What ecomm shared hosting looks like during vendor security review
The buyer who finds you at a tradeshow is a different kind of opportunity. She sampled the top SKUs, liked what she saw, and three months of back and forth later, she’s ready to move forward with an initial buy. That’s the kind of partnership that changes a quarter.
Then her supplier compliance team sends an email.
The questionnaire
Before onboarding can proceed, they need you to complete a vendor security assessment. Standard process for all new digital suppliers. They want infrastructure architecture documentation, evidence of PCI compliance posture, a written breakdown of the responsibility model between your business and your hosting provider, and quarterly vulnerability scan results if available. Three weeks to respond.
You forward it to your host the same afternoon. You’ve been on managed hosting for two years. Security is part of what they sell. This should take a day or two.
Your host gets back to you. They’re helpful. The servers are PCI-compliant, they confirm, and they’ll send over their data center certifications and security documentation. You open the questionnaire alongside what they’ve sent and start going through it line by line.
Where the gap shows up
The certifications cover the certifications section. Then you get to the responsibility model question, a formal breakdown of which controls the host owns versus which ones you own under PCI DSS 4.0.1, and there’s nothing to put there. The understanding has always been that they manage the server and everything above it is on you. Nobody wrote that down. There was never a reason to.
The quarterly scan question is the same problem. They run ASV scans, but as one report against the whole server, covering every account on it. The questionnaire wants results scoped to your environment specifically. That report doesn’t exist.
You write back to the compliance contact and tell her you’re still pulling things together.
Three weeks later
You’ve sent two more updates. The buyer is still warm but the compliance process isn’t hers to move. The purchase order that was supposed to land by the end of quarter is sitting in a thread that’s getting quieter.
What you’re learning isn’t that your host did anything wrong. They do what commodity managed hosting does, which is manage the server, and they do it fine. Nobody has ever asked them to produce documentation for an external compliance review before, because nobody external has ever asked you for one before. The gap between what exists and what an enterprise retailer needs to see was always there. This is just the first time someone needed to look.
The other version of this
When the questionnaire arrives, the file already exists.
The responsibility matrix is a real document, written, covering which controls the host owns and which the merchant owns against specific PCI DSS 4.0.1 requirements. ASV scans run against individual environments and the reports are current. The response to the supplier compliance team goes back in a week.
The purchase order lands by the end of quarter. The buyer looks good internally for bringing you in. The relationship starts on the timeline everyone agreed to.
The product is exactly the same in both versions. So is the buyer’s interest in it. The difference is whether the hosting underneath the store was built to be verified by someone who doesn’t know you, doesn’t know your host, and needs the documentation to make the call for herself.
Why this matters at your stage
Most stores at $5M GMV have never been through a vendor security review, so this gap exists and hasn’t mattered yet. By $10M the partnerships that drive the next phase tend to come with procurement processes that assume the documentation is already there.
Finding out it isn’t is slower to surface than a bad Black Friday, and considerably harder to fix while the purchase order is waiting.
About the author
[Name] is a [title] at Nexcess, a Specialty Cloud company that builds solutions for ecomm merchants whose next stage of growth depends on partnerships that come with procurement teams. If your store is at that $10M threshold and you’re not sure your current setup would hold up to a vendor security review, that’s worth a conversation.