PCI DSS Cloud Computing Guidelines

The PCI Security Standardscouncil is an open global firm that is responsible for the development, management, education, and an awareness of the PCI Data Security Standard (PCI DS) and other standards that increase payment data security. It has issued PCI DSS Cloud Computing Guidelines that govern payment transactions in cloud environments.

Cloud computing is a form of distributed computing that is yet to be standardized. There are number of factors to be considered when migrating to cloud services, and organizations need to clearly understand their needs before they can determine if and how they will be met by a particular solution or provider. As cloud computing is still an evolving technology, evaluations of risks and benefits may change as the technology becomes more established and its implications become better understood.

Cloud security is a shared responsibility between the cloud service provider (CSP) and its clients. If payment card data stored, processed or transmitted in a cloud environment, PCI DSS will apply to that environment, and will typically involve validation of both the CSP’s infrastructure and the client’s usage of that environment. The allocation of responsibility between client and the provider for managing security controls does not exempt a client from the responsibility of ensuring that their cardholder data is properly secured according to applicable PCD DSS requirements.

PCI DSS Cloud Computing Guidelines provides guidance on the use of cloud technologies and considerations for maintaining PCI DSS controls in cloud environment. This guidance builds on that provided in the PCI DSS Virtualization Guidelines and is intended for organizations using , or thinking of using, providing , or assessing cloud technologies as part of a cardholder data environment ( CDE)