It doesn’t take a keen observer to notice that the term cloud doesn’t even exist in PCI DSS 2.0. In fact, the “Find” feature will do that for you. Sure, strides were made to include Virtualization into the fold (even in spite of many individuals arguing you don’t need to include it, just apply the standard to it), but that is only the first of many steps on the journey to the cloud.

Strange Clouds, by michaelroper

If you are on the very front edge of the cloud transformational wave, you may have had to discuss how you use cloud with your QSA. My bet? It was a painful discussion that left both parties leery of the other. My comments in this month’s Digital Transaction Magazine (page 34), and Matt Springfield’s post on the quality of QSAs, help sum up my thoughts on why this might be.

Merchants and service providers considering cloud solutions must do their best to combat against inexperienced QSAs (or the FNG) by leading them through the discussion on the architecture of the solution, and how the solution meets all the controls of PCI DSS (if it is in scope). As part of this charge, you must be responsible about truly meeting the requirements of PCI DSS and not trying to fake your way through an assessment. That won’t help you in the long run (or depending on how much you fast talk, the short run).

The main reason why you don’t see cloud in PCI DSS 2.0 is the lack of rigid definition and maturity of the technology. Many folks have their own opinions on how things should run, including vendors like the company I work for, and there is no major consensus in the market yet. So if you are considering cloud, here’s what you need to do to ensure you won’t have a snag with PCI DSS:

  1. MAP YOUR DATA! Seriously folks. I can’t stress this enough. I have yet to find the company that has a clear picture of how data flows throughout their enterprise.
  2. Show clear separation of cloud services from PCI DSS related data if you want to keep your cloud out of scope for PCI DSS.
  3. Gather required documentation to prove your cloud solution DOES comply with PCI DSS if you choose to put PCI DSS data in there (hint, most public cloud providers won’t be able to do this for you).
  4. Walk your QSA through your cloud solution, in detail, with all supporting documentation mapped out for them so you can push your way to a successful assessment.

This post originally appeared on