What is PCI Compliance in the Cloud – Detailed Guide
Anwita
Nov 05, 2024
The payment card industry faces constant threats of breaches. CreditDonkey reports that credit card fraud affected 47% of Americans in the past five years. Malicious actors steal card data every two seconds, highlighting the urgency of strong security measures.
If you are a merchant who processes or accepts payment cards, you have to store card data on a secure cloud. But which service provider offers the best PCI compliant cloud?
TLDR
Some of the best PCI compliant cloud providers are IBM cloud service, AWS, DigitalOcean, Microsoft Azure, Google Cloud Platform, and Oracle Cloud.
Before partnering with a cloud provider, check their responsibility matrix and attestation of compliance.
Why should your cloud be PCI compliant?
If you are a vendor who processes, manages, or transmits cardholder data in your IT environment, compliance with the Payment Card Industry Data Security Standard or simply PCI DSS is mandatory.
PCI DSS aims to secure payment card information from fraudulent actors and unauthorized access, which can result in financial theft. When you sign up with major credit card providers such as VISA, Mastercard, and American Express, non-compliance with PCI DSS can lead to a number of consequences.
This means that your cloud service provider should implement the security controls and protocols mandated by PCI 4.0.
“One of the significant changes in PCI DSS 4.0 is the introduction of the customized approach. Unlike the prescriptive nature of earlier versions with defined controls, this version allows organizations with higher security maturity to conduct targeted risk assessments. They can determine if they qualify for the customized approach, define their own controls, and implement their own methods. This flexibility fosters innovation in payment security.”
Swapnil Tripathi, PCI QSA, ISO LA and Green belt LSS at Sprinto
Top PCI compliant cloud providers
If you accept any major card as a payment channel, you need a secure cloud provider to store cardholder data safely. Some of the top compliant cloud providers include:
IBM cloud service
IBM cloud offers Level 1 (merchants processing over six million annual transactions) service for PCI DSS. Merchants can use their cloud platform to process transactions in a PCI compliant environment. IBM platforms are PCI DSS Attestation of Compliance (AOC) certified by a Qualified Security Assessor (QSA).
IBM’s PCI services include:
- FortiGate Security Appliance to reduce risks by implementing critical security controls
- Hardware firewall that deploys an additional layer of security to protect network from external threats
- IBM QRadar Suite, an advanced threat detection and response service that helps security analysts respond to threats throughout their lifecycle
- IBM Key Protect, which securely stores and manages encryption keys across cloud deployments
AWS
Amazon Web Services (AWS) is a certified Level 1 PCI service provider. AWS offers a host of services that fully comply with PCI requirements. Some of these services are Amazon API Gateway, Amazon Chime, Amazon Fraud Detector, AWS Security Hub, and Amazon DataZone.
Amazon offers a suite of tools to help merchants stay compliant with PCI.
- Amazon GuardDuty: Detects threats and suspicious activities in your AWS environment and maintains compliance through continuous monitoring and threat detection.
- Amazon Inspector: Automates vulnerability assessments and scans for security flaws. Supports PCI compliance through regular vulnerability management and system testing.
- AWS Artifact: Offers easy access to AWS’s compliance reports, including PCI DSS AOCs to help vendors verify the compliance posture.
DigitalOcean
DigitalOcean is a multinational cloud service provider that offers a secure platform for businesses to build and run their projects. Their data centres, including NYC1, NYC3, AMS3, SFO2, and FRA1, are PCI DSS certified.
DigitalOcean runs on a shared responsibility model, a cybersecurity framework that clearly defines and divides the roles and responsibilities between the service provider and the customer. Prospects can download the compliance certifications to understand the auditing and vetting process.
Microsoft Azure
Microsoft Azure is a PCI DSS 4.0 compliant Level 1 service provider, validated through an approved QSA. Vendors can use the Azure platform to develop and manage a cardholder data environment in a PCI approved manner.
Azure also has a shared responsibility matrix that states the areas of accountability for all PCI requirements. Their policy’s built-in initiative for PCI DSS maps to compliance domains and controls, highlighting responsibilities—customer, Microsoft, or shared.
Each PCI DSS control links to Azure Policy definitions, helping assess compliance, though it offers only a partial compliance view. Azure Policy enforces standards and assesses compliance at scale. Its dashboard provides an aggregated compliance overview with drill-down options for detailed insights.
Google Cloud Platform (GCP)
GCP is one of the largest cloud computing services. It undergoes a third-party audit annually to certify its products against PCI guardrails and offer a secure environment for processing, sharing, and transmitting cardholder data. Businesses can refer to Google’s shared responsibility matrix for PCI to understand their own obligations and ensure compliance.
GCP’s step-by-step instructions for setting up a payment processing environment are listed on its website. The manual includes directions for creating a new account, restricting access to the CDE, setting up virtual resources, and implementing a secure package management solution.
Oracle Cloud
Oracle offers a comprehensive suite of integrated cloud platform services that comply fully with PCI requirements. Vendors can use their attestations to generate compliance reports and conduct independent security assessments of compliance controls.
Oracle’s services and products, such as its end-to-end cloud infrastructure, applications, NetSuite, and its platform for the healthcare industry, are all compliant with PCI DSS.
Salesforce
Salesforce is a cloud-based solution provider for sales and e-commerce services. A third-party PCI QSA evaluates its systems and processes on an annual basis and issues an AOC.
Their billing system does not store card information at any transaction touchpoint – before, during, or after billing. It transmits the card data using a token linked to the primary account number (PAN), and the token is unique for each merchant. This prevents malicious actors from stealing card data, because the token itself does not contain the actual payment information.
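To illustrate the tokenization pattern described above, here is an added example (not Salesforce's or Sprinto's code): a hypothetical in-memory token vault that keeps the PAN in one place, hands out random per-merchant tokens that carry no card data, validates the PAN with a Luhn check before accepting it, and produces the masked form PCI DSS allows for display. The vault class, merchant IDs and the 4111... test PAN are constructed for the example.

```python
import secrets


def luhn_valid(pan: str) -> bool:
    """Return True if the PAN is 13-19 digits and passes the Luhn check."""
    if not pan.isdigit() or not 13 <= len(pan) <= 19:
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Display form: at most first 6 and last 4 digits visible, rest masked."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


class TokenVault:
    """Hypothetical vault: the only component that ever holds the full PAN.

    Systems outside the vault (billing, reporting, support tools) see only
    the token and the masked PAN, so a breach of those systems exposes no
    usable card data.
    """

    def __init__(self) -> None:
        self._store: dict[str, tuple[str, str]] = {}  # token -> (merchant, pan)

    def tokenize(self, pan: str, merchant_id: str) -> str:
        if not luhn_valid(pan):
            raise ValueError("PAN failed Luhn validation")
        # Random token: no mathematical relation to the PAN, unique per call,
        # so the same card used at two merchants yields two different tokens.
        token = secrets.token_urlsafe(24)
        self._store[token] = (merchant_id, pan)
        return token

    def detokenize(self, token: str, merchant_id: str) -> str:
        """Return the PAN only to the merchant the token was issued to."""
        owner, pan = self._store[token]
        if owner != merchant_id:
            raise PermissionError("token belongs to a different merchant")
        return pan
```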
VMware Cloud
VMware, a cloud computing and virtualization technology company, is certified as a PCI DSS 3.2.1 Level 1 service provider. Its cloud deployed on AWS offers a PCI compliant software-defined data center (SDDC) that helps vendors maintain and manage compliance.
VMware functions on the principle of separation of duties and a shared responsibility model for all involved parties: the customer, VMware, and AWS.
To ensure a PCI compliant SDDC, customers are required to deploy a new VMware Cloud on AWS SDDC, configure the SDDC, migrate the systems or applications that fall within the scope of PCI, and harden the SDDC to ensure compliance.
Red Hat OpenShift
Red Hat OpenShift is a hybrid cloud and containerization platform, and it is PCI DSS 4.0 compliant. Coalfire Systems, a trusted PCI QSA, conducts the technical review of Red Hat OpenShift.
The Product Applicability Guide (PAG) evaluates how OpenShift Platform Plus aligns with PCI DSS 4.0 requirements. PAG aims to inform customers considering OpenShift for their compliance programs.
Sprinto – PCI compliance automation for cloud hosted companies
Sprinto is an end-to-end automation platform for vendors who want to implement, manage, and maintain compliance with PCI requirements.
It connects with your cloud setup to enforce PCI requirements by continuously scanning your cardholder data environment for non-compliance. This way, you can complete quarterly scans with confidence, conduct self-assessments with ease, and pass audit checks without fail.
Sprinto offers a comprehensive set of tools to enforce PCI controls, automate vulnerability detection, trigger alerts in real time, and continuously monitor the CDE.
Automate PCI DSS compliance effortlessly. Get a demo.
Partnering with PCI compliant cloud vendors: key considerations
While popular cloud providers like AWS and Google have the right measures and certifications in place, here are a few items that should be on your due diligence checklist when partnering with smaller vendors:
Attestation of compliance
A PCI attestation of compliance validates the system’s adherence to the 12 PCI DSS requirements. When you store sensitive data on a third-party system, it is the provider’s responsibility to implement the strict controls and measures that secure your data against malicious actors.
From a PCI compliance standpoint, it’s crucial to maintain an AOC from your cloud service provider. PCI DSS mandates that businesses verify their CSP’s compliance annually through a formal statement that confirms the CSP’s responsibility for meeting its requirements. If the CSP is compliant, they should provide this documentation to customers.
Shared responsibility
Your vendor has to meet a long checklist of responsibilities to provide a safe data environment, but that does not absolve you from ensuring a few things from your end.
This is where the concept of shared ownership or responsibility comes into play. When both parties have full transparency on what they are responsible for, there is little scope for error.
Before onboarding a cloud service provider, go through their responsibility matrix. Implement the necessary measures and controls to protect your data.
The smarter and faster way to compliance
Achieving PCI DSS compliance secures your data and saves costs by reducing the chances of a data breach. Sprinto simplifies this process with innovative features that help you achieve compliance quickly and efficiently. Here’s what you can do with Sprinto:
- Monitor controls and identify risks across your cloud environment with 100+ seamless integrations.
- Continuously track vulnerabilities and compliance, backed by 99% platform uptime.
- Automatically collect evidence in a PCI-auditor-approved format, ensuring hassle-free audits.
- Streamline audit processes with a connected dashboard to log and share evidence, minimizing back-and-forth communication.
- Showcase your PCI-DSS and security commitment with a dedicated trust center page.
- Rely on expert guidance and implementation support to build an air-tight compliance program.
Contact our PCI experts to learn how we can help you.
FAQs
How often should my cloud service provider undergo PCI attestation of compliance?
Your cloud service provider should be assessed by a third-party Qualified Security Assessor at least once a year. This helps to ensure that the vendor does not fall out of compliance.
What should I look for in a PCI compliant cloud provider?
Before partnering with a service provider, ensure the following:
- Verify the CSP has a current Attestation of Compliance (AOC) for PCI DSS.
- Review the CSP’s Responsibility Matrix to understand shared vs. customer responsibilities.
- Confirm the CSP performs regular vulnerability scans and penetration tests.
- Confirm the CSP provides access to detailed logs for all customer interactions.
If my cloud service provider is compliant, does that mean I am compliant?
No. If your cloud service provider is PCI compliant, that simply means they have the right measures and controls in their cloud to prevent unauthorized access to your data. You still have to undergo an audit of your own products and services against the 12 requirements of PCI DSS to ensure compliance.