
{"id":2284,"date":"2013-02-21T00:00:00","date_gmt":"2013-02-21T00:00:00","guid":{"rendered":"http:\/\/otava.test\/pci-compliance-conversations-with-a-cloud-service-provider\/"},"modified":"2013-02-21T00:00:00","modified_gmt":"2013-02-21T00:00:00","slug":"pci-compliance-conversations-with-a-cloud-service-provider","status":"publish","type":"post","link":"https:\/\/www.otava.com\/blog\/pci-compliance-conversations-with-a-cloud-service-provider\/","title":{"rendered":"PCI Compliance Conversations With A Cloud Service Provider"},"content":{"rendered":"<p>Earlier this month the PCI SSC published a new supplement, <a href=\"https:\/\/www.pcisecuritystandards.org\/pdfs\/PCI_DSS_v2_Cloud_Guidelines.pdf\">PCI DSS Cloud Computing Guidelines<\/a>, and the point repeated most throughout the resource is the need to understand the clear differences in responsibility between the merchant and the cloud service provider (CSP).<\/p>\n<p>Several things determine how specific security responsibilities are split between the merchant and the CSP, starting with the type of cloud service the merchant is looking to use. A Software-as-a-Service offering puts more responsibility on the cloud provider than an Infrastructure-as-a-Service offering, for instance. Knowing first how the cloud is going to be used will provide a strong base for the rest of the conversation.<\/p>\n<p>It\u2019s also important to have a clear understanding of which components of PCI DSS the merchant expects the cloud service provider to be responsible for. This involves obtaining a copy of the provider\u2019s ROC (Report On Compliance) to find out what measures have already been verified by the CSP. The independent audit report should shed light on the steps they take to maintain PCI compliance, and can also help the merchant ensure that their procedures are in accordance with the newest guidelines. 
Who is going to be responsible for <a href=\"https:\/\/www.onlinetech.com\/secure-hosting\/technical-security\/file-integrity-monitoring-fim\">file integrity monitoring (FIM)<\/a>, or for a <a href=\"https:\/\/www.onlinetech.com\/secure-hosting\/technical-security\/daily-log-review\">daily log review<\/a>? What about <a href=\"https:\/\/otavawebsite.wpengine.com\/solutions\/data-protection\/disaster-recovery-as-a-service\">disaster recovery options<\/a>? A merchant can\u2019t make assumptions about what services are going to be provided, but should have them carefully laid out and explained so that the merchant can properly fill the gaps.<\/p>\n<p>One of the most fundamental points to remember during a conversation with a cloud service provider is that one group\u2019s compliance does not assure the other\u2019s. Just because a CSP is <a href=\"https:\/\/www.onlinetech.com\/compliant-hosting\/pci-compliant-hosting\/overview\">PCI compliant<\/a> doesn\u2019t mean that working with them will automatically grant the merchant compliance. While it is a group effort between merchant and provider to address each component necessary to ensure a company\u2019s data is secure, the responsibility to make sure everything is sufficiently accounted for rests ultimately with the merchant. 
It is paramount that a company do its due diligence before choosing a provider.<\/p>\n<p>Supplemental Reading:<br \/>\n<a href=\"https:\/\/otavawebsite.wpengine.com\/blog\/pci-compliance-with-service-providers\/\">PCI Compliance With Service Providers<\/a><br \/>\n<a href=\"https:\/\/otavawebsite.wpengine.com\/blog\/cloud-computing-and-compliance\/\">Cloud Computing and Compliance<\/a><br \/>\n<a href=\"https:\/\/otavawebsite.wpengine.com\/blog\/8-questions-to-ask-your-pci-hosting-provider\/\">8 Questions to Ask Your PCI Hosting Provider<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Earlier this month the PCI SSC published a new supplement, PCI DSS Cloud Computing Guidelines, and the point repeated most throughout the resource is the need to understand the clear differences in responsibility between the merchant and the cloud service provider (CSP). Several things determine how specific security responsibilities are split between the merchant and the CSP, starting with the type of cloud service the merchant is looking to use. A Software-as-a-Service offering puts more responsibility on the cloud provider than an Infrastructure-as-a-Service offering, for instance. Knowing first how the cloud is going to be used will provide a strong base for the rest of the conversation. It\u2019s also important to have a clear understanding of which components of PCI DSS the merchant expects the cloud service provider to be responsible for. This involves obtaining a copy of the provider\u2019s ROC (Report On Compliance) to find out what measures have already been verified by the CSP. The independent audit report should shed light on the steps they take to maintain PCI compliance, and can also help the merchant ensure that their procedures are in accordance with the newest guidelines. 
