PCI Compliance in the Cloud: A Beginner’s Guide

By on Nov 07, 2014

If your organization handles credit or debit card information, you likely need to follow the Payment Card Industry Data Security Standard. PCI DSS is not a government regulation, but since it is required by all the major payment card brands including Visa, MasterCard, and American Express, it carries as much weight as law for a company that needs to accept credit and debit cards. For anyone new to PCI DSS it can be difficult to understand the requirements and know what your organization needs to do to avoid penalties.

Perhaps that’s why only 11% of organizations meet all 12 PCI requirements, according to a Verizon compliance report. We’ve pulled together some of the best resources on PCI, including great blogs and guides that distill what you need to know into plain English. If you’re just looking for resources, skip to the end of the post where you’ll find dozens of helpful links to get started.

What is PCI Compliance and why is it important?

The security of cardholder data is of the utmost importance to major card brands, and that’s why they merged their independent security programs into the PCI DSS and formed the Payment Card Industry Security Standards Council (PCI SSC) to keep it updated and enforced. Implementing the standards at your company can help reduce the risk of a breach involving payment card information. In the case of Target, a major breach of cardholder data damaged the company’s reputation so badly with consumers that its profit dropped 46 percent, resulting in the company ‘s CIO and CEO resigning.

Being PCI compliant also reduces the risk of fines levied by credit card brands in the event of a breach. Penalties for PCI violations are not widely publicized, but they can be severe. In 2010 Visa fined Heartland Payment Systems $60 million following a breach. In some cases, when a payment brand like Visa levies a fine, they send the bill to the merchant bank that processes your credit card transactions.

Your bank will likely pass the bill on to your company. In addition to the fine they may also increase the transaction fee for every purchase they process on your behalf or even terminate your business relationship altogether. While breaches are no longer uncommon, being PCI compliant can lessen the pain of that breach by reducing the risk of fines or other penalties.

The 12 PCI Requirements

The PCI standard is divided into 12 requirements. Each of these requirements contain detailed sub requirements. For example, Requirement 3 is focused on protecting stored cardholder data. Most of the implementation details are in the sub-requirements, such as sub-requirement 3.3 that specifies organizations must mask the payment account number, displaying in plain text no more than the first 6 and last 4 digits for most users. A customer support representative in a call center can confirm the account number using the last 4 digits and does not need access to the full account number.

For detailed information on the 12 PCI DSS requirements and their sub-requirements, check out the links and cheat sheet at the bottom of the article.

When it comes to using cloud services, there are some specific steps you’ll need to take to meet PCI DSS. First, you’ll need to audit where card data is stored and transmitted. Regardless of your policy, you may find users are inputting card numbers in cloud services as part of their normal workflow, and that you’ll need to enforce data loss prevention policies for data transmitted to the cloud. Also, since only 2.9% of services enforce strong passwords, you’ll likely need a single sign-on solution to require strong passwords for the cloud apps your employees use. For more steps to make your cloud usage PCI compliant, download the PCI Cloud Compliance Requirements Cheat Sheet.

The 4 PCI Compliance Reporting Levels

Depending on the size of your company and the volume of credit card transactions you process, there are 4 different levels you can be placed in. The lower the level, the more stringent the reporting requirements are to be PCI compliant. Visa divides merchants into levels based on their transaction volume. All companies handling payment card information need to be PCI compliant, but companies with more than 20,000 transactions per year must also get third party validation of compliance. In this case, your company needs to hire Qualified Security Assessors (QSAs) and Approved Scanning Vendors (ASVs) to perform validation.





