
Information Supplement: PCI DSS Cloud Computing Guidelines


Submitted on November 19, 2014  •  378 words (2 pages)  •  178 views


1 Executive Summary

Cloud computing is a form of distributed computing that is yet to be standardized. There are a number of factors to be considered when migrating to cloud services, and organizations need to clearly understand their needs before they can determine if and how they will be met by a particular solution or provider. As cloud computing is still an evolving technology, evaluations of risks and benefits may change as the technology becomes more established and its implications become better understood.

Cloud security is a shared responsibility between the cloud service provider (CSP) and its clients. If payment card data is stored, processed or transmitted in a cloud environment, PCI DSS will apply to that environment, and will typically involve validation of both the CSP’s infrastructure and the client’s usage of that environment. The allocation of responsibility between client and provider for managing security controls does not exempt a client from the responsibility of ensuring that their cardholder data is properly secured according to applicable PCI DSS requirements.

It’s important to note that all cloud services are not created equal. Clear policies and procedures should be agreed between client and cloud provider for all security requirements, and responsibilities for operation, management and reporting should be clearly defined and understood for each requirement.

1.1 Intended Use

This document provides guidance on the use of cloud technologies and considerations for maintaining PCI DSS controls in cloud environments. This guidance builds on that provided in the PCI DSS Virtualization Guidelines and is intended for organizations using, or thinking of using, providing, or assessing cloud technologies as part of a cardholder data environment (CDE).

This document is structured as follows:

• Executive Summary – Includes a brief summary of some key points and provides context for the remainder of the document.

• Cloud Overview – Describes the deployment and service models discussed throughout this document.

• Cloud Provider/Cloud Customer Relationships – Discusses how roles and responsibilities may differ across different cloud service and deployment models.

• PCI DSS Considerations – Provides guidance and examples to help determine responsibilities for individual PCI DSS requirements, and includes segmentation and scoping considerations.

• PCI DSS Compliance Challenges – Describes some of the challenges associated with validating PCI DSS compliance in a cloud environment.

• Additional Security Considerations – Explores a number of business and technical security considerations for the use of cloud technologies.

...
