ESC
Type to search guides, tutorials, and reference documentation.
Verified by Garnet Grid

PCI DSS in Cloud Environments

Implement Payment Card Industry Data Security Standard (PCI DSS) compliance in cloud-native architectures. Covers cardholder data handling, network segmentation, encryption, and cloud-specific controls.

PCI DSS compliance in the cloud is simultaneously easier and harder than on-premises. Easier because cloud providers handle physical security, hardware lifecycle, and some network controls for you. Harder because the shared responsibility model means you need to know exactly which controls are yours, which are the provider’s, and which fall in the gap between.

PCI DSS Requirements Overview

RequirementCategoryEngineering Focus
1. Network segmentationBuild and maintain secure networkVPC design, security groups, WAF
2. Secure configurationsProtect system componentsHardened images, no defaults
3. Protect cardholder dataProtect stored dataEncryption, tokenization, masking
4. Encrypt transmissionEncrypt data in transitTLS 1.2+, certificate management
5. Anti-malwareMaintain vulnerability managementContainer scanning, endpoint protection
6. Secure developmentDevelop secure systemsSAST, DAST, code review
7. Restrict accessAccess controlRBAC, least privilege, MFA
8. Identify and authenticateAuthenticationUnique IDs, MFA, password policy
9. Physical securityRestrict physical accessCloud provider responsibility
10. Logging and monitoringTrack and monitor accessAudit logs, SIEM, alerting
11. Security testingRegular testingPen testing, vulnerability scanning
12. Security policyMaintain security policyDocumentation, training

Reducing PCI Scope with Tokenization

Without tokenization (full PCI scope):
    Customer → Your app → Your database (stores card numbers)
    → Your app, servers, databases, network ALL in PCI scope

With tokenization (minimal PCI scope):
    Customer → Stripe.js/Braintree Drop-in (card never touches your server)
    → Stripe returns token → Your app stores token only
    → Your app, servers, databases are OUT of PCI scope
Payment ApproachPCI ScopeSAQ Level
Hosted payment page (Stripe Checkout)MinimalSAQ A
iFrame embed (Stripe Elements)LowSAQ A-EP
Direct API with tokenizationMediumSAQ D
Store card data yourselfFullSAQ D (hardest)

Cloud Network Segmentation

CDE (Cardholder Data Environment) Isolation

VPC Architecture:
    ┌─────────────────────────────────────┐
    │            Public Subnet            │
    │   Load Balancer (WAF-protected)     │
    ├─────────────────────────────────────┤
    │         Application Subnet          │
    │   App servers (no card data)        │
    ├─────────────────────────────────────┤
    │           CDE Subnet                │ ← PCI scope
    │   Payment processing service        │
    │   No internet access                │
    │   Restrictive security groups       │
    ├─────────────────────────────────────┤
    │          Database Subnet            │ ← PCI scope if stores CHD
    │   Encrypted RDS/Cloud SQL           │
    │   No internet access                │
    └─────────────────────────────────────┘

Security Group Rules for CDE

DirectionSource/DestinationPortProtocolPurpose
InboundApp subnet only443HTTPSPayment API calls
InboundManagement subnet22/3389SSH/RDPAdmin access (MFA required)
OutboundPayment processor443HTTPSStripe/Braintree API
OutboundNoneAllAllDefault deny outbound

Encryption Requirements

Data StateRequirementImplementation
Card data at restAES-256, keys rotated annuallyCloud KMS + application-layer encryption
Card data in transitTLS 1.2+Enforce HTTPS, HSTS, strong cipher suites
Key managementDual control, split knowledgeCloud KMS with IAM-restricted access
PAN displayMask all but first 6 / last 4Application-level masking
PAN in logsNever log full PANLog redaction + automated scanning

Logging and Monitoring (Requirement 10)

EventLog FieldsRetention
All access to cardholder dataUser, timestamp, data accessed, action1 year (3 months immediately available)
Admin actionsUser, action, system, timestamp1 year
Authentication eventsUser, success/failure, IP, timestamp1 year
Access to audit logsUser, timestamp1 year
Changes to security configurationsUser, setting, before/after, timestamp1 year

Monitoring Alerts

AlertTriggerResponse
Multiple failed login attempts> 5 failures in 10 minInvestigate, potentially lock account
Access to CDE from new IPIP not in allowlistVerify authorization
Bulk data export> N records accessed in M minutesInvestigate potential exfiltration
Security group changeAny change to CDE security groupsVerify change was authorized

Cloud Provider Shared Responsibility

ControlAWSAzureGCPYour Responsibility
Physical securityNone
Hypervisor securityNone
Network infrastructureSecurity group configuration
OS patchingSharedSharedSharedApply patches on your VMs/containers
Application securityFull responsibility
Data encryptionTools providedTools providedTools providedConfiguration and key management
IAMTools providedTools providedTools providedPolicy configuration and review

Anti-Patterns

Anti-PatternPCI RiskFix
Card numbers in application logsPAN exposureLog redaction + automated PAN scanning
Flat network (no CDE segmentation)Entire infrastructure in PCI scopeVPC segmentation, CDE subnet isolation
Shared admin accountsNo individual accountabilityUnique IDs + MFA + audit trail
Annual vulnerability scan onlyMissed vulnerabilities between scansQuarterly scans + continuous container scanning
Storing card data “for convenience”Maximum PCI scopeUse tokenization (Stripe, Braintree)

Checklist

  • PCI scope minimized via tokenization (SAQ A or SAQ A-EP)
  • CDE network segmented with restrictive security groups
  • AES-256 encryption at rest for any stored card data
  • TLS 1.2+ enforced for all data in transit
  • Key management via cloud KMS with access controls
  • PAN masked in display (first 6 / last 4 only)
  • PAN never appears in logs (automated scanning to verify)
  • Audit logging for all CDE access (1-year retention)
  • Quarterly vulnerability scans + annual penetration test
  • MFA enforced for all CDE access
  • Cloud shared responsibility documented and controls mapped

:::note[Source] This guide is derived from operational intelligence at Garnet Grid Consulting. For PCI compliance consulting, visit garnetgrid.com. :::

Jakub Dimitri Rezayev
Jakub Dimitri Rezayev
Founder & Chief Architect • Garnet Grid Consulting

Jakub holds an M.S. in Customer Intelligence & Analytics and a B.S. in Finance & Computer Science from Pace University. With deep expertise spanning D365 F&O, Azure, Power BI, and AI/ML systems, he architects enterprise solutions that bridge legacy systems and modern technology — and has led multi-million dollar ERP implementations for Fortune 500 supply chains.

View Full Profile →

More in Compliance & Governance

Automated Compliance Scanning

Continuously scan infrastructure and code for compliance violations. Covers policy-as-code, CIS benchmarks, automated remediation, audit evidence generation, and the patterns that shift compliance from periodic audits to continuous verification.

Read guide →

Cloud Compliance Continuous Monitoring Architecture

Production-ready guide covering cloud compliance continuous monitoring architecture with implementation patterns, code examples, and anti-patterns for enterprise engineering teams.

Read guide →

CCPA Data Engineering

Implement California Consumer Privacy Act technical requirements. Covers data discovery, consumer request automation, data deletion pipelines, opt-out mechanisms, privacy signals, and the patterns that make CCPA compliance a technical capability.

Read guide →