Multi-Tenant Service Provider PCI Basics

What is a Multi-Tenant Service Provider?

In version 3.2.1, PCI DSS referred to “Shared Hosting Providers” in Appendix A1. But in version 4.0, the term has changed and with it, the definition has become much broader. PCI DSS defines a Multi-Tenant Service Provider as follows:

“A type of third-party service provider that offers various shared services to merchants and other service providers, where customers share system resources (such as physical or virtual servers), infrastructure, applications (including SaaS), and/or databases.” p. 298, PCI DSS v4.0 

Examples of services include but are not limited to:

  • Hosting multiple entities on a shared server
  • Providing e-commerce and/or “shopping cart” services
  • Web-based hosting services
  • Payment applications
  • Various cloud applications
  • Connections to payment gateways and processors

What’s not included and is not considered a multi-tenant service provider is co-location (co-lo) services where it is just renting equipment, space, or bandwidth. 

What Does This Mean If You’re A Merchant or Service Provider Using a Multi-Tenant Service Provider?

This means that when you get their Attestation of Compliance (AoC) that you need to make sure that they have completed Appendix A1 as part of their scope and that the service you use has been included in the scope. Your service provider should be providing evidence of the compliance status of each of their services under their Req. 12.9 requirements.


What’s Different for Multi-Tenant Service Providers?

Multi-tenant service providers have another 7 requirements on top of the service provider requirements that they have to comply with. These broadly cover:

  • Ensuring customer environments are segmented and testing this segmentation every 6 months
  • Managing access to customer environments
  • Managing access to only those resources allocated to them
  • Supporting logging for their customers
  • Having a process to support forensic investigations if there is an actual or suspected security incident
  • Having a process to support customers reporting security incidents and a process to respond to and remediate findings

At the heart of it, the focus is on ensuring that customers cannot see another customer’s data and that there is a robust process for responding to security incidents which may have a greater impact because of the shared nature of the service.