Web Hosting - Restricted Data, PCI, HIPAA

DoIT Web Hosting Service offers designated Linux and Windows platforms specifically configured to support certain types of restricted data, as defined here.

While these platforms include enhanced security controls, they are not fully PCI (Credit Card Data) or HIPAA (Health Information) compliant.

Hosting Restricted Data:

Here are the guidelines if your website or application will handle restricted data:

  • Service Level: You must subscribe to a Platinum Service Level account.

  • Security Review: Before your site goes into production, a review will be conducted by the DoIT Web Hosting team and/or the Office of Cybersecurity.

  • Access Management: It is the responsibility of the primary contacts on the Platinum account to notify DoIT Web Hosting when a developer no longer requires access. We will then remove their account, revoke firewall access, and update our records.

Platform Security Features:

Network and Access Controls

  • Systems reside on specific restricted-data subnets with tightened firewall rules.
  • Access to the Administrative Control Panel, Secure FTP (SFTP), and MySQL is limited to static WiscVPN IP addresses belonging to approved developers.

Individual Administrative Accounts

  • Each developer receives unique administrative credentials for tools such as SFTP and the Admin Control Panel.

Encrypted Communication

  • All sites will use valid TLS/SSL certificates to ensure that all data in transit is encrypted.

Application Isolation

  • Each website runs in a separate application pool (Linux/Apache and Windows/IIS) to keep applications isolated from one another.

PCI (Credit Card Data)

The restricted data platforms are not fully PCI-compliant for the direct processing, storage, or transmission of credit card data.

  • Permitted Use: Website storefronts that redirect users to an external E-Commerce provider for payment processing via a merchant account through Business Services.

  • Non-Permitted Use: Collection of credit card data that is directly processed, stored, or transmitted by your site.

HIPAA (Health Information)

The platform is not fully compliant with HIPAA security standards for Protected Health Information (PHI). However, it can host data that has been de-identified according to UW-114 Policy.


Questions? webhosting@doit.wisc.edu



Keywords:
restricted, sensitive, data, site, security, SSL, firewalls, PCI, HIPAA, PHI, secure, certificates, credit cards, payment, cashnet, storefronts
Doc ID:
29536
Owned by:
Jake S. in DoIT Web Hosting
Created:
2013-04-17
Updated:
2026-01-07
Sites:
DoIT Web Hosting