Compliance & Governance

PCI DSS Compliant Hosting

PCI DSS compliance is mandatory if you handle cardholder data. We implement the infrastructure controls — network segmentation, encryption, access management, logging, and vulnerability scanning — that satisfy PCI requirements and reduce your compliance scope.

Need this done for your project?

We implement, you ship. Async, documented, done in days.

Start a Brief

Network Segmentation

The most effective way to reduce PCI scope is network segmentation. We isolate the Cardholder Data Environment (CDE) in a dedicated VPC or subnet with strict security group rules. Only the payment processing service has access to cardholder data. Application servers communicate with the CDE through a tokenization layer — they never see raw card numbers. Every network flow is documented in a data flow diagram for your QSA.
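A worked illustration of the segmentation rule above, written for this page as an added example (not Anubiz Engineering's own tooling): the documented data flow into the CDE is kept as an allowlist, and every ingress rule on the CDE security group is checked against it, so that anything other than the payment service reaching the card vault is flagged before it ships. The subnet addresses, ports and the rule shape are assumptions made for the example.

```python
import ipaddress
from dataclasses import dataclass

# Constructed addressing for the example (assumed, not the page's): the CDE has its
# own subnet and the payment-processing service has its own; the application tier
# lives elsewhere and must reach card data only through the tokenization layer.
CDE_SUBNET = ipaddress.ip_network("10.20.0.0/24")
PAYMENT_SERVICE_SUBNET = ipaddress.ip_network("10.10.5.0/24")

# The documented data flow into the CDE: (source network, destination port, protocol).
# This allowlist is the same information the data flow diagram for the QSA carries.
ALLOWED_CDE_INGRESS = (
    (PAYMENT_SERVICE_SUBNET, 5432, "tcp"),   # payment service -> card vault database
)


@dataclass(frozen=True)
class IngressRule:
    """One ingress rule on the CDE security group (a simplified, assumed shape)."""
    source: str      # CIDR permitted to connect
    port: int        # destination port; -1 means all ports
    protocol: str    # "tcp", "udp", or "all"


def is_documented_flow(rule: IngressRule) -> bool:
    """True only if the rule is fully covered by one documented flow."""
    src = ipaddress.ip_network(rule.source, strict=False)
    for allowed_src, allowed_port, allowed_proto in ALLOWED_CDE_INGRESS:
        if src.version != allowed_src.version:
            continue   # subnet_of() refuses to compare IPv4 with IPv6
        if (src.subnet_of(allowed_src)
                and rule.port == allowed_port
                and rule.protocol == allowed_proto):
            return True
    return False


def audit_cde_ingress(rules):
    """Return the rules that open the CDE beyond the documented data flow."""
    return [r for r in rules if not is_documented_flow(r)]


# Constructed rule set: two rules match the documented flow, two do not.
SAMPLE_RULES = [
    IngressRule("10.10.5.0/24", 5432, "tcp"),   # whole payment-service subnet: documented
    IngressRule("10.10.5.7/32", 5432, "tcp"),   # one payment-service host: documented
    IngressRule("10.30.0.0/16", 5432, "tcp"),   # app tier reaching the DB directly: must use tokenization
    IngressRule("0.0.0.0/0", 22, "tcp"),        # SSH open to the world: never acceptable in the CDE
]

if __name__ == "__main__":
    for r in audit_cde_ingress(SAMPLE_RULES):
        print(f"undocumented CDE ingress: {r.source} -> {r.protocol}/{r.port}")
```

Run as a policy check in the pipeline that applies security-group changes: a non-empty result blocks the change and points at the flow that has to be added to the diagram (or, more often, removed from the rule set).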

Encryption and Key Management

PCI DSS requires encryption of cardholder data at rest and in transit. We implement AES-256 encryption via KMS with customer-managed keys, TLS 1.2+ for all data transmission, and database-level transparent data encryption. Key management follows PCI requirements: dual control, split knowledge, annual key rotation, and documented key custody procedures. Encryption configurations are enforced via infrastructure policies — no opt-out possible.

Logging and Monitoring

PCI Requirement 10 mandates comprehensive logging. We configure audit logging for: all access to cardholder data, all actions by privileged users, all authentication events, all changes to security controls, and all system-level events. Every log record includes user ID, event type, timestamp, source IP, and success/failure. Logs are shipped to centralized log management and retained for 12 months, with the most recent 3 months immediately accessible. Daily log review is automated with anomaly detection rules.
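The record fields and the automated daily review described above, as an added example written for this page (not the tooling Anubiz Engineering deploys): each audit record is validated for the five required fields, then two anomaly rules run over a day's worth of constructed JSON-lines events, one for repeated authentication failures from a single source and one for cardholder-data access by anything other than the payment service account. The event type names, the service account name and the thresholds are assumptions.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Fields every audit record must carry (Requirement 10 detail, as listed on the page).
REQUIRED_FIELDS = ("user_id", "event_type", "timestamp", "source_ip", "outcome")

# Assumed: only the payment service account may read cardholder data.
SERVICE_ACCOUNTS = {"svc-payment"}
FAILED_AUTH_THRESHOLD = 5
FAILED_AUTH_WINDOW = timedelta(minutes=10)

# Constructed sample log for one day (JSON lines). Timestamps carry an explicit
# offset so datetime.fromisoformat() accepts them on every supported Python.
SAMPLE_LOG = """
{"user_id":"svc-payment","event_type":"chd_access","timestamp":"2024-03-01T09:00:00+00:00","source_ip":"10.10.5.7","outcome":"success"}
{"user_id":"alice","event_type":"auth","timestamp":"2024-03-01T09:01:00+00:00","source_ip":"203.0.113.9","outcome":"failure"}
{"user_id":"alice","event_type":"auth","timestamp":"2024-03-01T09:02:00+00:00","source_ip":"203.0.113.9","outcome":"failure"}
{"user_id":"alice","event_type":"auth","timestamp":"2024-03-01T09:03:00+00:00","source_ip":"203.0.113.9","outcome":"failure"}
{"user_id":"alice","event_type":"auth","timestamp":"2024-03-01T09:04:00+00:00","source_ip":"203.0.113.9","outcome":"failure"}
{"user_id":"alice","event_type":"auth","timestamp":"2024-03-01T09:05:00+00:00","source_ip":"203.0.113.9","outcome":"failure"}
{"user_id":"carol","event_type":"auth","timestamp":"2024-03-01T09:06:00+00:00","source_ip":"10.30.0.12","outcome":"success"}
{"user_id":"bob-admin","event_type":"chd_access","timestamp":"2024-03-01T09:10:00+00:00","source_ip":"10.30.0.4","outcome":"success"}
"""

# Constructed malformed record: source_ip is missing.
BAD_RECORD = '{"user_id":"dave","event_type":"auth","timestamp":"2024-03-01T09:11:00+00:00","outcome":"failure"}'


def parse_events(text):
    """Parse JSON-lines audit records, rejecting any that lack a required field."""
    events = []
    for line in text.strip().splitlines():
        ev = json.loads(line)
        missing = [f for f in REQUIRED_FIELDS if f not in ev]
        if missing:
            raise ValueError(f"audit record missing required fields: {missing}")
        ev["timestamp"] = datetime.fromisoformat(ev["timestamp"])
        events.append(ev)
    return sorted(events, key=lambda e: e["timestamp"])


def daily_review(events):
    """Apply the anomaly rules; returns (rule, subject) pairs for the reviewer."""
    alerts = []

    # Rule 1: FAILED_AUTH_THRESHOLD or more auth failures from one source IP
    # inside a sliding FAILED_AUTH_WINDOW. Each IP is reported once.
    recent_failures = defaultdict(list)
    flagged_ips = set()
    for ev in events:
        if ev["event_type"] != "auth" or ev["outcome"] != "failure":
            continue
        window = recent_failures[ev["source_ip"]]
        window.append(ev["timestamp"])
        while window and ev["timestamp"] - window[0] > FAILED_AUTH_WINDOW:
            window.pop(0)
        if len(window) >= FAILED_AUTH_THRESHOLD and ev["source_ip"] not in flagged_ips:
            flagged_ips.add(ev["source_ip"])
            alerts.append(("repeated_auth_failure", ev["source_ip"]))

    # Rule 2: successful cardholder-data access by a non-service account.
    for ev in events:
        if (ev["event_type"] == "chd_access" and ev["outcome"] == "success"
                and ev["user_id"] not in SERVICE_ACCOUNTS):
            alerts.append(("unexpected_chd_access", ev["user_id"]))

    return alerts


if __name__ == "__main__":
    for rule, subject in daily_review(parse_events(SAMPLE_LOG)):
        print(f"ALERT {rule}: {subject}")
```

Rejecting a record at ingestion for a missing field is deliberate: a record without a source IP or outcome cannot support the review that Requirement 10 exists for, and a hard failure surfaces the misconfigured emitter the same day.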

Vulnerability Management

PCI requires quarterly vulnerability scans by an ASV (Approved Scanning Vendor) and annual penetration testing. We implement ongoing internal scanning with Trivy, Nessus, or Qualys, run on a weekly schedule. Scan results are tracked in a vulnerability management system with SLA-based remediation: critical within 24 hours, high within 7 days, medium within 30 days. Patch management is automated via CI/CD — container images are rebuilt and redeployed when base image CVEs are published.
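The SLA-based remediation tracking above, as an added example written for this page rather than the vulnerability management system Anubiz Engineering uses: each open finding gets a deadline from its severity and detection date, and the daily report lists what is overdue and by how much. The findings, their identifiers and the field names are constructed placeholders; real scanner exports would be normalised into this shape first.

```python
from datetime import date, timedelta

# Remediation SLAs as stated on the page: critical 24 hours, high 7 days, medium 30 days.
# Lower severities are tracked but carry no hard deadline here.
SLA_DAYS = {"CRITICAL": 1, "HIGH": 7, "MEDIUM": 30}

# Constructed findings (placeholder IDs, not real CVEs). "fixed" is the date the
# patched image was deployed, or None while the finding is still open.
FINDINGS = [
    {"id": "FINDING-001", "severity": "CRITICAL", "detected": "2024-03-01", "fixed": None},
    {"id": "FINDING-002", "severity": "HIGH",     "detected": "2024-03-01", "fixed": None},
    {"id": "FINDING-003", "severity": "MEDIUM",   "detected": "2024-03-01", "fixed": None},
    {"id": "FINDING-004", "severity": "CRITICAL", "detected": "2024-03-02", "fixed": "2024-03-02"},
    {"id": "FINDING-005", "severity": "HIGH",     "detected": "2024-03-05", "fixed": None},
    {"id": "FINDING-006", "severity": "LOW",      "detected": "2024-02-01", "fixed": None},
]


def sla_deadline(finding):
    """Date by which the finding must be remediated, or None if no SLA applies."""
    days = SLA_DAYS.get(finding["severity"].upper())
    if days is None:
        return None
    return date.fromisoformat(finding["detected"]) + timedelta(days=days)


def overdue_findings(findings, today_iso):
    """Open findings past their SLA, as (id, days overdue), most overdue first."""
    today = date.fromisoformat(today_iso)
    overdue = []
    for f in findings:
        if f.get("fixed"):
            continue                      # closed: no longer counts against the SLA
        deadline = sla_deadline(f)
        if deadline is not None and today > deadline:
            overdue.append((f["id"], (today - deadline).days))
    return sorted(overdue, key=lambda item: item[1], reverse=True)


def sla_met(finding):
    """For a closed finding, whether it was fixed on or before its deadline."""
    if not finding.get("fixed"):
        return None
    deadline = sla_deadline(finding)
    if deadline is None:
        return True
    return date.fromisoformat(finding["fixed"]) <= deadline


if __name__ == "__main__":
    for fid, days in overdue_findings(FINDINGS, "2024-03-10"):
        print(f"{fid}: {days} day(s) past SLA")
```

Separating "overdue" from "SLA met on closure" matters for the quarterly evidence package: the first drives today's work, the second is what a QSA asks to see for the period.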

Why Anubiz Engineering

100% async — no calls, no meetings
Delivered in days, not weeks
Full documentation included
Production-grade from day one
Security-first approach
Post-delivery support included

Ready to get started?

Skip the research. Tell us what you need, and we'll scope it, implement it, and hand it back — fully documented and production-ready.