The PCI Security Standards Council is a global forum for the ongoing development, enhancement, storage, dissemination, and implementation of security standards for account data protection. The Standards Council was established by the major credit card associations (Visa, MasterCard, American Express, Discover, JCB) as a separate organization to define appropriate practices that merchants and service providers should follow to protect cardholder data. It is this council of companies that created the Payment Card Industry (PCI) Data Security Standards (DSS).
PCI DSS is a set of network security and business best practices guidelines adopted by the PCI Security Standards Council to establish a “minimum security standard” to protect customers’ payment card information. The scope of the PCI DSS includes all systems, networks, and applications that process, store, or transmit cardholder data, and also systems that are used to secure and log access to the systems in scope.
Google Cloud undergoes at least an annual third-party audit to certify individual products against the PCI DSS. This means that these services provide an infrastructure upon which customers may build their own services or applications which store, process, or transmit cardholder data.
It is important to note that customers are still responsible for ensuring that their applications are PCI DSS compliant. To learn how to use Google Cloud Platform to implement PCI DSS in your application, see Creating a PCI-DSS-Compliant Environment.
The following Google Cloud services have been reviewed by an independent Qualified Security Assessor and determined to be PCI DSS 3.2 compliant. This means that these services provide an infrastructure upon which customers may build their own service or application which stores, processes, or transmits cardholder data. We have created this matrix to help explain the shared responsibility between Google and its customers.
How does Google Cloud support my organization’s PCI DSS compliance efforts?
We provide information on this page to help you understand how Google Cloud supports customers PCI DSS compliance. There is also a shared responsibility matrix that can help your organization understand the shared responsibility between your organization and Google, which we also recommend you review as part of your compliance efforts.
To whom does the PCI DSS apply?
The PCI-DSS standard applies to any organization no matter what size that accepts, transmits, or stores cardholder data. Google Cloud can help an organization meet their PCI DSS obligations for customers who use the proper services and implement solutions in accordance with the PCI-DSS requirements.
Does Google Cloud have an acquirer available for our solution?
An acquirer is a bank or other entity that processes payment card transactions on behalf of another organization. Google Cloud does not have an acquirer available for organizations that use Google Cloud.