PCI Compliance
PCI compliance means meeting security standards for handling payment card data (cardholder data). These standards are set by the Payment Card Industry Security Standards Council. Compliance is mandatory for any entity that stores, processes, or transmits cardholder data.
If you run an online store that accepts card payments, your site and infrastructure are within PCI scope unless all card processing is fully outsourced to a PCI DSS-compliant provider.
Using third-party processors like Stripe via CMS plugins (e.g. WordPress/WooCommerce) can prevent card data from touching your server, drastically reducing your PCI scope. However, PCI compliance is still required — just at a lower validation level. Other regulations like GDPR apply independently and cover broader privacy concerns beyond payment security.
Krystal’s Premium/Business Tier servers are regularly scanned and certified PCI compliant at the infrastructure level, helping ensure the core hosting environment meets PCI DSS requirements.
However, you are still responsible for compliance at the application/site level. This typically involves quarterly scans by an Approved Scanning Vendor (ASV). These scans may report issues such as Common Vulnerabilities and Exposures (CVEs), including false positives due to limited scanner visibility into server configurations.
To pass a PCI scan, you must review results, fix real vulnerabilities, and dispute false positives with supporting evidence submitted to your scanning provider.
We’ve compiled a list of frequently asked questions to help you find quick answers. If you don’t see what you’re looking for, reach out directly.
What’s different between regular servers and PCI-compliant servers?
FTP (File Transfers): Regular servers let you connect without encryption. PCI servers require encryption (TLS), so your files are always transferred securely.
Email (Dovecot): Regular servers allow older, less secure connections. PCI servers only allow newer, safer versions (TLS 1.2 or higher) and block outdated or weak settings.
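The Dovecot settings behind the "TLS 1.2 or higher, no plaintext logins" distinction above can be checked before an ASV scan. The following audit script is an added example, not Krystal's tooling or a Dovecot-supplied utility; it assumes Dovecot 2.3 or later (where `ssl_min_protocol` exists) and uses constructed sample configuration, not a real server's files.

```python
"""Audit a Dovecot configuration for the TLS settings a PCI scan looks at."""
import re

# Constructed sample configs for demonstration (not copied from any server).
# The keys are genuine Dovecot settings; ssl_min_protocol assumes Dovecot 2.3+.
WEAK_CONF = """
# what a "regular server" might ship with
disable_plaintext_auth = no
ssl = yes
ssl_min_protocol = TLSv1
ssl_cert = </etc/dovecot/dovecot.pem
"""

HARDENED_CONF = """
disable_plaintext_auth = yes
ssl = required
ssl_min_protocol = TLSv1.2
ssl_prefer_server_ciphers = yes
ssl_cert = </etc/dovecot/dovecot.pem
"""

# Protocol versions from oldest to newest; anything before TLSv1.2 fails.
TLS_ORDER = ["SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"]
MIN_OK = TLS_ORDER.index("TLSv1.2")


def parse_dovecot(text: str) -> dict:
    """Return top-level `key = value` pairs, skipping comments and blank lines."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments
        m = re.match(r"^([A-Za-z_]\w*)\s*=\s*(.*)$", line)
        if m:
            settings[m.group(1)] = m.group(2).strip()
    return settings


def audit_dovecot(text: str) -> list:
    """Return findings as strings; an empty list means all three checks pass.
    Missing keys are reported rather than assumed, so the file must be explicit."""
    s = parse_dovecot(text)
    findings = []
    if s.get("disable_plaintext_auth", "").lower() != "yes":
        findings.append("disable_plaintext_auth must be yes: plaintext IMAP/POP3 logins allowed")
    if s.get("ssl", "").lower() != "required":
        findings.append("ssl must be required: clients may authenticate without TLS")
    proto = s.get("ssl_min_protocol", "(unset)")
    if proto not in TLS_ORDER or TLS_ORDER.index(proto) < MIN_OK:
        findings.append(f"ssl_min_protocol is {proto}: PCI DSS requires TLS 1.2 or higher")
    return findings


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit_dovecot(conf) or ["OK"])
```

Run it against the output of `doveconf -n` on your own server to confirm the three settings before a quarterly scan, and keep that output as evidence if a scanner reports the service incorrectly.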
Why has my FTP client stopped working after switching to a PCI-Compliant server?
This is most likely because plaintext logins have been disabled. Plaintext FTP transmits usernames and passwords without encryption, which violates PCI DSS requirements. To remain compliant, support for unencrypted FTP is disabled.
Use FTPS (FTP over TLS) or SFTP (SSH File Transfer Protocol) to connect securely. Most modern FTP clients support both—just update your connection settings.
Why is PCI compliance important?
It’s a mandatory requirement for any business that stores, processes, or transmits credit/debit card information. Non-compliance can result in fines, data breaches, and loss of ability to process payments.
Does moving to a PCI-compliant server make my website PCI compliant?
No. Server compliance reduces your scope, but your site/application must still meet PCI requirements, such as secure coding, regular vulnerability scans, and access controls.
Do I still need to run PCI scans on my website?
Yes. Even on PCI-compliant servers, you are responsible for scanning your site using an Approved Scanning Vendor (ASV). This is typically required quarterly.
How do I dispute a false positive in a PCI scan?
Gather supporting evidence (e.g. config files, headers, software versions), submit it to your ASV, and await their validation or request for further details.
For help with this, refer to our False Positive Guide.