PCI DSS and the Cloud – a Contradiction?

28 September 2016

Expert advice by Nicolas Schiller, consultant and PCI auditor, on dealing with cloud service providers in the context of PCI DSS.

Do I have to consider anything specific regarding my company’s PCI DSS certification when choosing a cloud provider?
Nicolas Schiller: Yes. In fact, your cloud service provider is required to meet the PCI DSS requirements as well if systems relevant to PCI are intended to be run in the cloud. Otherwise you would risk your own PCI DSS compliance.

Does that mean I have to include the cloud service provider in my own certification project?
Nicolas Schiller: While that would be possible, we wouldn’t recommend doing that. Looking at the increasing efforts needed for your own certification and the usual lack of feasibility of such an approach, we recommend selecting an already PCI-DSS-certified service provider instead.

What else should I consider when working with a cloud service provider?
Nicolas Schiller: It’s very important that responsibilities are properly assigned. Otherwise you would risk PCI DSS requirements being ignored because both contract partners assume that the other one is responsible. Besides, this is an important PCI DSS rule for working with service providers in general.

Do these requirements pose a problem when selecting a cloud service provider?
Nicolas Schiller: No, they usually don’t. The popular cloud service providers all offer PCI-DSS-certified services and usually also provide a list of assigned responsibilities.

Does that mean my company is no longer responsible for PCI DSS compliance if I outsource my PCI environment to a PCI-DSS-certified service provider?
Nicolas Schiller: Unfortunately, it’s not that simple. While it’s possible to outsource your own PCI environment to the cloud, a few or multiple tasks remain with you, depending on the service you are using. We review those on an individual basis and advise you accordingly.
