Question: We have a PCI Compliant App but are not currently PCI Compliant. If we moved this application to a PCI Compliant Web Hosting Service do we still NEED to be PCI Compliant?
Answer: Simply outsourcing some or all of your organizational functions does not mean you don’t still have to comply with the DSS. There are organizational, procedural, and documentation controls which must also be met. For example, even if you moved your app to said hosting service, you would still need to ensure that the organization itself appoints someone to handle the PCI compliance program, would still need to conduct a risk assessment, would still need to document controls used either in their own organization or by the hosted organization, would still need to have secure SDLC (systems development life cycle) processes in place, would still need to perform penetration testing against the application, etc.