I investigated the PCI compliance process for my small non-profit a few months back. At this point, the PCI compliance process is a sham. It is nigh impossible for any small business to comply with the PCI certification process, using a PCI compliant datacenter or not.
What it comes down to is that the credit card industry is trying to can the beast that has been growing the past 30 years. The PCI compliance process is meant to force businesses to use major credit card processors to process any credit card transaction, making sure any credit card information is never in the end-merchant's hands (or computers).
The way the PayPal PayflowPro process works is that your customer places an order on your website, then they are forwarded to PayPal's payment webpage (customized to your liking) to actually enter the payment, then the gateway sends back an 'OK' to your site, saying that the payment was processed.
This differs from what happened in the past, which is that they would enter the credit card information on your site, then you passed that information to a merchant gateway, which then gave your site the OK. There are other merchant processors that do this same thing, such as authorize.net and Google Payments.
This change means that your website, and hosted server, does not need to be PCI compliant since credit card information never passes through it. Hopefully this doesn't come across as a rant, but the way they have been implementing PCI and 'scaring' customers with PCI compliance, and charging fees along the way, has been a joke.
You'll find plenty of companies willing to sell you PCI compliance services (even on this website) but in my opinion it is merely snake oil.
No. PCI scope data is credit card numbers, which is typically referred to as the Primary Account Number (PAN).
The definition from the glossary is as follows:
"Acronym for 'primary account number' and also referred to as 'account number.' Unique payment card number (typically for credit or debit cards) that identifies the issuer and the particular cardholder account."
Nevertheless, if located in the United States, you will likely be subject to state and federal laws by storing the social security number and I would suggest you treat it as PCI scope data. If you are not PCI compliant, I would seek the particular laws applicable and treat it as sensitive as possible within your environment. A good idea would be to consult a lawyer.
From a professional perspective, I like to treat data like this as carefully as possible. I often consider how the public would react to my actions if it were to be unintentionally disclosed and act as responsibly as possible.
Best Answer
Unless you process credit card transactions, PCI compliance is irrelevant for your purposes. Even if PCI compliance is relevant to you, the SAS 70 audit is more important for the purposes of verifying physical and environmental security of your servers, among other issues. However, keep in mind that a SAS 70 audit is considered a replacement for the organization (the data center in this case) being audited over and over by their clients and their clients' auditors. Unlike most organizations, you are going to set foot in the data center and will observe many of the controls yourself. However, you should still request a copy of the report and review it. Make sure it is current. Ideally, they have a Type 2 SAS 70 audit versus a Type 1 audit. Verify whether the auditor's opinion letter is unqualified (good) or qualified (means an issue was so significant that it was pulled into the letter), and that the scope seems relevant to the services provided.