Process less than 20,000 Visa e-commerce transactions annually and less than 1 million Visa transactions annually

  • Annual SAQ recommended
  • Quarterly network scan by ASV if applicable
  • Compliance validation requirements set by merchant bank


Process 20,000 to 1 million Visa e-commerce transactions annually

  • Annual SAQ
  • Quarterly network scan by ASV
  • Attestation of Compliance Form


Process 1 million to 6 million Visa transactions annually (all channels)

  • Annual Self-Assessment Questionnaire (“SAQ”)
  • Quarterly network scan by ASV
  • Attestation of Compliance Form


Process over 6 million Visa transactions annually (all channels)

  • Annual Report on Compliance (“ROC”) by Qualified Security Assessor (“QSA”) or Internal Auditor if signed by officer of the company
  • The internal auditor is highly recommended to obtain the PCI SSC Internal Security Assessor (“ISA”) certification
  • Quarterly network scan by Approved Scan Vendor (“ASV”)
  • Attestation of Compliance Form

If you suffer a data breach, you can be moved to a higher compliance level with more stringent reporting requirements. Since third party validation and reporting can be time consuming and expensive, being placed in a higher level after a breach can put a burden on your business since you may not have the financial resources of companies that typically have reporting requirements due to the volume of their payment transactions.


We’ve compiled the best reference guides, toolkits, blogs, and official PCI documentation in one place so you can get started. Check out the links below for more information.

Security Recommendations

PCI DSS Quick Reference Guide – The official guide to PCI DSS, thorough and easily digestible. Explains the 12 requirements in detail.

PCI DSS pre-assessment: Managing the process to limit liability – Discusses legal steps to take during the pre-assessment.

PCI automation: Discovering the benefits – Identifies areas for potential automation of maintaining PCI DSS compliance.

PCI DSS 3.1 best practices – Teases out and explains the PCI DSS’s confusing language regarding data storage.

PCI FAQs – A comprehensive FAQ for PCI.

PCI Compliance Resource Center – A repository of whitepapers, webcasts, and case studies on PCI compliance.

PCI Compliance: Preparing for Changes – Details upcoming changes to PCI that will take effect next year.

Reducing Risk and Increasing Marketability with PCI-Compliant Community Clouds – Discusses the idea of secure clouds as a supplementary measure for PCI compliance.


Toolkits and Guides

The Prioritized Approach to Pursue PCI DSS Compliance – A highly detailed roadmap to achieving PCI DSS compliance with specific milestones.

P2P Encryption – Explains the PCI-required encryption methods.

Understanding the Self-Assessment Questionnaire – Overview guide for performing a self-assessment.

Free and low-cost tools for PCI DSS Compliance – A great list of PCI compliance tools

Approved Scanning Vendors – A complete listing of PCI Council-approved companies that sell scanning software.

QSA Companies – A complete listing of PCI Council-approved companies that assess PCI compliance.


Download the PCI Compliance Checklist

Get the 12 requirements of PCI and how to make your cloud use compliant.

Download Now


PCI Guru – Thorough discussions, helpfully indexed by relevant PCI compliance requirement.

PCI DSS News and Information – A great space that pulls together best practices and case studies.

Avivah Litan, Gartner Networks Blog – Fraud and bank security analyst Avivah Litan writes about PCI compliance and security aspects of payment systems.

Chaordic Mind – Insightful posts by one of the Security B-Sides founders.

Official PCI Documents

PCI DSS – Complete Official Rules

PCI DSS Glossary of Terms – Defines some common phrases used in the standard.

Approved Companies & Providers – Approved list of third party assessors, resellers, and encryption providers.

PCI Documents Library – The complete PCI documents library.

Additional Resources

American Express Data Security Operating Policy – Lists requirements that merchants must meet in order to accept American Express cards.

Discover Information Security & Compliance (DISC) – Provides information on Discover’s requirements, reporting, and fraud help desk contacts.

JCB Data Security Program – Provides three compliance validation procedures.

MasterCard Site Data Protection and PCI – Provides details on the MasterCard Site Data Protection (SDP) Program.

Visa Cardholder Information Security Program – Provides information for merchants that accept Visa.

Visa Europe Security – Provides information on how Visa manages PCI compliance for merchants in Europe.

Verizon PCI Compliance Report – Has useful statistics on the state of PCI compliance across the industry.

About the Author

McAfee Cloud BU

Learn about cloud threats, the latest cloud security technologies, and the leading approaches for protecting data in cloud services.

Read more posts from McAfee Cloud BU

Categories: Cloud Security

Subscribe to McAfee Securing Tomorrow Blogs