Service Providers and PCI Compliance, Part 1 – Cloud Services and Your Obligations

Service Providers and PCI Compliance, Part 1 – Cloud Services and Your Obligations

This post is the first in a three-part series dedicated to companies working with service providers relating to PCI compliance.


  • Part 1 (below) focuses on working with cloud service providers and understanding the obligations of your organization and the provider.
  • Part 2 will center on third-party risk management life cycles as they apply to PCI.
  • Part 3 will discuss ways to remediate issues around due diligence deficiencies.


The PCI consulting practice at Optiv performs hundreds of PCI-related engagements each year, including ROCs, SAQs, gap assessments, readiness assessments, and executive workshops. One of the frequently-requested topics of conversation is all about PCI compliance in the cloud. We’ll address different facets of this topic in this article.


"Cloud" is that overused IT pronoun that has many different meanings in different contexts. We'll address some of these perspectives here.


Infrastructure as a Service (IAAS) and PCI


Organizations using IAAS as a part of their cardholder data environment (CDE) typically design and implement an environment consisting of servers with their respective operating systems, database management systems, applications, tools, and supporting services; as well as firewalls and other network devices. The IAAS environment will probably utilize a defined demilitarized zone (DMZ).


The misnomer of cloud services is that the cloud service provider takes care of all security matters. This assumption is patently WRONG. The fact of the matter is this: no matter where, or in what form, the CDE infrastructure is located, the cloud customer is responsible for all infrastructure-related PCI controls (the only exception is physical security, which we'll cover shortly). An organization that places its workloads in the cloud is responsible for implementing and managing firewalls, intrusion prevention system (IPS), file integrity monitoring (FIM), event logging and alerting, anti-virus, server hardening standards, network architecture, and all of the other controls regarding user and administrative access controls, monitoring, reviews, policies, and so on. From a PCI perspective, moving from an on-prem data center to the cloud absolves an organization of ONLY the physical security controls. However, even here, organizations are not entirely off the hook.


Regarding physical security.


An organization that is in a co-location or an IAAS environment is still indirectly responsible for physical security. In these situations, organizations need to ascertain whether their co-lo or IAAS providers are themselves PCI compliant. Generally, this is done by asking for their "attestation of compliance" (AOC), a formally signed document that asserts their compliance to applicable PCI controls. If the co-lo or IAAS provider doesn't have this, organizations will have to determine through other means the degree to which they are PCI compliant.


Further, in any co-lo or IAAS situation, organizations should complete a PCI Responsibility Matrix. This is a worksheet that details the responsibilities for all PCI controls, specifying which party(ies) are responsible for which controls, and how they test and attest to those controls. The PCI Responsibilities Matrix is available from the PCI Standards Council in the Information Supplement on Third-Party Security Assurance document. While this can be tedious to complete correctly, all parties must understand and agree to their stated responsibilities for PCI controls.


Software / Platform as a Service (SAAS/PAAS) and PCI


Organizations using SAAS or PAAS environments that are a part of their CDE have an obligation that is similar to the IAAS discussion described earlier. Typically, a SAAS or PAAS environment will have a somewhat larger share of responsibilities than an IAAS service provider. Instead of just being responsible for physical security, a SAAS and PAAS organization will also manage its own network architecture, server security, firewalls, security monitoring, administrative access, and more.


Because of the variance among SAAS and PAAS orgs, it’s doubly important to complete a PCI Responsibility Matrix so that there are no ambiguities with regards to responsibilities for every PCI control. This matrix is included in the PCI Standards Council's Information Supplement on Third-Party Security Assurance document. But don’t just skip to the appendix; instead, it is important to understand the narratives as well.


Regardless of the type of relationship you have, it is critical as a cloud customer that you clearly understand your responsibilities.


Be sure to check our blog soon for Part 2 of this series where will explore these third party relationships in more detail.

Peter Gregory
Director, Information Security
Peter Gregory is a director in Optiv's Office of the CISO. He is a leading security technologist and strategist with a long professional history of advancing security technology, compliance and risk management at all levels of corporate culture. He has published more than 40 books and authored more than 30 articles for leading trade publications in print and online.
Sean Smith
Practice Manager, PCI Advisory Services | Optiv
Sean Smith brings over 25 years of experience in information security, architecture, risk management, compliance, governance, strategy, and executive level leadership. In Sean’s role with Optiv, he is responsible for leading Optiv’s PCI Advisory Services organization. Sean has been a QSA for over 9 years and has been working in credit card compliance since before PCI DSS version 1.0. Over the course of Sean’s tenure with Optiv he has led and delivered numerous PCI DSS assessments and vCISO engagements providing executive level strategy on cardholder compliance, information security, and risk ensuring the successful implementation of strategies that align credit card compliance and information security with client business goals.

Prior to joining Optiv, Sean has the head of information security in several level 1 merchants and service providers in healthcare, finance, and retail verticals. Sean holds many industry certifications including CISSP, CISA, QSA, ASV, Secure Software Lifecycle Assessor, and Secure Software Assessor.