Web hosting providers
aldarm
06-20-2007, 08:14 AM
I am carrying out research on all that is required by a web hosting provider to become PCI DSS compliant.
My question:
In terms of Visa service provider level definitions, how does a web hosting provider know if it is level 2 or 3, since it is the hosted entities (and not the host) that store/process credit card transactions?
Thanks.
jbhall56
07-06-2007, 05:41 AM
As you correctly point out, as a pure Web hosting provider, you don't know what level your customers are. However, the PCI DSS assumes that all Web hosting entities are a Level 1.
As such, at a minimum, you should be filling out Appendix A of the PCI SAP v1.1 for each of your customers that require compliance with the PCI DSS.
If you are providing any services outside of pure hosting such as managed security, OS patching, network monitoring or anything else covered by the PCI Security Audit Procedures (SAP), then you will have to provide your customers purchasing those additional services with answers to the appropriate sections of the SAP.
aldarm
07-24-2007, 06:21 AM
I wasn't aware that "PCI DSS assumes that all Web hosting entities are a Level 1". Can you direct me to the source where this is stated? Thanks.
This post (http://pcianswers.com/2006/07/23/gateway-vs-service-provider/) includes Web Hosting company as a Level 2/3 Service Provider example.
cmark
07-24-2007, 07:53 AM
This is an interesting observation. Shared Hosting Providers are required to comply with the Appendix in the PCI DSS for their merchants to be compliant. With regard to Hosting companies that provide "ping, power, and pipe" it is a little different animal. Service Providers are either directly identified and categorized by the Card Brands as in the case of TPPs, DSEs, ISOs, VNPs, Gateways etc. or are defined by their merchants.
As an example, say I am a hosting provider. In truth, I don't really care what somebody may put in my cage. If a merchant puts their systems in the cage in my datacenter, then the merchant will consider me a Service Provider and ask that I support their compliance. If I choose not to, then the merchant will have to find another hosting provider. If I choose to support their compliance, then there are two ways I can be validated.
If the merchant is a level 1 or if my customer is a level 1/2 SP, then I can either have my facility evaluated as a component of their onsite assessment or I can go through the process of having a QSA evaluate my services and register as a Service Provider with the Card Brands. The second option will allow me to advertise that I am "PCI Compliant" etc. etc.
If my customers are level 2 or lower merchants then their self-assessment questionnaire should be completed taking into account my services. Alternatively, I can still go through a PCI assessment related to the services I provide so that I can advertise my PCI compliance.
A great hosting company that is PCI compliant is GSI Hosting. Take a look at their site and you will get an idea of services they provide. Remember that only those requirements that apply to the provided services need to be evaluated. If it is not the hosting company that is storing data rather their customers, then the hosting company is not responsible for complying with requirement 3.4.
Please let me know if I can clarify any further.