Service Providers and PCI Compliance, Part 1 – Cloud Services and Your Obligations

September 04, 2019

This post is the first in a three-part series dedicated to companies working with service providers relating to PCI compliance.

  • Part 1 (below) focuses on working with cloud service providers and understanding the obligations of your organization and the provider.
  • Part 2 will center on third-party risk management life cycles as they apply to PCI.
  • Part 3 will discuss ways to remediate issues around due diligence deficiencies.

The PCI consulting practice at Optiv performs hundreds of PCI-related engagements each year, including ROCs, SAQs, gap assessments, readiness assessments, and executive workshops. One of the most frequently requested topics of conversation is PCI compliance in the cloud. We'll address different facets of this topic in this article.

"Cloud" is an overused IT term that means different things in different contexts. We'll address some of these perspectives here.

Infrastructure as a Service (IAAS) and PCI

Organizations using IAAS as a part of their cardholder data environment (CDE) typically design and implement an environment consisting of servers with their respective operating systems, database management systems, applications, tools, and supporting services; as well as firewalls and other network devices. The IAAS environment will probably utilize a defined demilitarized zone (DMZ).

A common misconception about cloud services is that the cloud service provider takes care of all security matters. This assumption is patently WRONG. The fact of the matter is this: no matter where, or in what form, the CDE infrastructure is located, the cloud customer is responsible for all infrastructure-related PCI controls (the only exception is physical security, which we'll cover shortly). An organization that places its workloads in the cloud is responsible for implementing and managing firewalls, intrusion prevention systems (IPS), file integrity monitoring (FIM), event logging and alerting, anti-virus, server hardening standards, network architecture, and all of the other controls regarding user and administrative access, monitoring, reviews, policies, and so on. From a PCI perspective, moving from an on-prem data center to the cloud absolves an organization of ONLY the physical security controls. However, even here, organizations are not entirely off the hook.

Regarding physical security

An organization that is in a co-location or an IAAS environment is still indirectly responsible for physical security. In these situations, organizations need to ascertain whether their co-lo or IAAS providers are themselves PCI compliant. Generally, this is done by asking for their "attestation of compliance" (AOC), a formally signed document that asserts their compliance with the applicable PCI controls. If the co-lo or IAAS provider doesn't have an AOC, organizations will have to determine through other means the degree to which the provider is PCI compliant.

Further, in any co-lo or IAAS situation, organizations should complete a PCI Responsibility Matrix. This is a worksheet that details the responsibilities for all PCI controls, specifying which party (or parties) is responsible for which controls, and how each party tests and attests to those controls. The PCI Responsibility Matrix is available from the PCI Security Standards Council in its Information Supplement on Third-Party Security Assurance. While this can be tedious to complete correctly, all parties must understand and agree to their stated responsibilities for PCI controls.

Software / Platform as a Service (SAAS/PAAS) and PCI

Organizations using SAAS or PAAS environments as a part of their CDE have obligations similar to those described in the IAAS discussion earlier. Typically, however, a SAAS or PAAS provider carries a somewhat larger share of the responsibilities than an IAAS provider does. Instead of being responsible only for physical security, a SAAS or PAAS provider will also manage its own network architecture, server security, firewalls, security monitoring, administrative access, and more.

Because of the variance among SAAS and PAAS providers, it's doubly important to complete a PCI Responsibility Matrix so that there are no ambiguities with regard to responsibility for every PCI control. This matrix is included in the PCI Security Standards Council's Information Supplement on Third-Party Security Assurance. But don't just skip to the appendix; it is important to understand the narratives as well.

Regardless of the type of relationship you have, it is critical as a cloud customer that you clearly understand your responsibilities.

Be sure to check our blog soon for Part 2 of this series, where we will explore these third-party relationships in more detail.

By: Peter Gregory

Director, Information Security

By: Sean Smith
