Do I need to comply with PCI DSS since my cloud provider states that it is “Compliant”?


Background

High confidence is placed in the statement “I am PCI DSS compliant,” but what does this actually mean for the different parties involved?

Use of a PCI DSS compliant Provider does not automatically result in PCI DSS compliance for the Customers.

The Customer should confirm that the Provider is PCI DSS compliant and that the services used by the Customer were included in the Provider’s PCI DSS compliance validation.

Moreover, the Customer must still ensure that it is using the service in a compliant manner and remains ultimately responsible for the security of its cardholder data (CHD). Outsourcing the daily management of a subset of PCI DSS requirements does not remove the Customer’s responsibility to ensure that CHD is properly secured and that PCI DSS controls are met.

The Customer therefore must work with the Provider to ensure that evidence is provided to verify that PCI DSS controls are maintained on an ongoing basis.

An Attestation of Compliance (AOC) reflects a single point in time only. Maintaining compliance, however, requires ongoing monitoring and periodic confirmation (e.g., at least once per year) that controls are in place and working effectively.

Even where a cloud service is validated for certain PCI DSS requirements, this validation does not automatically transfer to the Customer environments within that cloud service.

For example, a Provider’s validation may have included use of up-to-date anti-virus software on the Provider’s systems; however, this validation might not extend to the individual Customer OS or VMs (such as in an IaaS service). Additionally, the Customer must still maintain compliance for all of its own operations, for example by ensuring that anti-virus software is installed and updated on all Customer-side systems used to connect into the cloud environment.

Similarly, a Customer’s PCI DSS compliance does not result in any claim of compliance for the Provider, even if the Customer’s validation included elements of the service managed by the Provider. As a result, a Customer should confirm that services provided by the Provider support its PCI DSS compliance.

Regarding the applicability of one party’s PCI DSS compliance to the other, consider the following:

  • If a Provider is compliant, this does not mean that its Customers are.
  • If one or more of a Provider’s Customers is compliant, this does not mean that the Provider is compliant.
  • If a Provider and the Customer are compliant, this does not mean that any other Customers are.

The Provider should ensure that any service offered as being PCI DSS compliant is accompanied by a clear and unambiguous explanation, supported by appropriate evidence, detailing which aspects of the service have been validated as compliant and which have not.

Written by: PCI
