Ok, I have done a search on “Shared Hosting Providers” in the forum to understand what pushes a merchant into 2.4 and the required Appendix A. Lots of good information was found in the search but not the golden arrow I was looking for. Here is my predicament – I have an entity in the organization that contracts with a vendor to run an Internet e-commerce site using the vendor’s payment software hosted/maintained by the vendor. I understand our need to meet 12.8 as the vendor is a service provider in this situation. This is also validated as info passes back to us from this configuration and we hold the merchant number. Since we contract the vendor to run the turnkey Web interface on their machines using their software am I clear of the requirements of 2.4? My take is you must be the owner/controller of the Web application on the outside hosting service to punch the 2.4 ticket. However, I can’t put this in the bank given the long arms of PCI DSS.