Five questions every ecomm merchant should ask their managed host

Around the $5M-$10M GMV mark, something tends to happen.


A payment processor sends a questionnaire. A new enterprise retail partner runs a vendor security review. A PE firm asks for infrastructure documentation. The store goes to their host to pull the materials together and finds out what “managed and compliant” means when someone outside the relationship needs to verify it.

These five questions are worth asking before that moment arrives, and the way a host responds tells you what you need to know.

“Are we on shared or dedicated hardware, and what does that mean for our PCI scope?”

What you’re really asking is this: when a vendor review requires evidence of environment isolation, proof of where your environment ends and another merchant’s begins, can your host actually produce it?

Ask how they’d produce it specifically for your environment, not for the server. A host on dedicated hardware answers that directly. A host on shared infrastructure will explain how secure the server is instead, which is a different question.

“What does your responsibility model cover in a PCI assessment, and is it written down?”

Ask for the documented matrix by name before you sign anything. PCI DSS 4.0.1 Requirement 12.8.5 requires a written breakdown of both parties’ responsibilities, and a host that has one sends it to you without much fanfare.

A host without one describes their responsibilities in general terms and presents that as equivalent. Those two situations feel identical in a sales call and look very different when a QSA has a two-week window and needs a document.

“Can you provide ASV scan reports scoped to our environment, not the server?”

Most hosts on shared infrastructure run scans against the server and file one report covering every account on it. Requirement 11.3.2 calls for quarterly external scans by a PCI SSC Approved Scanning Vendor covering the externally facing systems in your scope, and a server-wide report that lumps in every other tenant isn’t the same thing.

Ask which ASV they use, what the scan scope covers, and whether they can produce individual reports for your environment on a repeatable schedule. A host that answers all three and can show you a sample has done this before. One that treats it as a custom project the first time you ask has told you something useful about what every future request will look like.

“What happens to our invoice if our traffic triples on Black Friday?”

What you’re listening for is a specific answer: fixed-cost pricing that doesn’t move with traffic, a defined bandwidth threshold with a named overage rate, or a stated ceiling on burst pricing. “It depends on your server usage” is a conversation starter, not an answer, and that conversation tends to happen in December when the invoice is already in your inbox.

A retailer with 30-40% of GMV in Q4 deserves a number before the month, not an explanation after it.

“If a vendor security review requests compliance documentation, what do you provide and how quickly?”

Enterprise retail partnerships and PE processes come with structured requests: responsibility matrices, encryption policies, incident response procedures, quarterly scan evidence. Ask what they’d produce for a request like this, how long it takes, and whether you can see samples before you actually need them.

A host with a documentation library that turns these around in a defined window is not the same situation as one that builds it fresh every time. The difference comes up when someone external is already waiting on the answer, which is not the moment you want to be figuring it out.

The answers to these questions exist at every host. The difference is whether they exist as documents or as conversations. When someone external is already waiting, that distinction is the whole thing.

If you’re building a list of questions for vendor conversations and want to see how Nexcess Platform responds to them, talk to one of our experts. No agenda beyond the answers.