The PCI DSS Cloud Computing Guidelines: An Executive Summary

Matt Getzelman, PCI Practice Director

The PCI SSC and its Cloud Special Interest Group have released their Cloud Computing Guidelines after a year of collaboration and input from SIG members. Coalfire was a big contributor to this document, and we think it is required reading for anyone who has front-line responsibility for managing compliance at companies using a Cloud Service Provider (CSP).

For everyone else, we thought it would be helpful to put together a plain-English Executive Summary: the kind of things every business leader and IT executive should know about the guidelines. Here goes:

1.    This new supplement does not supersede or replace any requirements defined in the PCI Data Security Standard (PCI DSS).  Instead, the Cloud Computing Guidelines should be used by merchants, service providers and QSA organizations to:

  • Gain a better understanding of how cloud technologies impact PCI DSS compliance management.
  • Plan and prepare for upcoming PCI DSS assessments if you do use cloud services.
  • Perform proper due diligence before selecting a Cloud Service Provider (CSP).

2.    Share responsibility -- responsibly:  If you are using a CSP, you are almost certainly sharing control responsibilities with your vendor.  Every requirement needs to be covered by someone, and the best way to document who is doing what is via a “Responsibilities Matrix”.  When we do an assessment, this is among the first things we need to look at, and if you don’t have one, ask your CSP for their version and work with your auditor to create one for your organization.

Reminder #1:  The ultimate responsibility for cardholder data security always lies with the merchant (not the CSP) regardless of how PCI DSS responsibilities are mapped or contracted.  
Reminder #2: The PCI SSC recommends minimizing the reliance on the CSP for protecting cardholder data at rest.

3.    Carefully define the “In-Scope” Environment:  Cloud services and virtualization technologies can introduce new challenges for organizations trying to accurately define their cardholder data environment (CDE).  Coalfire recommends working with your virtualization or cloud service provider to fully understand how these technologies can affect your environment and sensitive data.  Coalfire works directly with many of today’s leading technology vendors and can help guide you past the hurdles associated with this rapidly emerging technology.

Tip:  When possible, encrypt sensitive data before it hits the cloud.  This will mitigate many of the data migration issues facing organizations using virtualization technologies.

4.    Using a “PCI Compliant” Provider – verifying claims with your own testing:  Using a “PCI Compliant” company does not equate to being PCI DSS compliant yourself.  This is a fairly common misconception.  Claims of “PCI Compliance” need to be verified and your CSP’s controls must be mapped to your own compliance management process.

5.    Ask your CSP about these Common Challenges:  

  • Changing CDE Boundaries:  The perimeter boundaries between your corporate environment and that of the CSP’s cloud service can change unexpectedly.

    • Where does our security end and our CSP’s security start?

  • Audit Privileges:  Many CSPs will not allow certain types of vulnerability scanning, penetration testing or other audit related activities within their hosted environments.

    • Who tests and scans your systems?

  • Data Sovereignty and Legal Considerations:  Depending on the architecture of the CSP’s offering, knowing how and where your data actually resides can be difficult.

    • Is your data shipped overseas without your knowledge?

  • Security of Client Systems:  The security of the connected client environment can adversely affect the security of the entire cloud offering.  

    • Who do I share this cloud with?

The cloud is here to stay and the good news is this: you can definitely use a CSP and have a well-managed, fully compliant architecture. Even better, it will likely be easier to maintain compliance, given the controls provided by your CSP. Just remember that it’s still your compliance program and you need to do your due diligence.
