Understanding PCI DSS Requirements 1 and 2: A Guide for Shared Hosting Providers

If you’re a shared hosting provider or a business using shared hosting, understanding the Payment Card Industry Data Security Standard (PCI DSS) requirements for shared hosting providers is vital to maintaining compliance and protecting sensitive data.

In this guide, we’ll summarize insights on PCI Data Security Standard Requirements 1 and 2 and common compliance gaps.

PCI DSS Requirements 1 and 2

Why PCI Scoping Matters

One of the most common and serious compliance issues is poor or nonexistent PCI scoping. A flat network with no segmentation between the cardholder data environment (CDE) and the rest of the network can lead to security vulnerabilities. A clear data flow diagram is essential for defining scope and identifying needs for logical segmentation.

Pro Tip: Any system connected to the CDE—applications, domain controllers, third-party SaaS, and service providers—is in scope and should also be PCI-compliant.

Clarifying "No Access" and Role-Based Controls

In PCI terms, “no access” means the system is not in scope of the assessment. This creates the need for access control procedures and for a data control policy that documents and defines them, restricting access to cardholder data to those with a business need to know. You can implement these policies on the principle of least privilege, using role-based access and formal approval workflows.

Common Gaps in Requirement 1: Firewall Configurations

Requirement 1 focuses on installing and maintaining firewall configurations to protect cardholder data. Common gaps include:

If a third party manages your firewall, they must be PCI compliant and provide clearly documented descriptions of groups, roles, and responsibilities for managing network components. Requirement 1.1.5 states that all duties need to be formally defined and documented, and if they’re not, you’re not PCI compliant.

Understanding Untrusted Networks and Wireless In-Scope Scenarios

Your internet connection and DMZ are considered untrusted networks; the systems that live there (e.g., web servers, DNS servers, or email servers) should never hold cardholder data. Wireless networks used to manage your CDE are also in scope and must meet specific requirements (e.g., encryption, secure configuration, segmentation).


Other Requirement 1 FAQs

Q: My firewalls are managed by an outside IT consultant. What requirements relate to their aspect of our environment?

Service providers may often push back because they don’t think they’re directly involved in the storing, transmitting, or processing of cardholder data. If a company manages your firewall, they must be PCI compliant. They should provide you with an attestation stating they are compliant with the PCI standard. Service providers must provide written acknowledgment of maintaining applicable PCI DSS requirements.

Q: I’m using wireless networks but only to administer my CDE. Are those networks in scope?

Yes, all wireless requirements apply. For example:

Q: What does the DSS mean by “public access”?

The DSS is trying to avoid direct contact between the public internet and system components. If your device has a publicly accessible IP address, anyone on the internet can communicate directly with that device.

Q: If a client has Outlook Web Access enabled for Exchange, and they use NAT on the firewall to make it available to access their account from the Internet, does this break requirements 1.3.1 and 1.3.2?

You must isolate the CDE from the Exchange server in your DMZ or you’re not compliant. If the Exchange server is properly isolated so that it cannot impact the security of your CDE in any way, you’re okay. This is where the firewall comes into play to segment the DMZ from the rest of the network.

Q: What does PCI mean by “unauthorized outbound traffic” in requirement 1.3.5?

According to the standard, all inbound and outbound traffic must be accounted for. Requirement 1.1.6 requires documenting all services, protocols, and ports that are required for the CDE to operate correctly. Firewall configurations should only allow traffic that is specifically authorized, and this applies in both directions.

In our experience, this is one of the biggest challenges with having an overly expansive scope. These controls are often so restrictive that employees are negatively impacted when we apply the DSS to wide swaths of the business. We encourage all of our customers to take a good look at how they might be able to reduce their PCI scope and segment their network as much as possible.
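One way to make the “specifically authorized, in both directions” check concrete is to audit a firewall ruleset against the services inventory that Requirement 1.1.6 asks for. This is an added example, not part of the original article or any vendor tool; the inventory, the rule line format (`direction proto port action`) and the sample ruleset are all constructed for illustration.

```python
"""Audit firewall allow rules against a documented services list (PCI DSS 1.1.6)
and flag anything not specifically authorized, outbound included (1.3.5).
Added example with constructed data; the rule format is an assumption."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    direction: str   # "inbound" or "outbound"
    proto: str       # "tcp", "udp" or "any"
    port: str        # port number as text, or "any"
    action: str      # "allow" or "deny"


# Constructed 1.1.6 inventory: (direction, proto, port) -> business justification
DOCUMENTED = {
    ("inbound", "tcp", "443"): "HTTPS to the payment web tier",
    ("outbound", "tcp", "443"): "Settlement traffic to the acquirer gateway",
    ("outbound", "udp", "123"): "NTP for log time synchronisation",
}


def parse_rules(text: str) -> list[Rule]:
    """Parse 'direction proto port action' lines; '#' starts a comment."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        direction, proto, port, action = line.split()
        rules.append(Rule(direction.lower(), proto.lower(), port, action.lower()))
    return rules


def audit(rules: list[Rule]) -> list[str]:
    """Return one finding per allow rule the inventory does not justify."""
    findings = []
    for r in rules:
        if r.action != "allow":
            continue                      # deny rules never widen the scope
        if r.proto == "any" or r.port == "any":
            findings.append(f"{r.direction} allow {r.proto}/{r.port}: wildcard allow, not specifically authorized")
        elif (r.direction, r.proto, r.port) not in DOCUMENTED:
            findings.append(f"{r.direction} allow {r.proto}/{r.port}: not in the documented services list (1.1.6)")
    return findings


SAMPLE_RULESET = """
# constructed sample, in the shape of a cleaned-up firewall export
inbound  tcp 443  allow
inbound  any any  deny
outbound tcp 443  allow
outbound udp 123  allow
outbound tcp 25   allow   # undocumented: SMTP leaving the CDE
outbound any any  allow   # the 'allow all outbound' default that 1.3.5 forbids
"""

if __name__ == "__main__":
    for finding in audit(parse_rules(SAMPLE_RULESET)):
        print(finding)
```

Each finding maps to a line an assessor would ask about: either the rule gets a documented business justification, or it is removed.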

Q: What methods do most companies use to obscure private/internal IP addresses?

Use of network address translation/IP masquerading is a simple method in which the source and/or destination addresses of IP packets are rewritten as they pass through a router or a firewall.

Q: Do you have any comments regarding documentation? Policies and procedures seem to be a big deal in the DSS.

The phrase “known to all affected parties” is found throughout the PCI requirements. The idea is that policies and procedures need to be documented and disseminated to all appropriate personnel. This applies to all security policies and procedures.

Requirement 2: Secure System Configurations and Vendor Defaults

Requirement 2 addresses secure system configurations and avoiding default credentials. Systems often missed in this requirement include POS terminals, operating systems, and applications. It’s crucial to change both default passwords and user IDs.

Accepted system hardening standards include those from NIST, SANS, and CIS (Center for Internet Security).

Key Challenges for Shared Hosting Providers

PCI DSS Appendix A outlines additional requirements for shared hosting providers. The main challenge is ensuring complete separation and protection of each client’s environment. A compliant shared hosting provider should already have a valid PCI Report on Compliance (RoC), simplifying the compliance process for clients.

Final Thoughts on Documentation and Asset Management

Effective compliance isn’t just about policies—it’s about making sure those policies are known and operationalized across your team. Key components of asset inventories should include:

Strong asset management and comprehensive documentation are essential to proving compliance during audits.

Need Help With PCI DSS Compliance?

Have more questions about PCI DSS requirements for shared hosting providers? Looking for a PCI-compliant hosting provider? Contact our team today.