Understanding PCI Compliance (Firstserv Guide)
What is PCI Compliance?
PCI compliance refers to meeting the Payment Card Industry Data Security Standard (PCI DSS)—a set of security requirements designed to protect cardholder data.
Any organisation that stores, processes, or transmits payment card information must comply with these standards.
Does PCI Compliance Apply to You?
If you run an online store that accepts card payments, your website and hosting environment are typically within PCI scope—unless:
- ✅ All payment processing is fully handled by a third-party PCI-compliant provider (e.g. Stripe, PayPal)
Using Third-Party Payment Providers
Using providers like Stripe (via platforms such as WooCommerce) can:
- Ensure card data never touches your server
- Significantly reduce your PCI scope
⚠️ However:
- You are still required to maintain some level of PCI compliance
- Other regulations (e.g. GDPR) still apply independently
Firstserv PCI-Compliant Hosting
Firstserv Business / Premium hosting platforms are:
- ✅ Regularly security scanned
- ✅ Maintained to meet PCI DSS standards at the infrastructure level
This ensures the underlying hosting environment is compliant.
Your Responsibilities
Even when using PCI-compliant hosting, you remain responsible for application-level compliance, including:
- Website security configuration
- Plugin/theme security
- Data handling practices
PCI Scanning Requirements
To maintain compliance, you will typically need to:
- Run quarterly security scans
- Use an Approved Scanning Vendor (ASV)
Scan Results
Your scan may report:
- ✅ Genuine vulnerabilities (must be fixed)
- ⚠️ False positives (must be reviewed and disputed)
👉 Scanners sometimes rely on limited visibility or version-based checks, which can lead to inaccurate findings.
Handling Scan Results
To pass a PCI scan:
- ✅ Review all reported issues
- ✅ Fix confirmed vulnerabilities
- ✅ Identify and document false positives
- ✅ Submit evidence to your PCI provider
Common Questions
What’s the difference between standard and PCI-compliant hosting?
PCI-compliant hosting environments are configured and maintained to meet PCI DSS infrastructure requirements, including stricter security controls.
Does using PCI hosting make my site fully compliant?
No. Hosting is only one part of compliance—you are still responsible for your website, applications, and processes.
Do I still need PCI scans?
Yes. Even with compliant hosting, you must run regular ASV scans to validate your environment.
Can I dispute false positives?
Yes. If a scan identifies an issue incorrectly:
- Gather supporting evidence
- Submit it to your scanning provider as a false positive
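The false-positive handling described under "Handling Scan Results" and in the answer above usually comes down to one recurring case: a scanner reads a service's version banner and flags a CVE on that basis, while the distribution package has already received a backported fix without changing the version string, so the package changelog is the evidence to submit. The following triage helper is an added example written for this guide, not Firstserv's own tooling and not part of any ASV's product. It assumes findings are exported as (finding id, service, reported version, CVE) and that you have the installed package version and its security changelog text; every version, service name and CVE identifier below is a constructed placeholder.

```python
"""Triage ASV scan findings against package inventory and changelog evidence.

Added example for the guide above; not Firstserv code. Assumes a findings
export with (id, service, reported_version, cve) and a per-service record of
the installed version plus the distribution changelog text. All identifiers,
versions and CVE numbers here are constructed placeholders.
"""
import re
from dataclasses import dataclass, field

CVE_PATTERN = re.compile(r"CVE-\d{4}-\d{4,}")


@dataclass
class Finding:
    finding_id: str
    service: str
    reported_version: str  # version string the scanner read from the banner
    cve: str               # CVE the scanner associates with that version


@dataclass
class PackageState:
    installed_version: str
    fixed_cves: set = field(default_factory=set)  # CVEs the changelog marks fixed


@dataclass
class Verdict:
    finding_id: str
    status: str    # "confirmed" | "candidate-false-positive" | "needs-review"
    evidence: str  # text to carry into the dispute or the fix ticket


def fixed_cves_from_changelog(changelog_text):
    """Collect every CVE identifier mentioned in a package changelog.

    A distribution changelog entry naming a CVE is the usual evidence that the
    fix was backported even though the banner version did not change.
    """
    return set(CVE_PATTERN.findall(changelog_text))


def triage(findings, packages):
    """Classify each finding; nothing is auto-dismissed without evidence text."""
    verdicts = []
    for f in findings:
        pkg = packages.get(f.service)
        if pkg is None:
            # Unknown service: cannot dispute, cannot confirm, a human must look.
            verdicts.append(Verdict(f.finding_id, "needs-review",
                                    f"no inventory entry for {f.service}"))
        elif f.cve in pkg.fixed_cves:
            verdicts.append(Verdict(
                f.finding_id, "candidate-false-positive",
                f"{f.service} {pkg.installed_version} changelog lists {f.cve} as "
                f"fixed; scanner judged by banner version {f.reported_version}"))
        else:
            verdicts.append(Verdict(
                f.finding_id, "confirmed",
                f"{f.cve} not listed as fixed for {f.service} "
                f"{pkg.installed_version}; patch or mitigate before rescan"))
    return verdicts


# Constructed sample data (placeholder package, versions and CVE numbers).
CHANGELOG = """\
web-server (2.4.0-3) stable-security; urgency=high
  * Backport upstream fix for CVE-0000-0101 (no version bump)
web-server (2.4.0-2) stable; urgency=medium
  * Rebuild against updated toolchain
"""

SAMPLE_FINDINGS = [
    Finding("F-1", "web-server", "2.4.0", "CVE-0000-0101"),  # fixed by backport
    Finding("F-2", "web-server", "2.4.0", "CVE-0000-0102"),  # genuinely open
    Finding("F-3", "mail-server", "1.0", "CVE-0000-0201"),   # not in inventory
]


def run_example():
    packages = {
        "web-server": PackageState("2.4.0-3", fixed_cves_from_changelog(CHANGELOG)),
    }
    return triage(SAMPLE_FINDINGS, packages)


if __name__ == "__main__":
    for v in run_example():
        print(f"{v.finding_id}: {v.status} - {v.evidence}")
```

The script deliberately labels backported cases as candidates rather than closing them: the changelog excerpt and installed version string are what you attach when submitting the false positive to the scanning provider, and anything outside your inventory is routed to manual review rather than silently dropped.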
Can I host non-PCI sites on PCI servers?
Yes. You can host standard websites on PCI-compliant infrastructure, but they are not automatically required to meet PCI standards unless they handle card data.
Summary
- PCI compliance is required for handling cardholder data
- Using third-party payment providers reduces scope, but does not remove obligations
- Firstserv provides PCI-ready infrastructure, but compliance is a shared responsibility
- Regular scans, fixes, and validations are required to maintain compliance
If you need help understanding your PCI requirements or reviewing scan results, the Firstserv support team is available to assist.
