For shared hosting providers, what is required to protect hosted environments?

Multiple Choice

Explanation:
Shared hosting creates a multi-tenant environment, so security responsibilities are shared between the provider and each customer. The hosting provider must implement controls that protect every tenant’s hosted environment and data, including proper isolation, access controls, patching, vulnerability management, and monitoring to prevent cross-tenant exposure. At the same time, each customer remains responsible for applying PCI DSS controls to its own cardholder data and processes within that hosted space, and for ensuring that its portion of PCI DSS compliance is met. This combination—provider protection of every hosted environment plus ongoing customer compliance for its own data—is the correct approach. The other options incorrectly assign sole responsibility to the provider, exempt customer data from PCI DSS, or limit the provider’s protections to only its own environment.
