For shared hosting providers, what is required to protect hosted environments?

Shared hosting creates a multi-tenant environment, so security responsibilities are shared between the provider and each customer. The hosting provider must implement controls that protect every tenant’s hosted environment and data, including proper isolation, access controls, patching, vulnerability management, and monitoring to prevent cross-tenant exposure. At the same time, each customer remains responsible for applying PCI DSS controls to its own cardholder data and processes within that hosted space, and for ensuring their portion of PCI DSS compliance is met. This combination—provider protection of every hosted environment plus ongoing customer compliance for their data—is the correct approach. The other options incorrectly assign sole responsibility to the provider, exempt customer data from PCI DSS, or limit the provider’s protections to only their own environment.