Question 39
Domain 1: Cloud Architecture, Governance, and Risk Management
Which PCI DSS requirement applies specifically to cloud environments processing payment card data?
Correct answer: B
Explanation
PCI DSS requires shared responsibility to be defined when payment card data is processed in the cloud, so the entity and cloud provider know which controls each must manage. A clear delineation of PCI responsibilities ensures security requirements are assigned and implemented without gaps in the cloud environment.
Why each option is right or wrong
A. All cloud providers are automatically PCI compliant
B. Clear delineation of PCI responsibilities between the entity and cloud provider
PCI DSS v4.0, Requirement 12.8, specifically requires organizations to maintain and implement policies and procedures to manage service providers, including cloud providers, and to document the responsibilities for each PCI DSS requirement that is shared or outsourced. The cloud context matters because the standard expects the entity to identify which controls remain with the merchant/service provider and which are handled by the cloud provider, so there is no ambiguity over who secures the cardholder data environment.
C. Cloud is prohibited for any cardholder data processing
D. Annual pen testing is not required in cloud environments