Who is going to be responsible for file integrity&#8230;<\/p>\n","protected":false},"author":3,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[1],"tags":[],"other_category":[],"class_list":["post-2284","post","type-post","status-publish","format-standard","hentry","category-uncategorized"],"acf":[],"yoast_head_json":{"title":"PCI Compliance Conversations With A Cloud Service Provider | OTAVA","description":"One of the most fundamental points during a conversation with a cloud service provider is that one group\u2019s compliance does not assure the other\u2019s.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.otava.com\/blog\/pci-compliance-conversations-with-a-cloud-service-provider\/","og_locale":"en_US","og_type":"article","og_title":"PCI Compliance Conversations With A Cloud Service Provider","og_description":"One of the most fundamental points during a conversation with a cloud service provider is that one group\u2019s compliance does not assure the other\u2019s.","og_url":"https:\/\/www.otava.com\/blog\/pci-compliance-conversations-with-a-cloud-service-provider\/","og_site_name":"OTAVA","article_published_time":"2013-02-21T00:00:00+00:00","author":"Irma Brillantes","twitter_card":"summary_large_image","twitter_misc":{"Written by":"Irma Brillantes","Est. 
reading time":"2 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/www.otava.com\/blog\/pci-compliance-conversations-with-a-cloud-service-provider\/#article","isPartOf":{"@id":"https:\/\/www.otava.com\/blog\/pci-compliance-conversations-with-a-cloud-service-provider\/"},"author":{"name":"Irma Brillantes","@id":"https:\/\/www.otava.com\/#\/schema\/person\/35774075f8f4fcdd4eae80cb72034263"},"headline":"PCI Compliance Conversations With A Cloud Service Provider","datePublished":"2013-02-21T00:00:00+00:00","mainEntityOfPage":{"@id":"https:\/\/www.otava.com\/blog\/pci-compliance-conversations-with-a-cloud-service-provider\/"},"wordCount":372,"commentCount":0,"publisher":{"@id":"https:\/\/www.otava.com\/#organization"},"inLanguage":"en-US","potentialAction":[{"@type":"CommentAction","name":"Comment","target":["https:\/\/www.otava.com\/blog\/pci-compliance-conversations-with-a-cloud-service-provider\/#respond"]}]},{"@type":"WebPage","@id":"https:\/\/www.otava.com\/blog\/pci-compliance-conversations-with-a-cloud-service-provider\/","url":"https:\/\/www.otava.com\/blog\/pci-compliance-conversations-with-a-cloud-service-provider\/","name":"PCI Compliance Conversations With A Cloud Service Provider | OTAVA","isPartOf":{"@id":"https:\/\/www.otava.com\/#website"},"datePublished":"2013-02-21T00:00:00+00:00","description":"One of the most fundamental points during a conversation with a cloud service provider is that one group\u2019s compliance does not assure the 
other\u2019s.","breadcrumb":{"@id":"https:\/\/www.otava.com\/blog\/pci-compliance-conversations-with-a-cloud-service-provider\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.otava.com\/blog\/pci-compliance-conversations-with-a-cloud-service-provider\/"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/www.otava.com\/blog\/pci-compliance-conversations-with-a-cloud-service-provider\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/www.otava.com\/"},{"@type":"ListItem","position":2,"name":"PCI Compliance Conversations With A Cloud Service Provider"}]},{"@type":"WebSite","@id":"https:\/\/www.otava.com\/#website","url":"https:\/\/www.otava.com\/","name":"OTAVA\u00ae","description":"","publisher":{"@id":"https:\/\/www.otava.com\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.otava.com\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/www.otava.com\/#organization","name":"OTAVA\u00ae","url":"https:\/\/www.otava.com\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.otava.com\/#\/schema\/logo\/image\/","url":"https:\/\/www.otava.com\/wp-content\/uploads\/2025\/03\/otava-logo.svg","contentUrl":"https:\/\/www.otava.com\/wp-content\/uploads\/2025\/03\/otava-logo.svg","caption":"OTAVA\u00ae"},"image":{"@id":"https:\/\/www.otava.com\/#\/schema\/logo\/image\/"}},{"@type":"Person","@id":"https:\/\/www.otava.com\/#\/schema\/person\/35774075f8f4fcdd4eae80cb72034263","name":"Irma 
Brillantes","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/secure.gravatar.com\/avatar\/d5251bebc1699793a698d1a6158603cb3cdc50a095a12357e42d415b3e5546c2?s=96&d=mm&r=g","url":"https:\/\/secure.gravatar.com\/avatar\/d5251bebc1699793a698d1a6158603cb3cdc50a095a12357e42d415b3e5546c2?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/d5251bebc1699793a698d1a6158603cb3cdc50a095a12357e42d415b3e5546c2?s=96&d=mm&r=g","caption":"Irma Brillantes"},"url":"https:\/\/www.otava.com\/blog\/author\/ibrillantesotava-com\/"}]}},"_links":{"self":[{"href":"https:\/\/www.otava.com\/wp-json\/wp\/v2\/posts\/2284","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.otava.com\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.otava.com\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.otava.com\/wp-json\/wp\/v2\/users\/3"}],"replies":[{"embeddable":true,"href":"https:\/\/www.otava.com\/wp-json\/wp\/v2\/comments?post=2284"}],"version-history":[{"count":0,"href":"https:\/\/www.otava.com\/wp-json\/wp\/v2\/posts\/2284\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.otava.com\/wp-json\/wp\/v2\/media?parent=2284"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.otava.com\/wp-json\/wp\/v2\/categories?post=2284"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.otava.com\/wp-json\/wp\/v2\/tags?post=2284"},{"taxonomy":"other_category","embeddable":true,"href":"https:\/\/www.otava.com\/wp-json\/wp\/v2\/other_category?post=2284"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}