If you are a company that accepts, processes, transmits, or stores credit card payment information and you engage with a cloud service provider (CSP) to manage your infrastructure, it is important to understand how that impacts your PCI
compliance management.

Businesses that fail to comply with PCI standards risk having their data security breached, which could result in fines as high as $500,000 per incident. Your business could also be cut off from accepting credit card payments, and may end up dealing with potentially damaging customer lawsuits.

Cloud security and PCI compliance are shared responsibilities between the cloud service provider and the client. If payment card data is stored, processed, or transmitted in a cloud environment, PCI DSS will apply to that environment, and will typically involve validation of both the CSP’s infrastructure and the client’s application.

The allocation of responsibilities between client and CSP for managing security controls does not exempt a client from the responsibility of ensuring that cardholder data is properly secured according to applicable PCI DSS requirements.

When evaluating CSPs, it’s important to ask questions about their security practices and levels of responsibility. There is often a large variation in services offered by each provider. Clear policies and procedures should be agreed upon for all security requirements. Client vs. provider responsibilities for operation, management, and reporting should be clearly defined and understood for each requirement.

The folks at Coalfire have put the main points of the PCI DSS Cloud Computing Guidelines into an easy to understand executive summary.  

Five Point Summary:

1. The new supplement does not supersede or replace any requirements defined in the PCI Data Security Standard (PCI DSS). Instead, the cloud computing guidelines should be applied to:

  • Gain a better understanding of how cloud technologies impact PCI DSS compliance and management.
  • Plan and prepare for upcoming PCI DSS assessments if you do use a CSP.
  • Perform proper due diligence before selecting a CSP.

2. Share responsibility, responsibly. If you are using a CSP you are most likely sharing control responsibilities with your vendor.

  • Reminder #1: The ultimate responsibility for the cardholder data security always lies with the merchant (not the CSP) regardless of how PCI DSS responsibilities are
    mapped or contracted.
  • Reminder #2: The PCI SSC recommends minimizing the reliance on the CSP for protecting cardholder data at rest.

3. Carefully define the "In-Scope" environment. Cloud services and virtualization technologies can introduce new challenges for organizations trying to accurately define their cardholder data environment.

  • Tip: When possible, encrypt sensitive data before it hits the cloud. This will mitigate many of the data migration issues facing organizations using
    virtualization techniques.

4. Using a "PCI Compliant" provider - verify claims with your own testing. Using a "PCI Compliant" provider doesn't equate to being PCI DSS compliant yourself. This is a common misconception. 

5. Ask your CSP about common challenges:

  • Changing cardholder data environment boundaries. The perimeter boundaries between your corporate environment and those of the CSP's cloud service can
    change unexpectedly. 
    • Where does our security end and my CSP's security start?

  • Audit privileges. Many CSPs will not allow certain types of vulnerability scanning, penetration testing, or other audit related activities within their hosted environment.
    • Who tests and scans your systems?


  • Data sovereignty and legal considerations. Depending on the architecture of the CSPs cloud offering, knowing how and where your data actually resides can be difficult. 
    • Is your data shipped overseas without your knowledge?


  • Security of client systems. The security of the connected environment can adversely affect the security of the entire cloud offering.
    • Who do I share this cloud with?

To see the full PCI DSS Cloud Computing Guidelines post from Coalfire, click here.

For more information in selecting Cloud Service Providers using StrataCore’s market intelligence, click here.