The PCI Security Standards Council is a global forum for the ongoing development,
enhancement, storage, dissemination, and
implementation of security standards for account data protection. The Standards Council was
established by the major credit card associations (Visa, MasterCard, American Express,
Discover, JCB) as a separate organization to define appropriate practices that merchants
and service providers should follow to protect cardholder data. It is this council of
companies that created the Payment Card Industry (PCI) Data Security Standards (DSS).

PCI DSS is a set of network security and business best practices guidelines adopted by
the PCI Security Standards Council to establish a “minimum security standard” to
protect customers’ payment card information. The scope of the PCI DSS includes all systems,
networks, and applications that process, store, or transmit cardholder data, and also systems
that are used to secure and log access to the systems in scope.

Google Cloud undergoes an annual third-party audit to certify individual products against the
PCI DSS. This means that these services provide an infrastructure upon which customers may
build their own services or applications which store, process, or transmit cardholder data.
It is important to note that customers are still responsible for ensuring that their
applications are PCI DSS compliant. To learn how to use Google Cloud Platform to implement
PCI DSS in your application, see Creating a PCI-DSS-Compliant Environment.

The following Google Cloud services have been reviewed by an independent Qualified
Security Assessor and determined to be PCI DSS 3.2 compliant. This means that these
services provide an
infrastructure upon which customers may build their own service or application which stores,
processes, or transmits cardholder data. We have created this matrix
to help explain the shared responsibility between Google and its customers.