In this post I will not only share with you the hosts which I recommend for hosting e-commerce websites, but also I will explain some compliance nuances which many hosting providers prefer to avoid mentioning.
Wait. Can I simply host my e-commerce website with any hosting?
Practically, yes you can. Any hosting can physically host your e-commerce website.
That’s why on many hosts you can see the sections called E-Commerce hosting, WooCommerce hosting, Magento hosting, Prestashop hosting and so on.
When reading these sections on a host's website, in most cases you see nothing but information (or rather promises) about great performance, outstanding technical support, 1-click e-commerce software install, SSL certificates and similar generic stuff.
This all sounds good. But it is simply not enough, even if every advertised perk is true.
Hey! I know, I know! The hosting must be PCI compliant!
PCI DSS stands for Payment Card Industry Data Security Standard. And complying with these standards makes your e-commerce business much safer.
And yes, you had better have PCI compliant hosting. But this is just one part of the equation to solve if you have an e-commerce website.
Moreover, there are some important nuances:
- Hosts tend to avoid saying outright that they are PCI compliant. Even the few that do say so rarely spell out the details you should know: a host can be assessed as a PCI DSS compliant service provider and hold an Attestation of Compliance (AOC), but that AOC covers only the services listed in its scope. Ask for it and check that the services you actually use (the plan, the managed database, the backups) are covered.
- Even if a host is truly PCI compliant, that is not enough for your e-commerce website to be PCI compliant.
- Having a PCI compliant website may not be enough for securing your e-commerce business.
Be aware that if you ignore PCI DSS, or simply assume your host takes care of it, you risk fines (passed on to you through your acquiring bank) ranging from several thousand dollars to a hundred thousand dollars per month and more, on top of the costs of the breach itself.
Let me explain it in the following sections.
Without going into technical details – what makes me responsible for PCI?
PCI DSS is a set of requirements to protect e-commerce businesses and their customers wherever cardholder data and/or sensitive authentication data is stored, processed or transmitted.
Every e-commerce website should adhere to and comply with PCI requirements:
- Even if you don't store the cardholder data.
- Even if you don't process the payments on your website.
- Even if you just use PayPal, Stripe or another payment gateway.
- Even if you outsource the merchant side to a third party.
In short, if a customer enters card information while on your e-commerce website (your server and/or your domain name), you are responsible for PCI compliance even if you only pass the data to a processor and never keep it. How much of the standard applies to you depends on how the payment is integrated. A full redirect to the processor, or a payment iframe the processor hosts, keeps your server out of the card data flow and qualifies for the short SAQ A self-assessment. A JavaScript or direct-post integration, where your own page draws the card fields and sends them to the processor, falls under SAQ A-EP: your web server and the JavaScript it serves are in scope, because a compromise of your page can skim cards even though they never reach your server. If card data actually arrives at your server, you are looking at the full SAQ D.
After all, you as the e-commerce business owner are responsible for complying with PCI DSS. Even if you think you outsource everything, it is your task to make sure every part and process of your business, and of your partners, that touches cardholder data is PCI compliant.
I want to host my e-commerce website. But why are most hosts not very clear about PCI compliance?
From a technical point of view, hosting an e-commerce website is generally the same as hosting any other website. That's why, to a hosting company, you as an e-commerce website owner are just another client. And hosting companies obviously want more clients.
And since you, as the e-commerce business owner, are ultimately responsible for being PCI compliant, a generic host simply does not want to educate you about all the PCI details.
PCI compliance is a highly technical matter, and it involves not only IT but also contractual and legal knowledge. Most hosts simply don't want to deal with that level of complication. And since most e-commerce website owners don't really care about being PCI compliant, why would hosting companies bother educating you?
A PCI compliant host is a solid foundation for your e-commerce business. But only advanced hosts invest time and money not only to become PCI compliant but also to train their support staff to help you become PCI compliant. Most other hosts prefer to keep quiet about it or to let you do everything yourself.
Also, some hosts make a real effort to meet the needs of e-commerce website owners. These hosts are ready to work with clients to make sure the client complies with and adheres to PCI DSS.
Thus, it is you, the e-commerce website owner, who is responsible for PCI compliance. And most hosts simply don't want to dig into the whole PCI thing: it requires investment in infrastructure, re-engineering of hosting business processes, extra training of support staff and a formal assessment.
Is it only the hosting that must be PCI compliant?
No. If you want your e-commerce business to be fully PCI compliant, then all services, products, processes, third-party providers and even physical things which are engaged in processing, storing or transmitting your customers' sensitive financial data must be PCI compliant. For example: your shop software and payment plugin, a CDN or firewall that terminates TLS in front of your site, your DNS provider, etc.
If you take orders by phone, it goes even further. Every aspect of your business connected with storing, processing or transmitting cardholder data has to be PCI compliant.
That's why PCI compliance of your e-commerce website and your hosting is necessary but may not be sufficient. Your hosting is just one part of PCI compliance, although an important part.
I have a small e-commerce website which barely makes any income. I don’t want to bother about this PCI thing at all
It looks like most e-commerce website owners do exactly that. They don't really care about PCI compliance. It all still looks like the Wild West. You take your own risks when deciding how to run your e-commerce business.
PCI DSS is not a law; it is a contractual obligation in your agreement with your acquiring bank or payment processor, and the fines are enforced through that agreement. If a data breach takes place you can be held accountable and face fines and forensic investigation costs which, for most small and even medium-sized businesses, mean huge losses or bankruptcy.
In any case, a host which is PCI compliant greatly raises your chances of avoiding trouble.
Additional links and resources for e-commerce business owners concerned about PCI compliance
Conclusions and my recommendations
If you have an e-commerce website and have anything to do with cardholder data (i.e. you store, process or simply transmit it), you must comply with and adhere to PCI DSS. It is a fairly technical set of requirements. It is not a law but a contractual obligation through your acquirer, and complying with it is what keeps you away from huge fines and liability in case of a cardholder data breach.
Although most small e-commerce businesses are not fully PCI compliant, choosing a host which understands PCI compliance (and which is PCI compliant itself in the first place) is the right thing to do. It will help you become more secure and considerably lower the risk of getting into serious trouble.
Choose a host which is not only PCI compliant itself but is also ready to help its client (i.e. you) be PCI compliant. Below I share the hosts which suit this perfectly. Even if you are not going to comply with PCI DSS to the full extent, you are better off hosting with a provider which does comply with and understands PCI.
The hosts that I recommend and which work perfectly for small and medium-sized businesses are LiquidWeb, WP Engine and Kinsta.
- My first choice of PCI compliant hosting is LiquidWeb. It's the most professional host for any web application (not just WordPress), with very reasonable pricing (e.g. here's a WooCommerce managed plan offer). LiquidWeb will work with you on your PCI compliance most thoroughly. It is not only a PCI compliant host, it also helps you become PCI compliant, including offering a PCI compliance scanning service from an Approved Scanning Vendor (the quarterly external vulnerability scans that PCI DSS requires for many merchant types).
With LiquidWeb, complying with PCI DSS is the easiest.
- WP Engine is another hosting provider that makes it easier for you to comply with PCI DSS. WP Engine focuses on managing WordPress sites only (including WooCommerce sites).
- Kinsta is another host that I recommend for e-commerce sites based on WordPress. The host works closely with you to make sure your e-commerce website is PCI compliant. This is the information on its website for e-commerce website owners who are eager to comply with PCI DSS.
- Other hosts (including shared hosting plans) also provide options for hosting e-commerce websites. But if you go with shared hosting (e.g. one from my recommended list), I suggest choosing the hosts with the best speed performance, since e-commerce websites are very resource-intensive.
I’ve got a summary table with different shared hosts’ speed tests since 2016. It may help.
Also in case of a shared hosting, I’d recommend choosing the most powerful shared hosting plan available (in terms of CPU and RAM) for better speed. It is still cheaper than fully managed hosts like the ones I recommended above all.
Besides, I’d suggest contacting sales support of each hosting and discuss your case. And go with the host that you like the most.
- Pay extra attention to your website security. Using a security plugin is a must, but not enough. You need to filter traffic before it even reaches your server. For small and mid-sized e-commerce websites Sucuri is the best choice because of the security level they provide for the price (here's an article about PCI compliance from Sucuri).
- Using TLS (what most people still call an SSL certificate) goes without saying. By the way, a free certificate from Let's Encrypt is fine: its domain-validated certificate gives you the same encryption as a paid one. What PCI DSS does care about is the server configuration behind the certificate: SSL and early TLS (TLS 1.0) have not been acceptable as a security control since mid-2018, so make sure your server only negotiates TLS 1.2 or 1.3.
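Here is a small probe that checks the point above: it attempts one TLS handshake per protocol version against your shop and reports which versions the server accepts. This is an added example, not code from the original post or from any of the hosts mentioned; the target host name is a placeholder you replace with your own, and treating TLS 1.1 as deprecated alongside TLS 1.0 is my assumption (it follows RFC 8996; check what your assessor expects).

```python
"""Probe an HTTPS endpoint for the TLS versions it will negotiate.

PCI DSS stopped accepting SSL and early TLS (TLS 1.0) as a security
control in 2018. This script pins one handshake per version and tells
you whether the server still speaks the old ones. Added example; the
host below is a placeholder, not a real shop.
"""
import socket
import ssl
import sys

# Versions a server in PCI scope must refuse. TLS 1.1 is included as an
# assumption (RFC 8996 deprecates both 1.0 and 1.1).
DEPRECATED = (ssl.TLSVersion.TLSv1, ssl.TLSVersion.TLSv1_1)
# At least one of these must be accepted.
MODERN = (ssl.TLSVersion.TLSv1_2, ssl.TLSVersion.TLSv1_3)


def handshake(host: str, port: int, version: ssl.TLSVersion,
              timeout: float = 5.0) -> bool:
    """Attempt a single handshake pinned to exactly `version`.

    Returns True if the server completed it. Any SSLError or socket error
    is reported as 'not negotiated': for the deprecated versions that is
    the outcome we want, and for the modern ones a certificate that does
    not validate also fails, which is correct for a compliance check.
    """
    ctx = ssl.create_default_context()          # verifies the certificate
    ctx.minimum_version = version
    ctx.maximum_version = version
    # Let the local OpenSSL offer the old versions at all; otherwise the
    # probe could fail on the client side rather than at the server.
    try:
        ctx.set_ciphers("DEFAULT:@SECLEVEL=0")
    except ssl.SSLError:
        pass  # LibreSSL or old OpenSSL: keep the default cipher list
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return tls.version() is not None
    except (ssl.SSLError, OSError):
        return False


def probe(host: str, port: int = 443) -> dict:
    """Probe every version once; keys are names such as 'TLSv1_2'."""
    return {v.name: handshake(host, port, v) for v in DEPRECATED + MODERN}


def evaluate(results: dict) -> tuple:
    """Turn a {version_name: accepted} map into (passed, problems).

    Fails if any deprecated version was accepted or no modern one was.
    """
    problems = [v.name for v in DEPRECATED if results.get(v.name)]
    if not any(results.get(v.name) for v in MODERN):
        problems.append("no TLS 1.2/1.3")
    return (not problems, problems)


if __name__ == "__main__":
    # Placeholder host; pass your own shop's host name as the argument.
    target = sys.argv[1] if len(sys.argv) > 1 else "shop.example"
    results = probe(target)
    ok, problems = evaluate(results)
    for name, accepted in results.items():
        print(f"{name:8s} {'accepted' if accepted else 'rejected'}")
    print("PASS" if ok else "FAIL: " + ", ".join(problems))
```

Run it as `python tls_probe.py www.yourshop.com`. A passing store rejects TLSv1 and TLSv1_1 and accepts at least one of TLSv1_2 or TLSv1_3; if the modern probes fail too, check the certificate chain first, because the probe verifies it. This is a quick self-check, not a substitute for the quarterly ASV scan an assessor will ask for.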
Your post is amazingly written and quite detailed! My cousin has been using WordPress with WooCommerce installed on it for some years now! He did not face any trouble or issues with either the hosting or WordPress and he is quite satisfied with the seamless nature of these platforms. Also, just for your information, if you are to accept card payments, your website must be PCI DSS compliant. PCI DSS is a proprietary information security standard for organizations intended to protect cardholders against misuse of their personal information.
Having an e-commerce website that runs without issues is worth a lot!
Hey Michael,
Really admirable post. I really love the way you explain things so easily.
I have a question in my mind.
Does selecting a hosting server really matter for ranking on Google?
Ayush, the short answer is No.
The longer answer is that if you go with a terrible host which will put you offline half of the time and/or make your site too slow, then it may affect ranking to some extent. But you will sooner quit the host because it will be impossible to work in the website dashboard.
Thanks for replying, Michael! It really helps me a lot.
You are welcome!
Michael,
After a long time, I have been to your blog today. Good to see your recommended hosts for eCommerce sites and sharing crucial things to consider. Usually, people don’t care about PCI compliance and all.
Jenna,
Yes, PCI compliance may sound complicated to some people.
Thanks for your comment.
G’day Michael,
It's been a little while since my last contact with you.
Your usual high standard of info (and the PDF download – Yea!) is as expected.
Thanks for the article (and the links) which I have downloaded already.
On a different note… I was thinking about your position on the internet – your email contact list, your general “followers”… etc and I am curious as to the skill level of the people who follow your postings?
If they are similar to myself (semi-skilled in websites) then would you consider regular postings on a separate blog page to explain some of the more basic upskilling ideas that people would normally use on their own websites? As a suggestion (if you use Facebook), you might add regular postings where it would be easier for people to view your posts AND share them around with others on FB… in addition to adding in your usual affiliate commission sites as you do now on your blog.
you may even like to consider allowing others to share their ideas with your followers on the same blog page to encourage positive discussion?
For example – How did you set up your page subject link to your heading (or subject matter) within your article as you have done within this article above? (I really would like to know)….
I guess what I’m asking is for you to consider catering for the less skilled website builders – like myself!
I leave this idea with you with appreciation of your skills.
sincerely
Bruce
Hey Bruce,
Glad that you enjoy my content and the PDFs 🙂
Thanks a lot for your comment and suggestion. I’ve been expecting a request like that sooner or later, but I had been reluctant to do anything about it till now LOL.
You are welcome to join my Facebook group. I published my reply to you there as it’s not very short and it’s actually a bit of off-topic 🙂
And here’s the link to my reply (for those who will see it much later).