#81, 11-21-2009, 07:28 AM

geckoday
X-Wizard
Join Date: Aug 2005
Posts: 1,073

Re: X-Cart and PCI-DSS / PA-DSS compliance

Quote:
Originally Posted by Steel
Just so I understand what you are saying, only in the event that you physically host your own server will you be able to avoid the SAQ "tar pit". If someone hosts this server for you, then they will be considered a service provider, and in scope, and in the "tar pit"?
Yes, your host is in the tar pit, as service providers are only eligible for SAQ D. But that only applies to the services they provide. What you do in your domain on a shared host falls under your PCI assessment, which would still be SAQ C. As part of your processes required by SAQ C, you must monitor your host's PCI-DSS compliance. This can mean either your host doing their own PCI-DSS assessment and giving you a copy, or you asking them questions to establish their PCI compliance as part of your annual filling out of your SAQ. If you're hosting with a quality host, then they shouldn't have a problem with meeting the PCI-DSS requirements.
__________________
Manuka Bay Company
X-Cart Version 4.0.19 [Linux]

UGG Boots and other fine sheepskin products
http://www.snowriver.com