We have an eCommerce website hosted by LunarPages. Our site collects credit card numbers and transmits them to SkipJack (credit card processing agent) for processing. We do not store the numbers nor do we transmit any more of the stripe data than the acct no, expiration date and CCV number. We have hired a service to analyze our site for PCI compliance. The report comes back with a few violations, all of which have to do with the LunarPages server configuration.
Question is, who is liable for the non-compliance? Are we (the vendor) or is LunarPages (the ISP)? We are a Level 4 merchant by PCI definition. Actually, the question probably comes down to the definition of who is transmitting the data. We collect the data through our website, but I believe LunarPages would be defined as the transmitter of that data. Hence, they carry the burden of being PCI compliant and responsible for any non-compliance.