encryption. Encryption of card data at rest, and TLS 1.2 or higher for card data in transit (Requirements 3 and 4).
Patching and anti-malware. Regular updates to the operating system and server software, plus malware protection (Requirements 5 and 6).
Access control. Unique logins, least-privilege access, and multi-factor authentication for administrative access (Requirements 7, 8, and 9).
Logging and monitoring. Records of who accessed what and when, kept and reviewed (Requirement 10).
Vulnerability scanning. Quarterly scans by an Approved Scanning Vendor (ASV) and regular testing (Requirement 11).
The provider proves this work with an Attestation of Compliance and, for larger providers, a Report on Compliance from a Qualified Security Assessor. Ask for the current document before you sign, and read which requirements it actually covers.
Who is responsible for what?

Every hosting setup splits PCI DSS between the provider and you. A typical split for managed PCI hosting looks like this:
| Area | Host's side | Your side |
|---|---|---|
| Network and firewalls | Configures and maintains firewalls and segmentation | Defines which traffic your app needs; no risky open ports |
| Encryption | Encrypted storage and TLS termination | Not storing full card numbers; using tokenization where possible |
| Access control | Server and platform access, MFA on admin logins | Your app's user roles and removing access when staff leave |
| Logging | Server and network logs, retention | Reviewing application logs and investigating odd activity |
| Scanning and testing | Infrastructure ASV scans | Scanning your own application and fixing its findings |
| Your paperwork | Provides its AOC as evidence | Completes your SAQ or audit, signed by your team |
The biggest mistake buyers make is assuming the host's AOC makes them compliant. It does not. It only proves the host's layer. You still own your application and your own attestation. Ask any provider for a written responsibility matrix that maps each of the 12 requirements to a side.
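The "your side" rows above (no full card numbers on your servers, tokenization where possible) and the tokenized checkout described earlier come down to one application-layer rule: accept a token plus the last four digits, and never let a Luhn-valid, PAN-length number reach storage or logs. The Python guard below is an added example, not code from this article or from any provider; the field names and the `tok_` prefix are assumed conventions, and the card numbers used in the checks are public test numbers.

```python
import re

# Runs of 13 to 19 digits, optionally separated by spaces or dashes, not inside a longer digit run.
_PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Fields a tokenized checkout is allowed to post to our server (assumed names).
ALLOWED_FIELDS = {"payment_token", "card_last4", "amount_cents", "currency"}


def luhn_valid(digits: str) -> bool:
    """Luhn check: True when the digit string carries a valid check digit."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def _pan_from_match(m) -> str:
    """Strip separators and return the digits only if they look like a real PAN."""
    digits = re.sub(r"[ -]", "", m.group(0))
    return digits if 13 <= len(digits) <= 19 and luhn_valid(digits) else ""


def find_pans(text: str) -> list:
    """Return every PAN-looking, Luhn-valid digit string found in text."""
    return [d for d in (_pan_from_match(m) for m in _PAN_CANDIDATE.finditer(text)) if d]


def redact_pans(text: str) -> str:
    """Mask detected PANs down to their last four digits, e.g. for a log line."""
    def mask(m):
        digits = _pan_from_match(m)
        return "*" * (len(digits) - 4) + digits[-4:] if digits else m.group(0)
    return _PAN_CANDIDATE.sub(mask, text)


def accept_checkout(payload: dict) -> tuple:
    """Accept only a token-based checkout; reject any payload that carries a full PAN."""
    extra = set(payload) - ALLOWED_FIELDS
    if extra:
        return False, "unexpected fields: " + ", ".join(sorted(extra))
    if not str(payload.get("payment_token", "")).startswith("tok_"):
        return False, "missing payment token"
    if find_pans(" ".join(str(v) for v in payload.values())):
        return False, "payload contains a full card number"
    return True, "ok"
```

Run `redact_pans` over application log lines before they are written, and `accept_checkout` on the server endpoint that receives the checkout form, so a misconfigured front end that posts the raw number is rejected rather than quietly stored.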
How do PCI compliance levels work?

PCI DSS sorts merchants into four levels based on how many card transactions they handle each year. Higher volume means stricter proof.
Level 1: Over 6 million transactions a year. Requires a yearly on-site audit and a Report on Compliance.
Level 2: 1 to 6 million a year. Usually a yearly Self-Assessment Questionnaire, sometimes an audit.
Level 3: 20,000 to 1 million e-commerce transactions a year. A yearly SAQ and quarterly ASV scans.
Level 4: Under 20,000 e-commerce transactions, or up to 1 million total. A yearly SAQ and quarterly scans.
Most small clinics and small businesses are Level 4. The exact thresholds vary slightly by card brand, so confirm your level with your acquiring bank.
PCI and HIPAA together: when you need both

This is where healthcare websites get caught off guard. PCI DSS protects card data. HIPAA protects health data through the Security Rule and a signed Business Associate Agreement (BAA). They overlap in good security habits like encryption and access control, but they are separate obligations with separate proof. A host can meet one, both, or neither.
If your site books appointments, stores intake details, and takes card payments, you need a hosting setup that satisfies both at once. The good news is that the controls reinforce each other. Strong encryption, tight access, and reviewed logs serve PCI and HIPAA alike. Our guide to HIPAA hosting security measures walks through those shared controls in plain terms, and many of the same settings satisfy PCI DSS too.
How do you choose a PCI hosting provider?
Ask for the AOC. A current Attestation of Compliance, not a vague "we are PCI compliant" line on a sales page.
Get a responsibility matrix. A written map of which of the 12 requirements the host covers and which stay yours.
Confirm ASV scanning. Make sure quarterly scans are part of the plan and you know who fixes what they find.
Check segmentation. Strong isolation between your environment and other customers keeps your PCI scope small.
Match your other needs. If you also handle health data, pick a provider that signs a BAA and runs managed HIPAA cloud hosting so one environment can carry both standards.
If you would rather not build it yourself
PCI and HIPAA both reward careful setup and steady upkeep, and both punish guesswork. If your team would rather serve patients and ship product than tune firewalls and chase scan results, a managed host can run that layer for you. At HIPAA Compliant Hosting, we build single-tenant environments that arrive hardened with encryption, a web application firewall, monitoring, encrypted backups, and a signed BAA, and we work with the payment setups our healthcare clients already use. We sell managed hosting, so treat that as a disclosure, not a neutral opinion. We also think a team that understands its own PCI scope makes smarter choices, whoever runs the servers. If you want a straight answer about what your site actually needs, tell us what you are building.
Frequently asked questions
What is PCI compliant hosting?
Hosting infrastructure that is built, documented, and contracted to meet PCI DSS for systems that handle payment card data. The host secures its layer and proves it with an Attestation of Compliance; you secure your application and complete your own assessment.
Is PCI compliant hosting the same as HIPAA hosting?
No. PCI DSS protects payment card data and is enforced by the card brands. HIPAA protects health data and requires a BAA under 45 CFR § 164.308(b). A host can meet one, both, or neither, so confirm each one separately.
Does the host make my whole business PCI compliant?
No. A host's compliance covers its infrastructure only. You remain responsible for your application, your card data handling, your user access, and your own SAQ or audit.
Can I lower my PCI requirements?
Yes. Using a hosted payment page or tokenized checkout keeps the raw card number off your servers, which shrinks your scope and usually moves you to a simpler Self-Assessment Questionnaire.
Is there an official PCI certification for hosts?
Providers prove compliance through an Attestation of Compliance and, for larger ones, a Report on Compliance from a Qualified Security Assessor. There is no single government certificate; PCI DSS is enforced through card brand contracts.
Where to go from here
Find out which card data your site touches, then decide whether you can hand payments to a tokenized checkout to shrink your scope. If you also handle health data, plan for PCI and HIPAA together from the start. Our complete guide to HIPAA-compliant hosting covers the health-data side, and our 2026 hosting cost guide shows what a compliant environment usually costs.
This article is general information, not legal or compliance advice. PCI DSS obligations depend on your merchant level, your card brands, and your acquiring bank; confirm your specific requirements with a Qualified Security Assessor or your acquirer. Reviewed June 2026.
Sources
PCI Security Standards Council: Official PCI SSC site
PCI SSC Document Library (PCI DSS v4.0.1): pcisecuritystandards.org
45 CFR Part 164, Subpart C (HIPAA Security Rule): ecfr.gov