
PCI compliance for web hosting

By Angus. Published 14 May 2026. 4 min read.

If your website accepts card payments, the Payment Card Industry Data Security Standard (PCI DSS) applies to you. Meeting these requirements protects your customers’ payment data and keeps you able to process card transactions.

This article explains what PCI compliance means in a shared hosting context, what your hosting provider covers and what you remain responsible for at the application level.

Before you begin

  • PCI DSS requirements are set by the PCI Security Standards Council. Review their documentation for the full standard.
  • If you are unsure whether your site is in scope, consult a Qualified Security Assessor (QSA) or your payment processor.
  • GDPR and PCI DSS are separate obligations. Meeting one does not satisfy the other.

What PCI compliance covers

PCI DSS is a set of security standards that apply to any business that stores, processes or transmits cardholder data. Non-compliance can result in fines, data breaches and the loss of your ability to accept card payments.

Your PCI scope depends on how card data flows through your site. Using a third-party payment processor such as Stripe via a WooCommerce plugin can prevent card data from ever reaching your server. This reduces your scope significantly, but does not remove your compliance obligations entirely. You still need to meet PCI DSS requirements at a lower validation level.

What your hosting infrastructure covers

Hosting infrastructure that is PCI-compliant at the server level meets PCI DSS requirements for the underlying environment. This includes enforced encryption for file transfers and email connections. The table below shows how a PCI-compliant server differs from a standard server.

  • File transfers (FTP): Standard servers permit unencrypted connections. PCI-compliant servers require TLS encryption for all file transfers. Plaintext FTP is disabled.
  • Email (Dovecot): Standard servers may allow older protocol versions. PCI-compliant servers enforce TLS 1.2 or higher and block weak or deprecated cipher configurations.

If your FTP client stops connecting after a move to a PCI-compliant server, it is likely because plaintext logins have been disabled. Switch your client to use FTPS (FTP over TLS) or SFTP (SSH File Transfer Protocol). Most modern FTP clients support both. Update your connection type in your client’s settings and reconnect using the same credentials.

Your responsibilities at the application level

A PCI-compliant hosting environment reduces your scope but does not make your website PCI compliant on its own. You remain responsible for security at the application and site level. This includes:

  • Quarterly vulnerability scans carried out by an Approved Scanning Vendor (ASV)
  • Secure coding practices and access controls within your application
  • Reviewing scan results, fixing confirmed vulnerabilities and disputing false positives

ASV scans may flag Common Vulnerabilities and Exposures (CVEs) that do not apply to your actual configuration. These are known as false positives. To dispute one, gather supporting evidence such as configuration files, response headers or software version details, then submit this to your ASV for review.

Troubleshooting

FTP client fails to connect

Plaintext FTP is disabled on PCI-compliant servers because it transmits credentials without encryption, which violates PCI DSS requirements.

  • Open your FTP client’s connection settings and change the protocol to FTPS or SFTP.
  • Confirm your client supports TLS. FileZilla, Cyberduck and WinSCP all support FTPS and SFTP.
  • If you are using a legacy client that does not support encrypted connections, replace it with a current alternative.

ASV scan reports unexpected vulnerabilities

Scanners have limited visibility into server configurations and may flag issues that do not reflect your actual setup. These false positives are common and can be disputed.

  • Review each flagged item against your actual server configuration before treating it as a confirmed vulnerability.
  • Collect evidence such as TLS configuration output, software version strings or HTTP response headers.
  • Submit your evidence to your ASV with a clear explanation of why the finding does not apply.
  • If you need help identifying false positives related to your hosting environment, open a support ticket with the scan results attached.
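The following script is an added example, not part of this guide or the hosting platform, that gathers the TLS evidence described above for the Dovecot requirement in the infrastructure section: it pins a handshake to each protocol version against a mail server's IMAPS port and writes a short report stating whether TLS 1.2 or higher is enforced. The host name is a placeholder and the function names are ours; the same probe works against implicit FTPS on port 990.

```python
import socket
import ssl
TLS_VERSIONS = {
    "TLSv1.0": ssl.TLSVersion.TLSv1,
    "TLSv1.1": ssl.TLSVersion.TLSv1_1,
    "TLSv1.2": ssl.TLSVersion.TLSv1_2,
    "TLSv1.3": ssl.TLSVersion.TLSv1_3,
}
LEGACY = ("TLSv1.0", "TLSv1.1")  # below the PCI DSS floor of TLS 1.2

def probe_tls_version(host, port, version, timeout=5.0):
    """Handshake pinned to exactly one version: "accepted", "refused", or
    "untestable" (local OpenSSL refused to offer it, so the server was never asked)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE  # we test protocol support, not the certificate
    try:
        ctx.minimum_version = ctx.maximum_version = version
    except (ValueError, ssl.SSLError):
        return "untestable"
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host):
                return "accepted"
    except ssl.SSLError as exc:  # server alert, or OpenSSL refusing to offer the version
        return "untestable" if "no protocols available" in str(exc) else "refused"
    except OSError:
        return "refused"

def assess(results):
    """Map {version: outcome} to (compliant, findings); pure, so testable offline."""
    findings = [f"{v} accepted; PCI DSS requires TLS 1.2 or higher"
                for v in LEGACY if results.get(v) == "accepted"]
    if not any(results.get(v) == "accepted" for v in ("TLSv1.2", "TLSv1.3")):
        findings.append("neither TLS 1.2 nor TLS 1.3 could be negotiated")
    return (not findings), findings

def evidence_report(host, port, results):
    """Plain-text summary to attach to an ASV false-positive dispute."""
    lines = [f"TLS version probe for {host}:{port}"]
    lines += [f"  {v}: {results.get(v, 'not probed')}" for v in TLS_VERSIONS]
    ok, findings = assess(results)
    lines.append("  verdict: " + ("TLS 1.2+ enforced" if ok else "; ".join(findings)))
    return "\n".join(lines)

if __name__ == "__main__":
    # Placeholder host; 993 is the standard IMAP-over-TLS port that Dovecot serves.
    host, port = "mail.example.com", 993
    probed = {n: probe_tls_version(host, port, v) for n, v in TLS_VERSIONS.items()}
    print(evidence_report(host, port, probed))
```

An "untestable" outcome means your own machine's OpenSSL would not offer that legacy version, so the report is not evidence either way for it; rerun from a host whose OpenSSL still permits TLS 1.0/1.1 before submitting.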

Wrapping up

PCI DSS compliance applies at two levels: the hosting infrastructure and your application. A PCI-compliant server addresses the infrastructure layer, enforcing encrypted connections for file transfers and email. Your site’s code, access controls and quarterly ASV scans remain your responsibility.

For related security topics, see our guides on installing a Let’s Encrypt SSL certificate, securing your VPS and installing an SSL certificate. You may also find the website security guide on our blog useful for broader application-level hardening. Our secure hosting plans are built with compliance requirements in mind.
