What is PCI compliance?
PCI compliance means adhering to the security standards set by the Payment Card Industry (PCI) Security Standards Council to protect cardholder data. The PCI council is responsible for managing the security standards, but compliance with them is enforced by the major payment card brands such as Visa® and Discover®. You can learn more about the standards by visiting the PCI Security Standards page on the PCI website.
Who needs to be PCI compliant?
If you accept or process payment cards, the PCI standards apply to you. PCI applies to any organization, regardless of its size or transaction volume, that stores, processes or transmits cardholder data. You can find out your exact compliance requirements from your payment card brand or acquirer.
How do I become PCI compliant?
You should contact your payment card brand to determine the PCI compliance requirements for your organization. Each card brand defines its own compliance levels, which determine what type of validation your entity will need to perform.
For example, Visa defines levels of compliance validation from Level 1 to Level 4 based on the volume of transactions and various risk factors such as prior data breaches.
- Level 1 merchants require the highest form of validation. If you are a Level 1 merchant, you must have a Qualified Security Assessor (QSA) complete an annual on-site assessment and file a Report on Compliance (ROC). A list of approved QSA companies is available on the PCI Security Standards Council website.
- Level 2 through Level 4 merchants must complete a PCI DSS Self-Assessment Questionnaire (SAQ) and report on their compliance annually. They are also required to perform quarterly Approved Scanning Vendor (ASV) scans.
- For more information on Visa's PCI compliance validation process, see Visa's Merchant website.
What GoDaddy products are PCI compliant?
At this time, the only GoDaddy products that offer PCI compliance are Online Store, Quick Shopping Cart, Online Bookkeeping and Online Appointments. We go through an annual audit performed by a Qualified Security Assessor (QSA) to confirm that all PCI requirements are met for each of the product environments. Assessment activities focus on our public-facing web servers, back-end processing systems, cardholder data storage database, administrative bastion hosts, supporting infrastructure, and firewalls.
Note: If you use our PCI compliant products, you still need to complete a PCI DSS Self-Assessment Questionnaire (SAQ) and report PCI compliance based on your merchant level if your payment card brand requests it. For more information, you can refer to the SAQ Instructions and Guidelines provided by the PCI council.
Do I need to have my product site scanned because my merchant processor says I do?
No. If you are using one of our PCI compliant products, you do not need to have third-party ASV scans performed. To satisfy scanning requirements, you can refer to our status as a PCI DSS validated service provider on the Visa Service Provider website.
We complete the following activities to achieve compliance as a Level 1 PCI Service Provider:
- The environment is scanned quarterly by an ASV for Online Store, Quick Shopping Cart, Online Bookkeeping and Online Appointments.
- An annual audit is performed by a Qualified Security Assessor (QSA) to confirm that all PCI requirements are met, including the quarterly scans performed by an ASV.
- The QSA submits the report on compliance for Online Store, Quick Shopping Cart, Online Bookkeeping and Online Appointments to Visa. Visa reviews the report and confirms our status as a PCI DSS validated service provider.
Are Shared, Dedicated, or Virtual Private Servers PCI compliant?
No. Currently, Shared, Dedicated, and Virtual Private Servers are not within the scope of our PCI compliance.
What about password requirements?
GoDaddy has you covered. All PCI DSS password requirements are configured for you by GoDaddy. Make sure to look out for emails notifying you when your password expires and needs to be changed. Additionally, if you ever suspect your account may have been compromised, GoDaddy recommends changing your password immediately.