
Google Cloud Platform: PCI DSS v3.2.1 Shared Responsibility Matrix

August 2021

For more information, visit https://cloud.google.com/security/compliance/ August 2021 1


Introduction 3
Definitions 4
Requirement 1: Install and maintain a firewall configuration to protect cardholder data 5
Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters. 10
Requirement 3: Protect stored cardholder data. 13
Requirement 4: Encrypt transmission of cardholder data across open, public networks. 19
Requirement 5: Use and regularly update anti-virus software or programs. 21
Requirement 6: Develop and maintain secure systems and applications. 23
Requirement 7: Restrict access to cardholder data by business need to know. 30
Requirement 8: Identify and authenticate access to system components. 33
Requirement 9: Restrict physical access to cardholder data. 40
Requirement 10: Track and monitor all access to network resources and cardholder data. 46
Requirement 11: Regularly test security systems and processes. 53
Requirement 12: Maintain a policy that addresses information security for all personnel. 58
Appendix: Additional Requirements for Entities using SSL/early TLS 64



Introduction

Google Cloud Platform (GCP) was designed with security as a core design component. Google uses a variety of technologies and processes to secure information stored on Google servers. Google has obtained independent validation of the Payment Card Industry Data Security Standard (PCI DSS) requirements that apply to GCP technologies and infrastructure managed by Google. Google offers customers a great deal of control over their instances running on Google's infrastructure. Google does not control security of the operating systems, packages or applications that customers deploy on GCP. It is the customer's responsibility to comply with the PCI DSS requirements that relate to operating systems, packages and applications deployed by the customer, and to the customer's configurations in multi-cloud or hybrid cloud models outside the GCP boundary.

GCP adheres to the PCI DSS requirements set forth for a Level 1 Service Provider. This document outlines each requirement that Google complies with on behalf of customers that use GCP to deliver PCI-compliant products and services. If a requirement is not included in this document, GCP is not performing that requirement on behalf of its clients. With respect to the cloud hosting services that GCP delivers to its customers, responsibility for the various PCI DSS requirements varies: some requirements are the sole responsibility of GCP, some are the sole responsibility of the customer, and some are shared between both parties. GCP's support for PCI DSS does not apply to the customer's activities outside the GCP boundary. We recommend that customers reference the responsibility matrix in this document as they pursue PCI compliance; it is intended as a working tool for conducting their own PCI audits.



Definitions

Google: The service provider.

Google Cloud Platform (GCP) responsibility: The requirement in question is the responsibility of, and implemented by, Google. A Qualified Security Assessor has assessed and validated these requirements and found GCP to be compliant with PCI DSS v3.2.1. These requirements, which support the customer's PCI DSS efforts but which the customer cannot manage directly, are the sole responsibility of GCP.

Customer responsibility: The requirement in question is the responsibility of, and implemented by, the customer. These requirements were not applicable to Google Cloud services as designed; they are customer responsibilities. Customers of GCP bear sole responsibility for meeting their own PCI DSS compliance for these requirements.

Shared responsibility: Both the customer and Google are responsible for implementing parts of the requirement. A Qualified Security Assessor has assessed and validated these specific requirements and found GCP to be compliant with PCI DSS v3.2.1. However, customers of GCP share some responsibility and must take action in order to meet their own PCI DSS compliance for these requirements.

Service Provider: The Service Provider, as defined by the requirement, is Google.

POS: Point of Sale.

PCI DSS: Payment Card Industry Data Security Standard.



Customer Responsibility Summary

Each row of the matrix gives the PCI DSS v3.2.1 requirement, which party is responsible (GCP, Customer, or Shared), the customer responsibility for each product family, and the Google responsibility summary. The product families and the products they cover are:

Compute: App Engine, Bare Metal, Compute Engine, Cloud Run, Preemptible VMs, Shielded VMs

Networking: Cloud Armor, Cloud NAT, Hybrid Connectivity, Network Intelligence Center, Network Telemetry, Service Directory, Traffic Director, Virtual Private Cloud (VPC)

Storage: Archive Storage, Cloud Storage, Filestore, Local SSD, Persistent Disk

Security: Access Transparency, Assured Workloads, Binary Authorization, Chronicle, Cloud Asset Inventory, Cloud Data Loss Prevention, Cloud Key Management, Firewalls, Secret Manager, Security Command Center, Shielded VMs, VPC Service Controls; and Identity and Access: Cloud Identity, Identity and Access Management, Identity-Aware Proxy, Identity Platform, Managed Service for Microsoft Active Directory, Policy Intelligence, Resource Manager, Titan Security Key

Requirement 1: Install and maintain a firewall configuration to protect cardholder data
1.1 Establish and implement firewall and router configuration standards that include the following:
Responsibility: Shared
Compute, Networking, Security: Customers are responsible for formalizing change control processes around approval and testing of network connections, i.e. GCP firewall rules that impact their VPC and GCE.
Storage: Not Applicable
Google Responsibility Summary: Google's internal production network and systems have been assessed against and comply with this requirement.

1.1.1 A formal process for approving and testing all network connections and changes to the firewall and router configurations.
Responsibility: Shared
Compute, Networking, Security: Customers are responsible for formalizing change control processes around approval and testing of network connections, i.e. GCP firewall rules that impact their VPC and GCE.
Storage: Not Applicable
Google Responsibility Summary: Google's internal production network and systems have been assessed against and comply with this requirement.

1.1.2 Current network diagram that identifies all connections between the cardholder data environment and other networks, including any wireless networks.
Responsibility: Customer
Compute, Networking, Security: Customers are responsible for maintaining their own network diagrams specific to their CDE that identify all connections between their CDE and any other networks.
Storage: Not Applicable
Google Responsibility Summary: Not Applicable

1.1.3 Current diagram that shows all cardholder data flows across systems and networks.
Responsibility: Customer
Compute, Networking, Security: Customers are responsible for maintaining their own dataflow diagrams specific to their CDE.
Storage: Not Applicable
Google Responsibility Summary: Not Applicable



1.1.4 Requirements for a firewall at each Internet connection and between any demilitarized zone (DMZ) and the internal network zone.
Responsibility: Shared
Compute, Networking, Security: GCP customers implementing GCE are responsible for implementing perimeter firewalls and configuring firewall rules and ACLs through any APIs and other user interfaces for their in-scope services. GCP customers are responsible for developing appropriate firewall rules or using additional firewall technologies to build appropriate DMZ and internal networks. GCP customers are responsible for reviewing the connectivity models and exposure of their GCE instances to their data stores, for ensuring that appropriate zones are created, and for ensuring that access mechanisms to data stores holding cardholder data are not directly exposed to the Internet.
Storage: Not Applicable
Google Responsibility Summary: Firewalls that comply with this requirement have been implemented by Google to control access to the Google production network and to GCP products and services implemented by Google.

1.1.5 Description of groups, roles, and responsibilities for management of network components.
Responsibility: Shared
Compute, Networking, Security: Customers are responsible for defining responsibilities for management of GCP firewall rules and any other network configurations.
Storage: Not Applicable
Google Responsibility Summary: Google's internal production network and systems have been assessed against and comply with this requirement.

1.1.6 Documentation of business justification and approval for use of all services, protocols, and ports allowed, including documentation of security features implemented for those protocols considered to be insecure.
Responsibility: Shared
Compute, Networking, Security: Customers are responsible for documenting and justifying each inbound/outbound GCP firewall rule. Customers are responsible for documenting the ports and protocols in use, with justification for the inbound/outbound rules in place. Customers are responsible for identifying insecure services and implementing appropriate controls and security features to limit the risk of those protocols being used.
Storage: Not Applicable
Google Responsibility Summary: Firewalls that comply with this requirement have been implemented by Google to control access to the Google production network and to GCP products and services implemented by Google.

1.1.7 Requirement to review firewall and router rule sets at least every six months.
Responsibility: Shared
Compute, Networking, Security: Customers are responsible for reviewing, at least every six months, their virtual firewalls and the other network technology and services used to filter traffic into the CDE. This includes, but may not be limited to, GCE, GCS, and GCP VPC firewall rules.
Storage: Not Applicable
Google Responsibility Summary: Firewalls that comply with this requirement have been implemented by Google to control access to the Google production network and to GCP products and services implemented by Google.



1.2 Build firewall and router configurations that restrict connections between untrusted networks and any system components in the cardholder data environment.
Responsibility: Shared
Compute: Customers are responsible for implementing firewall rules that limit ingress and egress traffic to the defined ports and protocols necessary for their GCE instances and deny all other traffic.
Networking: Customers are responsible for implementing firewall rules that limit ingress and egress traffic to defined ports and protocols and deny all other traffic. Customers must use purpose-defined networks rather than the default network with its pre-configured rules, use secure ports and protocols, restrict inbound/outbound connectivity to that which is necessary, and deny all other traffic.
Storage: Not Applicable
Security: Customers are responsible for implementing GCP firewall rules that limit inbound/outbound traffic to only business-justified and necessary traffic. Customers must define explicit GCP firewall rules and deny all other traffic. Customers are responsible for verifying inbound and outbound traffic for their CDE, which includes GCE, GCS, and GCP VPCs, and for denying any traffic that is not explicitly required for the GCP product to function.
Google Responsibility Summary: Firewalls that comply with this requirement have been implemented by Google to control access to the Google production network and to GCP products and services implemented by Google.

1.2.1 Restrict inbound and outbound traffic to that which is necessary for the cardholder data environment, and specifically deny all other traffic.
Responsibility: Shared
Compute, Networking, Security: Customers are responsible for implementing GCP firewall rules that limit inbound/outbound traffic to only business-justified and necessary traffic. Customers must define explicit GCP firewall rules and deny all other traffic. Customers are responsible for verifying inbound and outbound traffic for their CDE, which includes GCE, GCS, and GCP VPCs, and for denying any traffic that is not explicitly required for the GCP product to function.
Storage: Not Applicable
Google Responsibility Summary: Firewalls that comply with this requirement have been implemented by Google to control access to the Google production network and to GCP products and services implemented by Google.

1.2.2 Secure and synchronize router configuration files.
Responsibility: GCP
Compute, Networking, Storage, Security: Not Applicable
Google Responsibility Summary: Google's internal production network and systems have been assessed against and comply with this requirement. Customers using GCP can rely on the GCP AOC for router configuration security and synchronization.

1.2.3 Install perimeter firewalls between all wireless networks and the cardholder data environment, and configure these firewalls to deny or, if traffic is necessary for business purposes, permit only authorized traffic between the wireless environment and the cardholder data environment.
Responsibility: Shared
Compute, Networking, Security: Customers that use wireless networks are responsible for isolating their cardholder data environment from those wireless networks.
Storage: Not Applicable
Google Responsibility Summary: GCP maintains the perimeter firewalls and controls traffic between wireless networks and systems in GCP data centers.

1.3 Prohibit direct public access between the Internet and any system component in the cardholder data environment.
Responsibility: Shared
Compute: Customers are responsible for implementing firewall rules that limit ingress traffic to the defined ports and protocols necessary for GCE instances within their DMZ.
Networking: Customers are responsible for implementing firewall rules that limit ingress traffic to defined ports and protocols and deny all other traffic. Customers must use purpose-defined networks rather than the default network with its pre-configured rules, use secure ports and protocols, restrict inbound/outbound connectivity to that which is necessary, and deny all other traffic.
Storage: Not Applicable
Security: Customers are responsible for implementing perimeter firewalls and configuring firewall rules and ACLs for their in-scope GCP products. Customers are responsible for developing appropriate firewall rules or using additional firewall technologies to build appropriate DMZ and internal networks.
Google Responsibility Summary: Firewalls that comply with this requirement have been implemented by Google to control access to the Google production network and to GCP products and services implemented by Google.



1.3.1 Implement a DMZ to limit inbound traffic to only system components that provide authorized publicly accessible services, protocols, and ports.
Responsibility: Shared
Compute: Customers are responsible for implementing firewall rules that limit ingress traffic to the defined ports and protocols necessary for GCE instances within their DMZ.
Networking: Customers are responsible for implementing firewall rules that limit ingress traffic to defined ports and protocols and deny all other traffic. Customers must use purpose-defined networks rather than the default network with its pre-configured rules, use secure ports and protocols, restrict inbound/outbound connectivity to that which is necessary, and deny all other traffic.
Storage: Not Applicable
Security: Customers are responsible for implementing perimeter firewalls and configuring firewall rules and ACLs for their in-scope GCP products. Customers are responsible for developing appropriate firewall rules or using additional firewall technologies to build appropriate DMZ and internal networks.
Google Responsibility Summary: Firewalls that comply with this requirement have been implemented by Google to control access to the Google production network and to GCP products and services implemented by Google.

1.3.2 Limit inbound Internet traffic to IP addresses within the DMZ.
Responsibility: Shared
Compute: Customers are responsible for implementing firewall rules that limit ingress traffic to the defined ports and protocols necessary for GCE instances within their DMZ.
Networking: Customers are responsible for implementing firewall rules that limit ingress traffic to defined ports and protocols and deny all other traffic. Customers must use purpose-defined networks rather than the default network with its pre-configured rules, use secure ports and protocols, restrict inbound/outbound connectivity to that which is necessary, and deny all other traffic.
Storage: Not Applicable
Security: Customers are responsible for implementing perimeter firewalls and configuring firewall rules and ACLs for their in-scope GCP products. Customers are responsible for developing appropriate firewall rules or using additional firewall technologies to build appropriate DMZ and internal networks.
Google Responsibility Summary: Firewalls that comply with this requirement have been implemented by Google to control access to the Google production network and to GCP products and services implemented by Google.

1.3.3 Implement anti-spoofing measures to detect and block forged source IP addresses from entering the network.
Responsibility: GCP
Compute, Networking, Storage, Security: Not Applicable
Google Responsibility Summary: GCP firewalls perform anti-spoofing by default. As such, customers can rely on the GCP AOC for compliance with anti-spoofing controls.

1.3.4 Do not allow unauthorized outbound traffic from the cardholder data environment to the Internet.
Responsibility: Shared
Compute, Networking, Security: Customers are responsible for implementing perimeter firewalls and configuring firewall rules and ACLs for their in-scope GCP products. Customers are responsible for developing appropriate firewall rules or using additional firewall technologies to build appropriate DMZ and internal networks.
Storage: Not Applicable
Google Responsibility Summary: Firewalls that comply with this requirement have been implemented by Google to control access to the Google production network and to GCP products and services implemented by Google.

1.3.5 Permit only "established" connections into the network.
Responsibility: GCP
Compute, Networking, Storage, Security: Not Applicable
Google Responsibility Summary: GCP firewalls perform stateful packet inspection by default, and customers can rely on the GCP AOC for compliance with stateful packet inspection controls.

1.3.6 Place system components that store cardholder data (such as a database) in an internal network zone, segregated from the DMZ and other untrusted networks.
Responsibility: Customer
Compute, Networking, Security: Customers are responsible for developing appropriate firewall rules or using additional firewall technologies to build appropriate internal networks, and for ensuring that any systems storing CHD are located within private internal networks.
Storage: Not Applicable
Google Responsibility Summary: Not Applicable

1.3.7 Do not disclose private IP addresses and routing information to unauthorized parties.
Responsibility: Shared
Compute, Networking, Security: Customers are responsible for developing appropriate configuration on GCE to prevent the disclosure of IP addresses and routing information.
Storage: Not Applicable
Google Responsibility Summary: Google has PCI DSS compliance responsibility for dedicated internal Google production and management network systems. For compute resources that Google provides to customers as part of a customer's GCP project, the PCI compliance of those resources is the customer's responsibility.



1.4 Install personal firewall software or equivalent functionality on any portable computing devices (including company and/or employee-owned) that connect to the Internet when outside the network (for example, laptops used by employees), and which are also used to access the CDE.
Responsibility: Customer
Compute, Networking, Security: Customers are responsible for implementing personal firewall rules on systems with direct connectivity to the Internet that are used to manage the CDE within GCP.
Storage: Not Applicable
Google Responsibility Summary: Not Applicable

1.5 Ensure that security policies and operational procedures for managing firewalls are documented, in use, and known to all affected parties.
Responsibility: Customer
Compute, Networking, Security: Customers are responsible for ensuring that their policies and procedures are documented and known to all affected parties.
Storage: Not Applicable
Google Responsibility Summary: Not Applicable
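The customer-side duties in 1.1.6, 1.1.7, 1.2, 1.2.1 and 1.3.x above (justify every allowed port, review the rule set at least every six months, keep the CDE off the default network, expose only DMZ targets to the Internet, and deny everything else explicitly) can be checked mechanically against the VPC firewall rule set. The script below is an added example written for this page, not Google's code and not part of the matrix; it reads the JSON shape that `gcloud compute firewall-rules list --format=json` produces, and everything else (the `dmz` target tag convention, the list of insecure ports, and the sample rule set) is an assumption made for the example.

```python
"""Firewall rule review for a CDE VPC (PCI DSS 1.1.6, 1.1.7, 1.2, 1.2.1, 1.3.x).

Input shape follows `gcloud compute firewall-rules list --format=json`.
SAMPLE_RULES is constructed for this example; it is not a real project.
"""
import ipaddress
from dataclasses import dataclass

# Assumption for this example: ports treated as "insecure services" (1.1.6).
# A real review uses the customer's own documented list.
INSECURE_PORTS = {"21": "ftp", "23": "telnet", "69": "tftp", "80": "http",
                  "3389": "rdp", "5900": "vnc"}


@dataclass(frozen=True)
class Finding:
    rule: str          # firewall rule name, or network name for network-level findings
    requirement: str   # PCI DSS v3.2.1 requirement the finding relates to
    message: str


def _is_anywhere(cidr):
    """True for a range covering the whole address space (0.0.0.0/0 or ::/0)."""
    try:
        return ipaddress.ip_network(cidr, strict=False).prefixlen == 0
    except ValueError:
        return False


def _insecure_ports(allowed):
    """Yield insecure ports that fall inside any allowed port or port range."""
    for entry in allowed:
        for spec in entry.get("ports", []):
            lo, _, hi = spec.partition("-")
            hi = hi or lo
            for port in INSECURE_PORTS:
                if int(lo) <= int(port) <= int(hi):
                    yield port


def review_firewall_rules(rules, dmz_tags=("dmz",)):
    """Return findings for all enabled rules; dmz_tags are the target tags of DMZ hosts (assumed)."""
    findings = []
    catch_all = {}  # network -> whether an explicit deny-all INGRESS / EGRESS rule exists
    for rule in rules:
        if rule.get("disabled"):
            continue
        name = rule["name"]
        network = rule["network"].rsplit("/", 1)[-1]
        direction = rule.get("direction", "INGRESS")
        state = catch_all.setdefault(network, {"INGRESS": False, "EGRESS": False})
        if network == "default":
            findings.append(Finding(name, "1.2", "rule is on the pre-populated 'default' network; the CDE belongs in a purpose-built VPC"))
        ranges = rule.get("sourceRanges" if direction == "INGRESS" else "destinationRanges", [])
        anywhere = any(_is_anywhere(c) for c in ranges)
        scoped = bool(rule.get("targetTags") or rule.get("targetServiceAccounts"))
        allowed, denied = rule.get("allowed", []), rule.get("denied", [])
        # An unscoped deny-all over 0.0.0.0/0 is the explicit "deny all other traffic" rule of 1.2.1.
        if denied and anywhere and not scoped and any(d["IPProtocol"] == "all" for d in denied):
            state[direction] = True
            continue
        if not (allowed and anywhere):
            continue  # allow rules from private ranges or tags are out of scope for these checks
        if direction == "EGRESS":
            findings.append(Finding(name, "1.3.4", "allows outbound traffic from the CDE to any Internet address"))
            continue
        if not scoped:
            findings.append(Finding(name, "1.3.2", "Internet ingress is allowed to every instance in the network, not only DMZ targets"))
        elif not set(rule.get("targetTags", [])) & set(dmz_tags):
            findings.append(Finding(name, "1.3.1", f"Internet ingress is allowed to non-DMZ targets {sorted(rule.get('targetTags', []))}"))
        if any(a["IPProtocol"] in ("all", "tcp", "udp") and not a.get("ports") for a in allowed):
            findings.append(Finding(name, "1.2.1", "allows a whole protocol (all ports) from the Internet"))
        for port in sorted(set(_insecure_ports(allowed))):
            findings.append(Finding(name, "1.1.6", f"insecure service {INSECURE_PORTS[port]} (port {port}) exposed to the Internet; document justification and compensating controls"))
    for network, state in catch_all.items():
        if network == "default":
            continue  # already flagged rule by rule
        if not state["INGRESS"]:
            findings.append(Finding(network, "1.2.1", "no explicit deny-all ingress rule (GCP's implied deny does not appear in the reviewable rule set)"))
        if not state["EGRESS"]:
            findings.append(Finding(network, "1.3.4", "no explicit deny-all egress rule; GCP's implied rule allows all egress"))
    return findings


NET = "https://www.googleapis.com/compute/v1/projects/example-pci/global/networks/"
SAMPLE_RULES = [  # constructed sample, not a real project
    {"name": "allow-ssh-from-anywhere", "network": NET + "default", "direction": "INGRESS",
     "priority": 1000, "sourceRanges": ["0.0.0.0/0"], "allowed": [{"IPProtocol": "tcp", "ports": ["22"]}]},
    {"name": "cde-allow-https-dmz", "network": NET + "cde-vpc", "direction": "INGRESS", "priority": 1000,
     "sourceRanges": ["0.0.0.0/0"], "targetTags": ["dmz"], "allowed": [{"IPProtocol": "tcp", "ports": ["443"]}]},
    {"name": "cde-allow-telnet-app", "network": NET + "cde-vpc", "direction": "INGRESS", "priority": 1000,
     "sourceRanges": ["0.0.0.0/0"], "targetTags": ["app"], "allowed": [{"IPProtocol": "tcp", "ports": ["20-25"]}]},
    {"name": "cde-allow-db-from-app", "network": NET + "cde-vpc", "direction": "INGRESS", "priority": 1000,
     "sourceTags": ["app"], "targetTags": ["db"], "allowed": [{"IPProtocol": "tcp", "ports": ["5432"]}]},
    {"name": "cde-deny-all-ingress", "network": NET + "cde-vpc", "direction": "INGRESS", "priority": 65000,
     "sourceRanges": ["0.0.0.0/0"], "denied": [{"IPProtocol": "all"}]},
    {"name": "cde-deny-all-egress", "network": NET + "cde-vpc", "direction": "EGRESS", "priority": 65000,
     "destinationRanges": ["0.0.0.0/0"], "denied": [{"IPProtocol": "all"}]},
    {"name": "old-allow-all", "network": NET + "cde-vpc", "direction": "INGRESS", "priority": 100,
     "disabled": True, "sourceRanges": ["0.0.0.0/0"], "allowed": [{"IPProtocol": "all"}]},
]

if __name__ == "__main__":
    for f in review_firewall_rules(SAMPLE_RULES):
        print(f"{f.requirement:6} {f.rule:26} {f.message}")
```

On the sample set the review flags the SSH rule on the default network (1.2 and 1.3.2) and the telnet/ftp exposure to non-DMZ `app` hosts (1.3.1 and two 1.1.6 findings), while the DMZ HTTPS rule, the tag-to-tag database rule and the disabled legacy rule pass. Removing `cde-deny-all-egress` produces a network-level 1.3.4 finding, because GCP's implied egress rule allows all outbound traffic and only an explicit deny satisfies "deny all other traffic". Rule priority is not checked here; a review also confirms that the deny-all rules sit at a lower priority (higher number) than every intentional allow.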




Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters.
2.1 Always change vendor-supplied defaults and remove or disable unnecessary default accounts before installing a system on the network.
Responsibility: Shared
Compute, Networking, Storage, Security: Customers are responsible for changing vendor-supplied defaults, as applicable, on GCP products deployed within the customer's CDE.
Google Responsibility Summary: Google has PCI DSS compliance responsibility for dedicated internal Google production and management network systems.

2.1.1 For wireless environments connected to the cardholder data environment or transmitting cardholder data, change ALL wireless vendor defaults at installation, including but not limited to default wireless encryption keys, passwords, and SNMP community strings.
Responsibility: Customer
Compute, Networking, Storage, Security: GCP does not host any wireless networks that transmit cardholder data. Customers are responsible for management of their networks, including those with wireless connectivity.
Google Responsibility Summary: Not Applicable. No wireless networks are connected to the cardholder data environment relating to GCP.

2.2 Develop configuration standards for all system components. Assure that these standards address all known security vulnerabilities and are consistent with industry-accepted system hardening standards.
Sources of industry-accepted system hardening standards may include, but are not limited to:
• Center for Internet Security (CIS)
• International Organization for Standardization (ISO)
• SysAdmin Audit Network Security (SANS) Institute
• National Institute of Standards and Technology (NIST)
Responsibility: Shared
Compute, Networking, Storage, Security: Customers are responsible for documenting, developing and implementing configuration standards for the GCP products in use within the CDE. This includes configuration standards for GCE, VPC, and GCS based on industry standards and hardening guidelines.
Google Responsibility Summary: Google has implemented configuration standards for the infrastructure underlying in-scope GCP products that comply with this PCI DSS requirement.

2.2.1 Implement only one primary function per server to prevent functions that require different security levels from co-existing on the same server. (For example, web servers, database servers, and DNS should be implemented on separate servers.)
Note: Where virtualization technologies are in use, implement only one primary function per virtual system component.
Responsibility: GCP and Customer (shared)
Compute / Networking / Security: Customers are responsible for ensuring that only one primary function is implemented per customer-managed GCP product.
Storage: Not Applicable
Google Responsibility Summary: Google has implemented configuration standards for the infrastructure underlying GCP products in scope that comply with this PCI DSS requirement.

2.2.2 Enable only necessary services, protocols, daemons, etc., as required for the function of the system.
Responsibility: GCP and Customer (shared)
Compute / Networking / Storage / Security: GCP customers are responsible for documenting the functional and security configuration standards of GCP services used within the CDE to ensure that the secure state designed for the service can be maintained.
Google Responsibility Summary: Google has implemented configuration standards for the infrastructure underlying GCP products in scope that comply with this PCI DSS requirement.

2.2.3 Implement additional security features for any required services, protocols, or daemons that are considered to be insecure.
Responsibility: Customer
Compute / Networking / Storage / Security: Customers are responsible for documenting, developing and implementing configuration standards, including additional features required for any insecure service, protocol, daemon, etc. employed on the GCP products deployed within the CDE.
Google Responsibility Summary: Not Applicable. The GCP product does not implement services, protocols or daemons deemed insecure.

2.2.4 Configure system security parameters to prevent misuse.
Responsibility: GCP and Customer (shared)
Compute / Networking / Storage / Security: GCP customers are responsible for documenting the functional and security configuration standards of GCP services used within the CDE to ensure that the secure state designed for the service can be maintained.
Google Responsibility Summary: Google has implemented configuration standards for the infrastructure underlying GCP products in scope that comply with this PCI DSS requirement.

2.2.5 Remove all unnecessary functionality, such as scripts, drivers, features, subsystems, file systems, and unnecessary web servers.
Responsibility: GCP and Customer (shared)
Compute / Networking / Storage / Security: GCP customers are responsible for documenting the functional and security configuration standards of GCP services used within the CDE to ensure that the secure state designed for the service can be maintained.
Google Responsibility Summary: Google has implemented configuration standards for the infrastructure underlying GCP products in scope that comply with this PCI DSS requirement.

2.3 Encrypt all non-console administrative access using strong cryptography.
Responsibility: GCP and Customer (shared)
Compute / Networking / Storage / Security: GCP customers are responsible for ensuring secure communication for administrative access to the server instances, including Windows Remote Desktop (RDP) using “High Encryption” or “FIPS compatible” encryption settings, or SSH v2 or above with appropriate SSH keys.
Google Responsibility Summary: Google has implemented controls for secure administrative access for the in-scope production infrastructure underlying GCP.

2.4 Maintain an inventory of system components that are in scope for PCI DSS.
Responsibility: Customer
Compute / Networking / Storage / Security: Customers are responsible for maintaining an inventory of GCP GCE instances that are in scope for their compliance.
Google Responsibility Summary: Not Applicable

2.5 Ensure that security policies and operational procedures for managing vendor defaults and other security parameters are documented, in use, and known to all affected parties.
Responsibility: Customer
Compute / Networking / Storage / Security: Customers are responsible for ensuring that their policies and procedures are documented and known to all affected parties.
Google Responsibility Summary: Not Applicable

2.6 Shared hosting providers must protect each entity’s hosted environment and cardholder data. These providers must meet specific requirements as detailed in Appendix A1: Additional PCI DSS Requirements for Shared Hosting Providers.
Responsibility: Customer
Compute / Networking / Storage / Security: Customers may also be considered a shared hosting provider if they run applications or store data for their customers. In this case, customers are responsible for protecting their customer’s data within GCP services.
Google Responsibility Summary: Not Applicable

Matrix columns: PCI DSS v3.2.1 Requirements | GCP | Customer | Customer Responsibility Summary (Compute | Networking | Storage | Security) | Google Responsibility Summary
Products in scope per column:
Compute: App Engine, Bare Metal, Compute Engine, Cloud Run, Preemptible VMs, Shielded VMs
Networking: Cloud Armor, Cloud NAT, Hybrid Connectivity, Network Intelligence Center, Network Telemetry, Service Directory, Traffic Director, Virtual Private Cloud (VPC)
Storage: Archive Storage, Cloud Storage, Filestore, Local SSD, Persistent Disk
Security: Access Transparency, Assured Workloads, Binary Authorization, Chronicle, Cloud Asset Inventory, Cloud Data Loss Prevention, Cloud Key Management, Firewalls, Secret Manager, Security Command Center, Shielded VMs, VPC Service Controls
Security (Identity and Access): Cloud Identity, Identity and Access Management, Identity-Aware Proxy, Identity Platform, Managed Service for Microsoft Active Directory, Policy Intelligence, Resource Manager, Titan Security Key

Requirement 3: Protect stored cardholder data.


3.1 Keep cardholder data storage to a minimum by implementing data retention and disposal policies, procedures and processes that include at least the following for all cardholder data (CHD) storage:
• Limiting data storage amount and retention time to that which is required for legal, regulatory, and/or business requirements
• Specific retention requirements for cardholder data
• Processes for secure deletion of data when no longer needed
• A quarterly process for identifying and securely deleting stored cardholder data that exceeds defined retention.
Responsibility: Customer
Compute / Networking / Storage / Security: Customers are responsible for maintaining appropriate data retention policies, procedures, and processes for maintaining PCI Data Security Standard (PCI DSS) requirements.
Google Responsibility Summary: Not Applicable

3.2 Do not store sensitive authentication data after authorization (even if encrypted). If sensitive authentication data is received, render all data unrecoverable upon completion of the authorization process.
Responsibility: Customer
Compute / Networking / Storage / Security: Customers are responsible for maintaining appropriate data retention policies, procedures, and processes for maintaining PCI Data Security Standard (PCI DSS) requirements.
Google Responsibility Summary: Not Applicable

3.2.1 Do not store the full contents of any track (from the magnetic stripe located on the back of a card, equivalent data contained on a chip, or elsewhere) after authorization. This data is alternatively called full track, track, track 1, track 2, and magnetic-stripe data.
Note: In the normal course of business, the following data elements from the magnetic stripe may need to be retained:
• The cardholder’s name
• Primary account number (PAN)
• Expiration date
• Service code
To minimize risk, store only these data elements as needed for business.
Responsibility: Customer
Compute / Networking / Storage / Security: Customers are responsible for maintaining appropriate data retention policies, procedures, and processes for maintaining PCI Data Security Standard (PCI DSS) requirements.
Google Responsibility Summary: Not Applicable

3.2.2 Do not store the card verification code or value (three-digit or four-digit number printed on the front or back of a payment card used to verify card-not-present transactions) after authorization.
Responsibility: Customer
Compute / Networking / Storage / Security: Customers are responsible for maintaining appropriate data retention policies, procedures, and processes for maintaining PCI Data Security Standard (PCI DSS) requirements.
Google Responsibility Summary: Not Applicable

3.2.3 Do not store the personal identification number (PIN) or the encrypted PIN block after authorization.
Responsibility: Customer
Compute / Networking / Storage / Security: Customers are responsible for maintaining appropriate data retention policies, procedures, and processes for maintaining PCI Data Security Standard (PCI DSS) requirements.
Google Responsibility Summary: Not Applicable

3.3 Mask PAN when displayed (the first six and last four digits are the maximum number of digits to be displayed), such that only personnel with a legitimate business need can see more than the first six/last four digits of the PAN.
Note: This requirement does not supersede stricter requirements in place for displays of cardholder data—for example, legal or payment card brand requirements for point-of-sale (POS) receipts.
Responsibility: Customer
Compute / Networking / Storage / Security: Customers are responsible for maintaining appropriate data retention policies, procedures, and processes for maintaining PCI Data Security Standard (PCI DSS) requirements.
Google Responsibility Summary: Not Applicable

3.4 Render PAN unreadable anywhere it is stored (including on portable digital media, backup media, and in logs) by using any of the following approaches:
• One-way hashes based on strong cryptography (hash must be of the entire PAN)
• Truncation (hashing cannot be used to replace the truncated segment of PAN)
• Index tokens and pads (pads must be securely stored)
• Strong cryptography with associated key-management processes and procedures.
Note: It is a relatively trivial effort for a malicious individual to reconstruct original PAN data if they have access to both the truncated and hashed version of a PAN. Where hashed and truncated versions of the same PAN are present in an entity’s environment, additional controls must be in place to ensure that the hashed and truncated versions cannot be correlated to reconstruct the original PAN.
Responsibility: Customer
Compute / Storage / Security: Customers are responsible for maintaining appropriate data retention policies and procedures, encryption technologies and key management processes for maintaining PCI DSS requirements.
Networking: Not Applicable
Customers are also responsible for the creation, usage, and management of customer encryption keys in accordance with PCI DSS controls for these GCP Products.
Google Responsibility Summary: Not Applicable
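As an added example (not Google's or the PCI SSC's code) of the masking, truncation and hashing forms that 3.3 and 3.4 describe, the Python below masks a PAN for display, truncates it for storage, hashes the entire PAN, and redacts PANs from a log line. The keyed HMAC variant is an assumed "additional control" against correlating the hashed and truncated versions (the page does not name one), and the PAN, key and log line are constructed test values.

```python
"""PAN masking, truncation and hashing helpers for PCI DSS 3.3 and 3.4."""
import hashlib
import hmac
import re

# 3.3: at most the first six and last four digits may ever be displayed, and
# a truncated value (3.4) keeps no more than that either.
MAX_LEADING = 6
MAX_TRAILING = 4


def luhn_valid(pan: str) -> bool:
    """True when `pan` is 13-19 digits and passes the Luhn check digit."""
    if not pan.isdigit() or not 13 <= len(pan) <= 19:
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:              # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def _check(pan: str, leading: int, trailing: int) -> None:
    if not luhn_valid(pan):
        raise ValueError("not a well-formed PAN")
    if not (0 <= leading <= MAX_LEADING and 0 <= trailing <= MAX_TRAILING):
        raise ValueError("3.3/3.4 permit at most the first six and last four digits")


def mask_pan(pan: str, leading: int = MAX_LEADING, trailing: int = MAX_TRAILING) -> str:
    """3.3 display form: the hidden digits are replaced by '*'."""
    _check(pan, leading, trailing)
    hidden = len(pan) - leading - trailing
    return pan[:leading] + "*" * hidden + pan[len(pan) - trailing:]


def truncate_pan(pan: str, leading: int = MAX_LEADING, trailing: int = MAX_TRAILING) -> str:
    """3.4 truncation: the stored value drops the middle digits entirely."""
    _check(pan, leading, trailing)
    return pan[:leading] + pan[len(pan) - trailing:]


def hash_pan_unkeyed(pan: str) -> str:
    """3.4 one-way hash of the ENTIRE PAN. Deterministic and unkeyed, so anyone
    holding the truncated form only has to try the hidden digits to match it;
    that is the correlation risk described in the requirement's note."""
    _check(pan, MAX_LEADING, MAX_TRAILING)
    return hashlib.sha256(pan.encode("ascii")).hexdigest()


def hash_pan_keyed(pan: str, key: bytes) -> str:
    """Assumed additional control (not named on the page): HMAC-SHA256 over the
    entire PAN with a key held under Requirement 3.5/3.6 key management, so the
    digest cannot be recomputed, and therefore not correlated, without the key."""
    _check(pan, MAX_LEADING, MAX_TRAILING)
    if len(key) < 32:
        raise ValueError("use a key of at least 256 bits")
    return hmac.new(key, pan.encode("ascii"), hashlib.sha256).hexdigest()


def hidden_candidates(pan_len: int, leading: int = MAX_LEADING, trailing: int = MAX_TRAILING) -> int:
    """How many PANs share one truncated form (Luhn ignored): the whole search
    space an unkeyed hash leaves to someone who also holds the truncation."""
    return 10 ** (pan_len - leading - trailing)


_DIGIT_RUN = re.compile(r"(?<!\d)\d{13,19}(?!\d)")


def redact_pans(text: str) -> str:
    """3.4 applies 'in logs' too: replace every Luhn-valid digit run in free
    text with its masked form so the log never holds a readable PAN."""
    def _sub(match):
        run = match.group(0)
        return mask_pan(run) if luhn_valid(run) else run
    return _DIGIT_RUN.sub(_sub, text)


if __name__ == "__main__":
    # Constructed sample values: a well-known test PAN, a placeholder key
    # (a real one comes from the key-management system) and an invented log line.
    pan = "4111111111111111"
    key = b"\x01" * 32
    print(mask_pan(pan), truncate_pan(pan), hidden_candidates(len(pan)))
    print(hash_pan_unkeyed(pan)[:16], hash_pan_keyed(pan, key)[:16])
    print(redact_pans("2021-08-01 order 17 paid with 4111111111111111 ok"))
```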

3.4.1 If disk encryption is used (rather than file- or column-level database encryption), logical access must be managed separately and independently of native operating system authentication and access control mechanisms (for example, by not using local user account databases or general network login credentials). Decryption keys must not be associated with user accounts.
Note: This requirement applies in addition to all other PCI DSS encryption and key-management requirements.
Responsibility: Customer
Compute / Storage / Security: Customers are responsible for maintaining appropriate data retention policies and procedures, encryption technologies and key management processes for maintaining PCI DSS requirements.
Networking: Not Applicable
Customers are also responsible for the creation, usage, and management of customer encryption keys in accordance with PCI DSS controls for these GCP Products.
Google Responsibility Summary: Not Applicable

3.5 Document and implement procedures to protect keys used to secure stored cardholder data against disclosure and misuse.
Responsibility: GCP and Customer (shared)
Compute / Storage / Security: Customers are responsible for maintaining appropriate data retention policies and procedures, encryption technologies and key management processes for maintaining PCI DSS requirements.
Networking: Not Applicable
Customers are also responsible for the creation, usage, and management of customer encryption keys in accordance with PCI DSS controls for these GCP Products.
Google Responsibility Summary: For customers using Cloud Key Management System (KMS) or Cloud Hardware Security Module (HSM), Google has PCI DSS compliance responsibility for dedicated internal Google Production and management network systems.

3.5.1 Additional requirement for service providers only: Maintain a documented description of the cryptographic architecture that includes:
• Details of all algorithms, protocols, and keys used for the protection of cardholder data, including key strength and expiry date
• Description of the key usage for each key.
• Inventory of any HSMs and other SCDs used for key management
Responsibility: GCP and Customer (shared)
Compute / Storage / Security: Customers are responsible for maintaining appropriate data retention policies and procedures, encryption technologies and key management processes for maintaining PCI DSS requirements.
Networking: Not Applicable
Customers are also responsible for the creation, usage, and management of customer encryption keys in accordance with PCI DSS controls for these GCP Products.
Google Responsibility Summary: For customers using Cloud Key Management System (KMS) or Cloud Hardware Security Module (HSM), Google has PCI DSS compliance responsibility for dedicated internal Google Production and management network systems.

3.5.2 Restrict access to cryptographic keys to the fewest number of custodians necessary.
Responsibility: GCP and Customer (shared)
Compute / Storage / Security: Customers are responsible for maintaining appropriate data retention policies and procedures, encryption technologies and key management processes for maintaining PCI DSS requirements.
Networking: Not Applicable
Customers are also responsible for the creation, usage, and management of customer encryption keys in accordance with PCI DSS controls for these GCP Products.
Google Responsibility Summary: For customers using Cloud Key Management System (KMS) or Cloud Hardware Security Module (HSM), Google has PCI DSS compliance responsibility for dedicated internal Google Production and management network systems.

3.5.3 Store secret and private keys used to encrypt/decrypt cardholder data in one (or more) of the following forms at all times:
• Encrypted with a key-encrypting key that is at least as strong as the data-encrypting key, and that is stored separately from the data-encrypting key
• Within a secure cryptographic device (such as a hardware (host) security module (HSM) or PTS-approved point-of-interaction device)
• As at least two full-length key components or key shares, in accordance with an industry-accepted method
Note: It is not required that public keys be stored in one of these forms.
Responsibility: GCP and Customer (shared)
Compute / Storage / Security: Customers are responsible for maintaining appropriate data retention policies and procedures, encryption technologies and key management processes for maintaining PCI DSS requirements.
Networking: Not Applicable
Customers are also responsible for the creation, usage, and management of customer encryption keys in accordance with PCI DSS controls for these GCP Products.
Google Responsibility Summary: For customers using Cloud Key Management System (KMS) or Cloud Hardware Security Module (HSM), Google has PCI DSS compliance responsibility for dedicated internal Google Production and management network systems.
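As an added example (not Google's code) of the "at least two full-length key components" form in 3.5.3, together with the split knowledge and dual control that 3.6.6 requires for manual key operations, the Python below splits a data-encrypting key into XOR components for separate custodians and refuses to reassemble it unless every component is present. The check value is an assumed SHA-256 fingerprint rather than any vendor's KCV format, and the sample key is a constructed value.

```python
"""Full-length key components with split knowledge and dual control (PCI DSS 3.5.3 / 3.6.6)."""
import hashlib
import secrets
from typing import List

KEY_LEN = 32  # 256-bit data-encrypting key


def generate_key(length: int = KEY_LEN) -> bytes:
    """3.6.1: a strong key drawn from the OS CSPRNG."""
    return secrets.token_bytes(length)


def check_value(key: bytes) -> str:
    """Short fingerprint so custodians can confirm a correct reassembly without
    seeing the key. Assumed SHA-256 based; 3 bytes like a classic KCV."""
    return hashlib.sha256(b"kcv:" + key).hexdigest()[:6]


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def split_key(key: bytes, custodians: int) -> List[bytes]:
    """Split `key` into `custodians` components, each as long as the key.

    All components but the last are uniformly random and the last is the XOR
    of the key with them, so any set of custodians short of the full set holds
    only random bytes (split knowledge) and every component is needed to
    recover the key (dual control).
    """
    if custodians < 2:
        raise ValueError("split knowledge needs at least two custodians")
    components = [secrets.token_bytes(len(key)) for _ in range(custodians - 1)]
    last = key
    for component in components:
        last = _xor(last, component)
    components.append(last)
    return components


def combine_components(components: List[bytes], expected: int, kcv: str) -> bytes:
    """Reassemble the key only when the full set of components is present and
    the result matches the check value recorded at the key ceremony."""
    if expected < 2:
        raise ValueError("dual control needs at least two components")
    if len(components) != expected:
        raise ValueError(f"dual control: {expected} components required, got {len(components)}")
    length = len(components[0])
    if any(len(c) != length for c in components):
        raise ValueError("every component must be full-length")
    key = bytes(length)
    for component in components:
        key = _xor(key, component)
    if check_value(key) != kcv:
        raise ValueError("check value mismatch: a component is wrong or corrupted")
    return key


if __name__ == "__main__":
    # Constructed demonstration: three custodians, each handed one component.
    dek = generate_key()
    kcv = check_value(dek)
    parts = split_key(dek, 3)
    print("kcv", kcv, "components", [p.hex()[:8] + "..." for p in parts])
    assert combine_components(parts, 3, kcv) == dek
    try:
        combine_components(parts[:2], 3, kcv)   # two custodians are not enough
    except ValueError as err:
        print("refused:", err)
```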
3.5.4 Store cryptographic keys in the fewest possible locations.
Responsibility: GCP and Customer (shared)
Compute / Storage / Security: Customers are responsible for maintaining appropriate data retention policies and procedures, encryption technologies and key management processes for maintaining PCI DSS requirements.
Networking: Not Applicable
Customers are also responsible for the creation, usage, and management of customer encryption keys in accordance with PCI DSS controls for these GCP Products.
Google Responsibility Summary: For customers using Cloud Key Management System (KMS) or Cloud Hardware Security Module (HSM), Google has PCI DSS compliance responsibility for dedicated internal Google Production and management network systems.

3.6 Fully document and implement all key-management processes and procedures for cryptographic keys used for encryption of cardholder data, including the following:
Responsibility: GCP and Customer (shared)
Compute / Storage / Security: Customers are responsible for maintaining appropriate data retention policies and procedures, encryption technologies and key management processes for maintaining PCI DSS requirements.
Networking: Not Applicable
Customers are also responsible for the creation, usage, and management of customer encryption keys in accordance with PCI DSS controls for these GCP Products.
Google Responsibility Summary: The Cloud Key Management System (KMS) or Cloud Hardware Security Module (HSM) service has internal key management procedures that are validated to be PCI DSS compliant.

3.6.1 Generation of strong cryptographic keys
Responsibility: GCP and Customer (shared)
Compute / Storage / Security: Customers are responsible for maintaining appropriate data retention policies and procedures, encryption technologies and key management processes for maintaining PCI DSS requirements.
Networking: Not Applicable
Customers are also responsible for the creation, usage, and management of customer encryption keys in accordance with PCI DSS controls for these GCP Products.
Google Responsibility Summary: The Cloud Key Management System (KMS) or Cloud Hardware Security Module (HSM) service has internal key management procedures that are validated to be PCI DSS compliant.

3.6.2 Secure cryptographic key distribution x x Customers are responsible for Not Applicable Customers are responsible for Customers are responsible for The Cloud Key
maintaining appropriate data retention maintaining appropriate data retention maintaining appropriate data retention Management System
policies and procedures, encryption policies and procedures, encryption policies and procedures, encryption (KMS) or Cloud Hardware
technologies and key management technologies and key management technologies and key management Security Module (HSM)
processes for maintaining PCI DSS processes for maintaining PCI DSS processes for maintaining PCI DSS service has internal key
requirements. requirements. requirements. management procedures
Customers are responsible for the that are validated to be
creation, usage, and management of PCI DSS compliant.
customer encryption keys in
accordance with PCI DSS controls for
these GCP Products.
3.6.3 Secure cryptographic key storage x x Customers are responsible for Not Applicable Customers are responsible for Customers are responsible for The Cloud Key
maintaining appropriate data retention maintaining appropriate data retention maintaining appropriate data retention Management System
policies and procedures, encryption policies and procedures, encryption policies and procedures, encryption (KMS) or Cloud Hardware
technologies and key management technologies and key management technologies and key management Security Module (HSM)
processes for maintaining PCI DSS processes for maintaining PCI DSS processes for maintaining PCI DSS service has internal key
requirements. requirements. requirements. management procedures
Customers are responsible for the that are validated to be
creation, usage, and management of PCI DSS compliant.
customer encryption keys in
accordance with PCI DSS controls for
these GCP Products.
3.6.4 Cryptographic key changes for keys that have reached x x Customers are responsible for Not Applicable Customers are responsible for Customers are responsible for The Cloud Key
the end of their cryptoperiod (for example, after a defined maintaining appropriate data retention maintaining appropriate data retention maintaining appropriate data retention Management System
period of time has passed and/or after a certain amount of policies and procedures, encryption policies and procedures, encryption policies and procedures, encryption (KMS) or Cloud Hardware
cipher-text has been produced by a given key), as defined by technologies and key management technologies and key management technologies and key management Security Module (HSM)
the associated application vendor or key owner, and based processes for maintaining PCI DSS processes for maintaining PCI DSS processes for maintaining PCI DSS service has internal key
on industry best practices and guidelines (for example, NIST requirements. requirements. requirements. management procedures
Special Publication 800-57). Customers are responsible for the that are validated to be
creation, usage, and management of PCI DSS compliant.
customer encryption keys in
accordance with PCI DSS controls for
these GCP Products.
3.6.5 Retirement or replacement (for example, archiving, destruction, and/or revocation) of keys as deemed necessary when the integrity of the key has been weakened (for example, departure of an employee with knowledge of a clear-text key component), or keys are suspected of being compromised.
Note: If retired or replaced cryptographic keys need to be retained, these keys must be securely archived (for example, by using a key-encryption key). Archived cryptographic keys should only be used for decryption/verification purposes.
  Responsibility: GCP x, Customer x
  Compute: Customers are responsible for maintaining appropriate data retention policies and procedures, encryption technologies and key management processes for maintaining PCI DSS requirements. Customers are responsible for the creation, usage, and management of customer encryption keys in accordance with PCI DSS controls for these GCP Products.
  Networking: Not Applicable
  Storage: Customers are responsible for maintaining appropriate data retention policies and procedures, encryption technologies and key management processes for maintaining PCI DSS requirements.
  Security: Customers are responsible for maintaining appropriate data retention policies and procedures, encryption technologies and key management processes for maintaining PCI DSS requirements.
  Google Responsibility Summary: The Cloud Key Management System (KMS) or Cloud Hardware Security Module (HSM) service has internal key management procedures that are validated to be PCI DSS compliant.
3.6.6 If manual clear-text cryptographic key-management operations are used, these operations must be managed using split knowledge and dual control.
  Responsibility: Customer x
  Compute: Customers are responsible for maintaining appropriate data retention policies and procedures, encryption technologies and key management processes for maintaining PCI DSS requirements. Customers are responsible for the creation, usage, and management of customer encryption keys in accordance with PCI DSS controls for these GCP Products.
  Networking: Not Applicable
  Storage: Customers are responsible for maintaining appropriate data retention policies and procedures, encryption technologies and key management processes for maintaining PCI DSS requirements.
  Security: Customers are responsible for maintaining appropriate data retention policies and procedures, encryption technologies and key management processes for maintaining PCI DSS requirements.
  Google Responsibility Summary: Google does not use clear text cryptographic key management. This is a customer responsibility.
3.6.7 Prevention of unauthorized substitution of cryptographic keys.
  Responsibility: GCP x, Customer x
  Compute: Customers are responsible for maintaining appropriate data retention policies and procedures, encryption technologies and key management processes for maintaining PCI DSS requirements. Customers are responsible for the creation, usage, and management of customer encryption keys in accordance with PCI DSS controls for these GCP Products.
  Networking: Not Applicable
  Storage: Customers are responsible for maintaining appropriate data retention policies and procedures, encryption technologies and key management processes for maintaining PCI DSS requirements.
  Security: Customers are responsible for maintaining appropriate data retention policies and procedures, encryption technologies and key management processes for maintaining PCI DSS requirements.
  Google Responsibility Summary: The Cloud Key Management System (KMS) or Cloud Hardware Security Module (HSM) service has internal key management procedures that are validated to be PCI DSS compliant.
3.6.8 Requirement for cryptographic key custodians to formally acknowledge that they understand and accept their key-custodian responsibilities.
  Responsibility: Customer x
  Compute: Customers are responsible for maintaining appropriate data retention policies and procedures, encryption technologies and key management processes for maintaining PCI DSS requirements. Customers are responsible for the creation, usage, and management of customer encryption keys in accordance with PCI DSS controls for these GCP Products.
  Networking: Not Applicable
  Storage: Customers are responsible for maintaining appropriate data retention policies and procedures, encryption technologies and key management processes for maintaining PCI DSS requirements.
  Security: Customers are responsible for maintaining appropriate data retention policies and procedures, encryption technologies and key management processes for maintaining PCI DSS requirements.
  Google Responsibility Summary: Not Applicable
3.7 Ensure that security policies and operational procedures for protecting stored cardholder data are documented, in use, and known to all affected parties.
  Responsibility: Customer x
  Compute: Customers are responsible for ensuring that their policies and procedures are documented and known to all affected parties.
  Networking: Customers are responsible for ensuring that their policies and procedures are documented and known to all affected parties.
  Storage: Customers are responsible for ensuring that their policies and procedures are documented and known to all affected parties.
  Security: Customers are responsible for ensuring that their policies and procedures are documented and known to all affected parties.
  Google Responsibility Summary: Not Applicable

Table columns: PCI DSS v3.2.1 Requirements | GCP | Customer | Customers Responsibility Summary (Compute, Networking, Storage, Security) | Google Responsibility Summary
Products covered by each Customers Responsibility Summary column:
  Compute: App Engine, Bare Metal, Compute Engine, Cloud Run, Preemptible VMs, Shielded VMs
  Networking: Cloud Armor, Cloud NAT, Hybrid Connectivity, Network Intelligence Center, Network Telemetry, Service Directory, Traffic Director, Virtual Private Cloud (VPC)
  Storage: Archive Storage, Cloud Storage, Filestore, Local SSD, Persistent Disk
  Security: Access Transparency, Assured Workloads, Binary Authorization, Chronicle, Cloud Asset Inventory, Cloud Data Loss Prevention, Cloud Key Management, Firewalls, Secret Manager, Security Command Center, Shielded VMs, VPC Service Controls; Identity and Access: Cloud Identity, Identity and Access Management, Identity-Aware Proxy, Identity Platform, Managed Service for Microsoft Active Directory, Policy Intelligence, Resource Manager, Titan Security Key

Requirement 4: Encrypt transmission of cardholder data across open, public networks.
4.1 Use strong cryptography and security protocols to safeguard sensitive cardholder data during transmission over open, public networks, including the following:
• Only trusted keys and certificates are accepted.
• The protocol in use only supports secure versions or configurations.
• The encryption strength is appropriate for the encryption methodology in use.
Examples of open, public networks include but are not limited to:
• The Internet
• Wireless technologies, including 802.11 and Bluetooth
• Cellular technologies, for example, Global System for Mobile communications (GSM), Code division multiple access (CDMA)
• General Packet Radio Service (GPRS).
• Satellite communications.
  Responsibility: GCP x, Customer x
  Compute: GCP customers are responsible for strong cryptography and security protocols for connections to any storage system that is transmitting cardholder data. Customers are responsible for ensuring the data is encrypted in transit over open, public networks.
  Networking: GCP customers are responsible for strong cryptography and security protocols for connections to any storage system that is transmitting cardholder data. Customers are responsible for ensuring the data is encrypted in transit over open, public networks.
  Storage: GCP customers are responsible for strong cryptography and security protocols for connections to any storage system that is transmitting cardholder data. Customers are responsible for ensuring the data is encrypted in transit over open, public networks.
  Security: GCP customers are responsible for strong cryptography and security protocols for connections to any storage system that is transmitting cardholder data. Customers are responsible for ensuring the data is encrypted in transit over open, public networks.
  Google Responsibility Summary: Google has implemented configuration standards that comply with requirements in section 4.1 for the infrastructure underlying GCP products in scope for PCI.
4.1.1 Ensure wireless networks transmitting cardholder data or connected to the cardholder data environment, use industry best practices to implement strong encryption for authentication and transmission.
  Responsibility: Customer x
  Compute: Customers are responsible for management of their networks, including those with wireless connectivity.
  Networking: Customers are responsible for management of their networks, including those with wireless connectivity.
  Storage: Customers are responsible for management of their networks, including those with wireless connectivity.
  Security: Customers are responsible for management of their networks, including those with wireless connectivity.
  Google Responsibility Summary: Not Applicable. Any transmission of Cardholder Data over wireless networks is Customer responsibility.

4.2 Never send unprotected PANs by end-user messaging technologies (for example, e-mail, instant messaging, SMS, chat, etc.).
  Responsibility: GCP x, Customer x
  Compute: GCP customers are responsible for the use of any end-user messaging technologies for transmitting PAN.
  Networking: GCP customers are responsible for the use of any end-user messaging technologies for transmitting PAN.
  Storage: GCP customers are responsible for the use of any end-user messaging technologies for transmitting PAN.
  Security: GCP customers are responsible for the use of any end-user messaging technologies for transmitting PAN.
  Google Responsibility Summary: Google has implemented configuration standards that comply with requirements in section 4.2 for the infrastructure underlying GCP products in scope for PCI.
4.3 Ensure that security policies and operational procedures for encrypting transmissions of cardholder data are documented, in use, and known to all affected parties.
  Responsibility: Customer x
  Compute: GCP customers are responsible for ensuring that their policies and procedures are documented and known to all affected parties.
  Networking: GCP customers are responsible for ensuring that their policies and procedures are documented and known to all affected parties.
  Storage: GCP customers are responsible for ensuring that their policies and procedures are documented and known to all affected parties.
  Security: GCP customers are responsible for ensuring that their policies and procedures are documented and known to all affected parties.
  Google Responsibility Summary: Not Applicable.
Requirement 5: Use and regularly update anti-virus software or programs.
5.1 Deploy anti-virus software on all systems commonly affected by malicious software (particularly personal computers and servers).
  Responsibility: GCP x, Customer x
  Compute: GCP customers are responsible for managing anti-virus software or program for any customer-managed GCP GCE instances.
  Networking: Not Applicable
  Storage: Not Applicable
  Security: GCP customers are responsible for managing anti-virus software or program for any customer-managed GCP GCE instances.
  Google Responsibility Summary: Google is responsible for the implementation of malware protection in the underlying GCP infrastructure in compliance with this requirement. Google is not responsible for the implementation of malware protection within any customer deployed instances on GCP.
5.1.1 Ensure that anti-virus programs are capable of detecting, removing, and protecting against all known types of malicious software.
  Responsibility: GCP x, Customer x
  Compute: GCP customers are responsible for managing anti-virus software or program for any customer-managed GCP GCE instances.
  Networking: Not Applicable
  Storage: Not Applicable
  Security: GCP customers are responsible for managing anti-virus software or program for any customer-managed GCP GCE instances.
  Google Responsibility Summary: Google is responsible for the implementation of malware protection in the underlying GCP infrastructure in compliance with this requirement. Google is not responsible for the implementation of malware protection within any customer deployed instances on GCP.

5.1.2 For systems considered to be not commonly affected by malicious software, perform periodic evaluations to identify and evaluate evolving malware threats in order to confirm whether such systems continue to not require anti-virus software.
  Responsibility: GCP x, Customer x
  Compute: GCP customers are responsible for managing anti-virus software or program for any customer-managed GCP GCE instances.
  Networking: Not Applicable
  Storage: Not Applicable
  Security: GCP customers are responsible for managing anti-virus software or program for any customer-managed GCP GCE instances.
  Google Responsibility Summary: Google is responsible for the implementation of malware protection in the underlying GCP infrastructure in compliance with this requirement. Google is not responsible for the implementation of malware protection within any customer deployed instances on GCP.
5.2 Ensure that all anti-virus mechanisms are maintained as follows:
• Are kept current.
• Perform periodic scans.
• Generate audit logs which are retained per PCI DSS Requirement 10.7.
  Responsibility: GCP x, Customer x
  Compute: GCP customers are responsible for managing anti-virus software or program for any customer-managed GCP GCE instances.
  Networking: Not Applicable
  Storage: Not Applicable
  Security: GCP customers are responsible for managing anti-virus software or program for any customer-managed GCP GCE instances.
  Google Responsibility Summary: Google is responsible for the implementation of malware protection in the underlying GCP infrastructure in compliance with this requirement. Google is not responsible for the implementation of malware protection within any customer deployed instances on GCP.
5.3 Ensure that anti-virus mechanisms are actively running and cannot be disabled or altered by users, unless specifically authorized by management on a case-by-case basis for a limited time period.
Note: Anti-virus solutions may be temporarily disabled only if there is legitimate technical need, as authorized by management on a case-by-case basis. If anti-virus protection needs to be disabled for a specific purpose, it must be formally authorized. Additional security measures may also need to be implemented for the period of time during which anti-virus protection is not active.
  Responsibility: GCP x, Customer x
  Compute: GCP customers are responsible for managing anti-virus software or program for any customer-managed GCP GCE instances.
  Networking: Not Applicable
  Storage: Not Applicable
  Security: GCP customers are responsible for managing anti-virus software or program for any customer-managed GCP GCE instances.
  Google Responsibility Summary: Google is responsible for the implementation of malware protection in the underlying GCP infrastructure in compliance with this requirement. Google is not responsible for the implementation of malware protection within any customer deployed instances on GCP.
5.4 Ensure that security policies and operational procedures for protecting systems against malware are documented, in use, and known to all affected parties.
  Responsibility: Customer x
  Compute: GCP customers are responsible for ensuring that their policies and procedures are documented and known to all affected parties.
  Networking: GCP customers are responsible for ensuring that their policies and procedures are documented and known to all affected parties.
  Storage: GCP customers are responsible for ensuring that their policies and procedures are documented and known to all affected parties.
  Security: GCP customers are responsible for ensuring that their policies and procedures are documented and known to all affected parties.
  Google Responsibility Summary: Not Applicable
Requirement 6: Develop and maintain secure systems and applications.
6.1 Establish a process to identify security vulnerabilities, using reputable outside sources for security vulnerability information, and assign a risk ranking (for example, as “high,” “medium,” or “low”) to newly discovered security vulnerabilities.
Note: Risk rankings should be based on industry best practices as well as consideration of potential impact. For example, criteria for ranking vulnerabilities may include consideration of the CVSS base score, and/or the classification by the vendor, and/or type of systems affected.
Methods for evaluating vulnerabilities and assigning risk ratings will vary based on an organization’s environment and risk-assessment strategy. Risk rankings should, at a minimum, identify all vulnerabilities considered to be a “high risk” to the environment. In addition to the risk ranking, vulnerabilities may be considered “critical” if they pose an imminent threat to the environment, impact critical systems, and/or would result in a potential compromise if not addressed. Examples of critical systems may include security systems, public-facing devices and systems, databases, and other systems that store, process, or transmit cardholder data.
  Responsibility: GCP x, Customer x
  Compute: Customers are responsible for establishing a vulnerability management program to identify vulnerabilities using reputable outside sources and assign a risk ranking to those vulnerabilities affecting their GCE instances.
  Networking: Customers are responsible for establishing a vulnerability management program to identify vulnerabilities using reputable outside sources and assign a risk ranking to those vulnerabilities affecting their VPCs.
  Storage: Customers are responsible for establishing a vulnerability management program to identify vulnerabilities using reputable outside sources and assign a risk ranking to those vulnerabilities affecting GCS and in-scope buckets.
  Security: Customers are responsible for implementing a formalized vulnerability management process that includes identification of security vulnerabilities using outside sources that are reputable, and assigning a risk ranking to discovered vulnerabilities.
  Google Responsibility Summary: Google is responsible for protecting the systems and infrastructure underlying GCP from vulnerabilities in compliance with this requirement.
6.2 Ensure that all system components and software are protected from known vulnerabilities by installing applicable vendor-supplied security patches. Install critical security patches within one month of release.
  Responsibility: GCP x, Customer x
  Compute: Customers are responsible for managing the security patches of their GCE instances and installing all applicable security patches within one month of release.
  Networking: Not Applicable
  Storage: Not Applicable
  Security: Customers are responsible for implementing a formalized patch management process that includes installing all applicable security patches and those flagged as critical within one month of release.
  Google Responsibility Summary: Google is responsible for protecting the systems and infrastructure underlying GCP from vulnerabilities in compliance with this requirement.
6.3 Develop internal and external software applications (including web-based administrative access to applications) securely, as follows:
• In accordance with PCI DSS (for example, secure authentication and logging)
• Based on industry standards and/or best practices.
• Incorporating information security throughout the software-development life cycle
  Responsibility: GCP x, Customer x
  Compute: Customers are responsible to maintain software development standards aligned with PCI requirements for applications developed and deployed on customer-managed GCP GCE instances.
  Networking: Not Applicable
  Storage: Not Applicable
  Security: Customers are responsible to maintain software development standards aligned with PCI requirements for applications developed and deployed on customer-managed GCP GCE instances.
  Google Responsibility Summary: Google is responsible for protecting the systems and infrastructure underlying GCP from vulnerabilities in compliance with this requirement.
6.3.1 Remove development, test and/or custom application accounts, user IDs, and passwords before applications become active or are released to customers.
  Responsibility: GCP x, Customer x
  Compute: Customers are responsible to maintain software development standards aligned with PCI requirements for applications developed and deployed on customer-managed GCP GCE instances.
  Networking: Not Applicable
  Storage: Not Applicable
  Security: Customers are responsible to maintain software development standards aligned with PCI requirements for applications developed and deployed on customer-managed GCP GCE instances.
  Google Responsibility Summary: Google is responsible for protecting the systems and infrastructure underlying GCP from vulnerabilities in compliance with this requirement.
6.3.2 Review custom code prior to release to production or customers in order to identify any potential coding vulnerability (using either manual or automated processes) to include at least the following:
• Code changes are reviewed by individuals other than the originating code author, and by individuals knowledgeable about code-review techniques and secure coding practices.
• Code reviews ensure code is developed according to secure coding guidelines
• Appropriate corrections are implemented prior to release.
• Code-review results are reviewed and approved by management prior to release.
  Responsibility: GCP x, Customer x
  Compute: Customers are responsible to maintain software development standards aligned with PCI requirements for applications developed and deployed on customer-managed GCP GCE instances.
  Networking: Not Applicable
  Storage: Not Applicable
  Security: Customers are responsible to maintain software development standards aligned with PCI requirements for applications developed and deployed on customer-managed GCP GCE instances.
  Google Responsibility Summary: Google is responsible for protecting the systems and infrastructure underlying GCP from vulnerabilities in compliance with this requirement.
6.4 Follow change control processes and procedures for all changes to system components. The processes must include the following:
  Responsibility: Customer x
  Compute: Customers are responsible to maintain software development standards, change control processes, and vulnerability management standards aligned with PCI requirements for applications developed and deployed on customer-managed GCE instances.
  Networking: Customers must designate separate VPCs for development/test and production and enforce appropriate firewall rules ingress and egress with appropriate access controls.
  Storage: Customers must designate different GCP buckets for development/test and production. They cannot use the GCS buckets for both dev/test and production.
  Security: Customers are responsible to maintain software development standards, change control processes, and vulnerability management standards aligned with PCI requirements for applications developed and deployed on customer-managed GCE instances. IAM roles and permissions can be used to separate development and test environments.
  Google Responsibility Summary: Not Applicable
6.4.1 Separate development/test environments from production environments, and enforce the separation with access controls.
  Responsibility: Customer x
  Compute: Customers are responsible to maintain software development standards, change control processes, and vulnerability management standards aligned with PCI requirements for applications developed and deployed on customer-managed GCE instances.
  Networking: Customers must designate separate VPCs for development/test and production and enforce appropriate firewall rules ingress and egress with appropriate access controls.
  Storage: Customers must designate different GCP buckets for development/test and production. They cannot use the GCS buckets for both dev/test and production.
  Security: Customers are responsible to maintain software development standards, change control processes, and vulnerability management standards aligned with PCI requirements for applications developed and deployed on customer-managed GCE instances. IAM roles and permissions can be used to separate development and test environments.
  Google Responsibility Summary: Not Applicable
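The Networking column for 6.4 and 6.4.1 asks for separate development/test and production VPCs with ingress and egress firewall rules that keep them apart. One way a customer can check exported firewall rules for allow rules that bridge the two environments is shown below; this is an added example, not Google's code, that reads the field names of the Compute Engine firewall-rule resource (name, network, direction, sourceRanges, destinationRanges, allowed, denied, disabled), with the project names, VPC names and CIDR ranges all constructed.

```python
"""Cross-environment firewall check for dev/test versus production VPCs (added example).

Reads rules in the Compute Engine firewall-rule resource shape. The environment
map, project and VPC names, CIDR ranges and sample rules are all constructed.
"""
import ipaddress

# Constructed mapping (assumption): which VPC belongs to which environment,
# and the subnet ranges each environment uses.
ENV_BY_NETWORK = {
    "projects/example-prod/global/networks/prod-vpc": "prod",
    "projects/example-dev/global/networks/dev-vpc": "dev",
}
RANGES_BY_ENV = {
    "prod": [ipaddress.ip_network("10.10.0.0/16")],
    "dev": [ipaddress.ip_network("10.20.0.0/16")],
}


def overlaps_env(cidr, env):
    """True if the CIDR touches any range belonging to the given environment."""
    net = ipaddress.ip_network(cidr, strict=False)
    return any(net.overlaps(r) for r in RANGES_BY_ENV[env])


def cross_env_rules(rules):
    """Return (rule name, reason) pairs for allow rules that bridge dev and prod."""
    findings = []
    for rule in rules:
        # Deny rules and disabled rules cannot open a path, so they are skipped.
        if rule.get("disabled") or not rule.get("allowed"):
            continue
        env = ENV_BY_NETWORK.get(rule["network"])
        if env is None:
            findings.append((rule["name"], "VPC is not assigned to an environment"))
            continue
        other = "dev" if env == "prod" else "prod"
        direction = rule.get("direction", "INGRESS")
        # Ingress rules are scoped by source ranges, egress rules by destination ranges.
        key = "sourceRanges" if direction == "INGRESS" else "destinationRanges"
        for cidr in rule.get(key, []):
            # 0.0.0.0/0 overlaps every range, so a world-open allow is reported too.
            if overlaps_env(cidr, other):
                reason = f"{direction} allow in {env} VPC overlaps {other} ranges via {cidr}"
                findings.append((rule["name"], reason))
    return findings


PROD = "projects/example-prod/global/networks/prod-vpc"
DEV = "projects/example-dev/global/networks/dev-vpc"

# Constructed sample rules in the Compute Engine firewall resource shape.
SAMPLE_RULES = [
    {"name": "prod-allow-internal-https", "network": PROD, "direction": "INGRESS",
     "sourceRanges": ["10.10.0.0/16"], "allowed": [{"IPProtocol": "tcp", "ports": ["443"]}]},
    {"name": "prod-allow-ssh-from-dev", "network": PROD, "direction": "INGRESS",
     "sourceRanges": ["10.20.5.0/24"], "allowed": [{"IPProtocol": "tcp", "ports": ["22"]}]},
    {"name": "dev-egress-to-prod-db", "network": DEV, "direction": "EGRESS",
     "destinationRanges": ["10.10.30.0/24"], "allowed": [{"IPProtocol": "tcp", "ports": ["5432"]}]},
    {"name": "prod-deny-dev", "network": PROD, "direction": "INGRESS",
     "sourceRanges": ["10.20.0.0/16"], "denied": [{"IPProtocol": "all"}]},
    {"name": "prod-old-dev-rule", "network": PROD, "direction": "INGRESS", "disabled": True,
     "sourceRanges": ["10.20.0.0/16"], "allowed": [{"IPProtocol": "all"}]},
    {"name": "prod-allow-world", "network": PROD, "direction": "INGRESS",
     "sourceRanges": ["0.0.0.0/0"], "allowed": [{"IPProtocol": "tcp", "ports": ["443"]}]},
    {"name": "shared-vpc-unmapped", "network": "projects/example-shared/global/networks/shared-vpc",
     "direction": "INGRESS", "sourceRanges": ["10.30.0.0/16"], "allowed": [{"IPProtocol": "tcp"}]},
]

if __name__ == "__main__":
    for name, reason in cross_env_rules(SAMPLE_RULES):
        print(f"{name}: {reason}")
```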
6.4.2 Separation of duties between development/test and production environments.
  Responsibility: Customer x
  Compute: Customers are responsible to maintain software development standards, change control processes, and vulnerability management standards aligned with PCI requirements for applications developed and deployed on customer-managed GCE instances.
  Networking: Customers must designate separate VPCs for development/test and production and enforce appropriate firewall rules ingress and egress with appropriate access controls.
  Storage: Customers must designate different GCP buckets for development/test and production. They cannot use the GCS buckets for both dev/test and production.
  Security: Customers are responsible to maintain software development standards, change control processes, and vulnerability management standards aligned with PCI requirements for applications developed and deployed on customer-managed GCE instances. IAM roles and permissions can be used to separate development and test environments.
  Google Responsibility Summary: Not Applicable
6.4.3 Production data (live PANs) are not used for testing or development
  Responsibility: Customer x
  Compute: Customers are responsible to maintain software development standards, change control processes, and vulnerability management standards aligned with PCI requirements for applications developed and deployed on customer-managed GCE instances.
  Networking: Customers are responsible for ensuring production data is not used for development or testing in non-production VPCs.
  Storage: Customers are responsible for ensuring production data is not used for development or testing in non-production GCS buckets.
  Security: Customers are responsible to maintain software development standards, change control processes, and vulnerability management standards aligned with PCI requirements
  Google Responsibility Summary: Not Applicable
6.4.4 Removal of test data and accounts from system components before the system becomes active/goes into production.
  Responsibility: Customer x
  Compute: Customers are responsible to maintain software development standards, change control processes, and vulnerability management standards aligned with PCI requirements for applications developed and deployed on customer-managed GCE instances.
  Networking: Customers are responsible for removing all test data and accounts from VPCs prior to going live in production.
  Storage: Customers are responsible for removing all test data and accounts from GCS buckets and objects prior to going live in production.
  Security: Customers are responsible to maintain software development standards, change control processes, and vulnerability management standards aligned with PCI requirements
  Google Responsibility Summary: Not Applicable
6.4.5 Change control procedures must include the following:
  Responsibility: GCP x, Customer x
  Compute: Customers are responsible for configuration changes and change control processes, including documentation of impact for all changes made to GCE instances.
  Networking: Customers are responsible for configuration changes and change control processes, including documentation of impact for all changes made to in-scope VPCs.
  Storage: Customers are responsible for configuration changes and change control processes, including documentation of impact for all changes made to GCS buckets.
  Security: Customers are responsible for any custom configurations and all changes to GCP product configurations are subject to customer change control procedures. Customers are responsible to maintain software development standards, change control processes, and vulnerability management standards aligned with PCI requirements for systems components and applications developed and deployed on GCP products.
  Google Responsibility Summary: Google is responsible for protecting the systems and infrastructure underlying GCP from vulnerabilities in compliance with this requirement.
6.4.5.1 Documentation of impact.
  Responsibility: GCP x, Customer x
  Compute: Customers are responsible for configuration changes and change control processes, including documentation of impact for all changes made to GCE instances.
  Networking: Customers are responsible for configuration changes and change control processes, including documentation of impact for all changes made to in-scope VPCs.
  Storage: Customers are responsible for configuration changes and change control processes, including documentation of impact for all changes made to GCS buckets.
  Security: Customers are responsible for any custom configurations and all changes to GCP product configurations are subject to customer change control procedures. Customers are responsible to maintain software development standards, change control processes, and vulnerability management standards aligned with PCI requirements for systems components and applications developed and deployed on GCP products.
  Google Responsibility Summary: Google is responsible for protecting the systems and infrastructure underlying GCP from vulnerabilities in compliance with this requirement.
6.4.5.2 Documented change approval by authorized parties.
  Responsibility: GCP x, Customer x
  Compute: Customers are responsible for configuration changes and change control processes, including documented approval for all changes made to GCE instances.
  Networking: Customers are responsible for configuration changes and change control processes, including documented approval for all changes made to in-scope VPCs.
  Storage: Customers are responsible for configuration changes and change control processes, including documented approval for all changes made to GCS buckets.
  Security: Customers are responsible for any custom configurations and all changes to GCP product configurations are subject to customer change control procedures. Customers are responsible to maintain software development standards, change control processes, and vulnerability management standards aligned with PCI requirements for systems components and applications developed and deployed on GCP products.
  Google Responsibility Summary: Google is responsible for protecting the systems and infrastructure underlying GCP from vulnerabilities in compliance with this requirement.
6.4.5.3 Functionality testing to verify that the change does not adversely impact the security of the system.
  Responsibility: GCP x, Customer x
  Compute: Customers are responsible for configuration changes and change control processes, including functionality testing for all changes made to GCE instances.
  Networking: Customers are responsible for configuration changes and change control processes, including functionality testing for all changes made to in-scope VPCs.
  Storage: Customers are responsible for configuration changes and change control processes, including functionality testing for all changes made to GCS buckets.
  Security: Customers are responsible for any custom configurations and all changes to GCP product configurations are subject to customer change control procedures. Customers are responsible to maintain software development standards, change control processes, and vulnerability management standards aligned with PCI requirements for systems components and applications developed and deployed on GCP products.
  Google Responsibility Summary: Google is responsible for protecting the systems and infrastructure underlying GCP from vulnerabilities in compliance with this requirement.
6.4.5.4 Back-out procedures.
  Responsibility: GCP x, Customer x
  Compute: Customers are responsible for configuration changes and change control processes, including backout procedures for all changes made to GCE instances.
  Networking: Customers are responsible for configuration changes and change control processes, including backout procedures for all changes made to in-scope VPCs.
  Storage: Customers are responsible for configuration changes and change control processes, including backout procedures for all changes made to GCS buckets.
  Security: Customers are responsible for any custom configurations and all changes to GCP product configurations are subject to customer change control procedures. Customers are responsible to maintain software development standards, change control processes, and vulnerability management standards aligned with PCI requirements for systems components and applications developed and deployed on GCP products.
  Google Responsibility Summary: Google is responsible for protecting the systems and infrastructure underlying GCP from vulnerabilities in compliance with this requirement.
6.4.6 Upon completion of a significant change, all relevant PCI DSS requirements must be implemented on all new or changed systems and networks, and documentation updated as applicable.
Responsible: GCP, Customer
Compute: Customers are responsible for configuration changes and change control processes, including significant changes made to GCE instances.
Networking: Customers are responsible for configuration changes and change control processes, including significant changes made to in-scope VPCs.
Storage: Customers are responsible for configuration changes and change control processes, including significant changes made to GCS buckets.
Security: Customers are responsible for any custom configurations and all changes to GCP product configurations are subject to customer change control procedures. Customers are responsible to maintain software development standards, change control processes, and vulnerability management standards aligned with PCI requirements for systems components and applications developed and deployed on GCP products.
Google Responsibility Summary: Google is responsible for protecting the systems and infrastructure underlying GCP from vulnerabilities in compliance with this requirement.

6.5 Address common coding vulnerabilities in software-development processes as follows:
• Train developers at least annually in up-to-date secure coding techniques, including how to avoid common coding vulnerabilities.
• Develop applications based on secure coding guidelines.
Responsible: Customer
Compute, Security: Customers are responsible to maintain software development standards and train developers in secure software development practices aligned with PCI requirements for applications developed and deployed on customer-managed GCP GCE instances.
Networking, Storage: Not Applicable
Google Responsibility Summary: Not Applicable

6.5.1 Injection flaws, particularly SQL injection. Also consider OS Command Injection, LDAP and XPath injection flaws as well as other injection flaws.
Responsible: Customer
Compute, Security: Customers are responsible to maintain software development standards aligned with PCI requirements for applications developed and deployed on customer-managed GCP GCE instances.
Networking, Storage: Not Applicable
Google Responsibility Summary: Not Applicable

6.5.2 Buffer overflows
Responsible: Customer
Compute, Security: Customers are responsible to maintain software development standards aligned with PCI requirements for applications developed and deployed on customer-managed GCP GCE instances.
Networking, Storage: Not Applicable
Google Responsibility Summary: Not Applicable

6.5.3 Insecure cryptographic storage
Responsible: Customer
Compute, Security: Customers are responsible to maintain software development standards aligned with PCI requirements for applications developed and deployed on customer-managed GCP GCE instances.
Networking, Storage: Not Applicable
Google Responsibility Summary: Not Applicable
6.5.4 Insecure communications
Responsible: Customer
Compute, Security: Customers are responsible to maintain software development standards aligned with PCI requirements for applications developed and deployed on customer-managed GCP GCE instances.
Networking, Storage: Not Applicable
Google Responsibility Summary: Not Applicable

6.5.5 Improper error handling
Responsible: Customer
Compute, Security: Customers are responsible to maintain software development standards aligned with PCI requirements for applications developed and deployed on customer-managed GCP GCE instances.
Networking, Storage: Not Applicable
Google Responsibility Summary: Not Applicable

6.5.6 All “high risk” vulnerabilities identified in the vulnerability identification process (as defined in PCI DSS Requirement 6.1).
Responsible: Customer
Compute, Security: Customers are responsible to maintain software development standards aligned with PCI requirements for applications developed and deployed on customer-managed GCP GCE instances.
Networking, Storage: Not Applicable
Google Responsibility Summary: Not Applicable

6.5.7 Cross-site scripting (XSS)
Responsible: Customer
Compute, Security: Customers are responsible to maintain software development standards aligned with PCI requirements for applications developed and deployed on customer-managed GCP GCE instances.
Networking, Storage: Not Applicable
Google Responsibility Summary: Not Applicable

6.5.8 Improper access control (such as insecure direct object references, failure to restrict URL access, directory traversal, and failure to restrict user access to functions).
Responsible: Customer
Compute, Security: Customers are responsible to maintain software development standards aligned with PCI requirements for applications developed and deployed on customer-managed GCP GCE instances.
Networking, Storage: Not Applicable
Google Responsibility Summary: Not Applicable

6.5.9 Cross-site request forgery (CSRF)
Responsible: Customer
Compute, Security: Customers are responsible to maintain software development standards aligned with PCI requirements for applications developed and deployed on customer-managed GCP GCE instances.
Networking, Storage: Not Applicable
Google Responsibility Summary: Not Applicable
6.5.10 Broken authentication and session management
Responsible: Customer
Compute, Security: Customers are responsible to maintain software development standards aligned with PCI requirements for applications developed and deployed on customer-managed GCP GCE instances.
Networking, Storage: Not Applicable
Google Responsibility Summary: Not Applicable

6.6 For public-facing web applications, address new threats and vulnerabilities on an ongoing basis and ensure these applications are protected against known attacks by either of the following methods:
• Reviewing public-facing web applications via manual or automated application vulnerability security assessment tools or methods, at least annually and after any changes
• Installing an automated technical solution that detects and prevents web-based attacks (for example, a web-application firewall) in front of public-facing web applications, to continually check all traffic.
Responsible: Customer
Compute, Security: Customers are responsible for Web Application Filtering or application security reviews for web applications deployed on customer-managed GCE instances.
Networking, Storage: Not Applicable
Google Responsibility Summary: Not Applicable

6.7 Ensure that security policies and operational procedures for developing and maintaining secure systems and applications are documented, in use, and known to all affected parties.
Responsible: Customer
Compute, Networking, Storage, Security: GCP customers are responsible for ensuring that their policies and procedures are documented and known to all affected parties.
Google Responsibility Summary: Not Applicable
Customer Responsibility Summary

Columns: PCI DSS v3.2.1 Requirements | GCP | Customer | Compute | Networking | Storage | Security | Google Responsibility Summary

Products covered by each column:
Compute: App Engine, Bare Metal, Compute Engine, Cloud Run, Preemptible VMs, Shielded VMs
Networking: Cloud Armor, Cloud NAT, Hybrid Connectivity, Network Intelligence Center, Network Telemetry, Service Directory, Traffic Director, Virtual Private Cloud (VPC)
Storage: Archive Storage, Cloud Storage, Filestore, Local SSD, Persistent Disk
Security: Access Transparency, Assured Workloads, Binary Authorization, Chronicle, Cloud Asset Inventory, Cloud Data Loss Prevention, Cloud Key Management, Firewalls, Secret Manager, Security Command Center, Shielded VMs, VPC Service Controls
Security (Identity and Access): Cloud Identity, Identity and Access Management, Identity-Aware Proxy, Identity Platform, Managed Service for Microsoft Active Directory, Policy Intelligence, Resource Manager, Titan Security Key

Requirement 7: Restrict access to cardholder data by business need to know.
7.1 Limit access to system components and cardholder data to only those individuals whose job requires such access.
Responsible: GCP, Customer
Compute, Networking, Storage, Security: GCP Customers are responsible for managing access to all GCP products (GCE, VPC, GCS) that are included in their CDE. GCP provides various mechanisms for controlling access to the services including IAM for integration with corporate directories and granular access controls to the GCP Management Console.
Google Responsibility Summary: Google is responsible for implementing access controls in compliance with this requirement for the systems and infrastructure underlying GCP.

7.1.1 Define access needs for each role, including:
- System components and data resources that each role needs to access for their job function
- Level of privilege required (for example, user, administrator, etc.) for accessing resources.
Responsible: GCP, Customer
Compute, Networking, Storage, Security: GCP Customers are responsible for managing access to all GCP products (GCE, VPC, GCS) that are included in their CDE. GCP provides various mechanisms for controlling access to the services including IAM for integration with corporate directories and granular access controls to the GCP Management Console.
Google Responsibility Summary: Google is responsible for implementing access controls in compliance with this requirement for the systems and infrastructure underlying GCP.
7.1.2 Restrict access to privileged user IDs to least privileges necessary to perform job responsibilities.
Responsible: GCP, Customer
Compute, Networking, Storage, Security: GCP Customers are responsible for managing access to all GCP products (GCE, VPC, GCS) that are included in their CDE. GCP provides various mechanisms for controlling access to the services including IAM for integration with corporate directories and granular access controls to the GCP Management Console.
Google Responsibility Summary: Google is responsible for implementing access controls in compliance with this requirement for the systems and infrastructure underlying GCP.

7.1.3 Assign access based on individual personnel’s job classification and function.
Responsible: GCP, Customer
Compute, Networking, Storage, Security: GCP Customers are responsible for managing access to all GCP products (GCE, VPC, GCS) that are included in their CDE. GCP provides various mechanisms for controlling access to the services including IAM for integration with corporate directories and granular access controls to the GCP Management Console.
Google Responsibility Summary: Google is responsible for implementing access controls in compliance with this requirement for the systems and infrastructure underlying GCP.

7.1.4 Require documented approval by authorized parties specifying required privileges.
Responsible: GCP, Customer
Compute, Networking, Storage, Security: GCP Customers are responsible for managing access to all GCP products (GCE, VPC, GCS) that are included in their CDE. GCP provides various mechanisms for controlling access to the services including IAM for integration with corporate directories and granular access controls to the GCP Management Console.
Google Responsibility Summary: Google is responsible for implementing access controls in compliance with this requirement for the systems and infrastructure underlying GCP.

7.2 Establish an access control system for systems components that restricts access based on a user’s need to know, and is set to “deny all” unless specifically allowed. This access control system must include the following:
Responsible: GCP, Customer
Compute, Networking, Storage, Security: GCP Customers are responsible for managing access to all GCP products (GCE, VPC, GCS) that are included in their CDE. GCP provides various mechanisms for controlling access to the services including IAM for integration with corporate directories and granular access controls to the GCP Management Console.
Google Responsibility Summary: Google is responsible for implementing access controls in compliance with this requirement for the systems and infrastructure underlying GCP.

7.2.1 Coverage of all system components
Responsible: GCP, Customer
Compute, Networking, Storage, Security: GCP Customers are responsible for managing access to all GCP products (GCE, VPC, GCS) that are included in their CDE. GCP provides various mechanisms for controlling access to the services including IAM for integration with corporate directories and granular access controls to the GCP Management Console.
Google Responsibility Summary: Google is responsible for implementing access controls in compliance with this requirement for the systems and infrastructure underlying GCP.
7.2.2 Assignment of privileges to individuals based on job classification and function.
Responsible: GCP, Customer
Compute, Networking, Storage, Security: GCP Customers are responsible for managing access to all GCP products (GCE, VPC, GCS) that are included in their CDE. GCP provides various mechanisms for controlling access to the services including IAM for integration with corporate directories and granular access controls to the GCP Management Console.
Google Responsibility Summary: Google is responsible for implementing access controls in compliance with this requirement for the systems and infrastructure underlying GCP.

7.2.3 Default “deny-all” setting.
Responsible: GCP, Customer
Compute, Networking, Storage, Security: GCP Customers are responsible for managing access to all GCP products (GCE, VPC, GCS) that are included in their CDE. GCP provides various mechanisms for controlling access to the services including IAM for integration with corporate directories and granular access controls to the GCP Management Console.
Google Responsibility Summary: Google is responsible for implementing access controls in compliance with this requirement for the systems and infrastructure underlying GCP.

7.3 Ensure that security policies and operational procedures for restricting access to cardholder data are documented, in use, and known to all affected parties.
Responsible: Customer
Compute, Networking, Storage, Security: GCP customers are responsible for ensuring that their policies and procedures are documented and known to all affected parties.
Google Responsibility Summary: Not Applicable

Requirement 8: Identify and authenticate access to system components.
8.1 Define and implement policies and procedures to ensure x x Customers are responsible for Customers are responsible for managing Customers are responsible for managing the Customers are responsible for Google is responsible
proper user identification management for non-consumer managing the creation of user the creation of user accounts, including creation of user accounts, including GCP managing the creation of user for implementing
users and administrators on all system components as accounts, including GCP accounts. GCP accounts. This includes access accounts. This includes access controls to accounts, including GCP accounts. This access controls in
follows: This includes access controls to all in controls to all in scope GCP products all in scope GCP products (GCE, in-scope includes access controls to all in scope compliance with this
scope GCP products (GCE, in-scope (GCE, in-scope VPCs, GCS buckets and VPCs, GCS buckets and objects) as well as GCP products (GCE, in-scope VPCs, requirement for the
VPCs, GCS buckets and objects) as objects) as well as to the GCE compute to the GCE compute instances and customer GCS buckets and objects) as well as to systems and
well as to the GCE compute instances instances and customer specific specific applications. the GCE compute instances and infrastructure
and customer specific applications. applications. customer specific applications. underlying GCP.
8.1.1 Assign all users a unique ID before allowing them to x x Customers are responsible for Customers are responsible for managing Customers are responsible for managing the Customers are responsible for Google is responsible
access system components or cardholder data. managing the creation of user the creation of user accounts, including creation of user accounts, including GCP managing the creation of user for implementing
accounts, including GCP accounts. GCP accounts. This includes access accounts. This includes access controls to accounts, including GCP accounts. This access controls in
This includes access controls to all in controls to all in scope GCP products all in scope GCP products (GCE, in-scope includes access controls to all in scope compliance with this
scope GCP products (GCE, in-scope (GCE, in-scope VPCs, GCS buckets and VPCs, GCS buckets and objects) as well as GCP products (GCE, in-scope VPCs, requirement for the
VPCs, GCS buckets and objects) as objects) as well as to the GCE compute to the GCE compute instances and customer GCS buckets and objects) as well as to systems and
well as to the GCE compute instances instances and customer specific specific applications. the GCE compute instances and infrastructure
and customer specific applications. applications. customer specific applications. underlying GCP.
8.1.2 Control addition, deletion, and modification of user IDs, x x Customers are responsible for Customers are responsible for managing Customers are responsible for managing the Customers are responsible for Google is responsible
credentials, and other identifier objects. managing the creation, deletion and the creation, deletion and modification of creation, deletion and modification of user managing the creation, deletion and for implementing
modification of user accounts, user accounts, including GCP accounts. accounts, including GCP accounts. This modification of user accounts, access controls in
including GCP accounts. This includes This includes access controls to all in includes access controls to all in scope GCP including GCP accounts. This includes compliance with this
access controls to all in scope GCP scope GCP products (GCE, in-scope products (GCE, in-scope VPCs, GCS buckets access controls to all in scope GCP requirement for the
products (GCE, in-scope VPCs, GCS VPCs, GCS buckets and objects) as well and objects) as well as to the GCE compute products (GCE, in-scope VPCs, GCS systems and
buckets and objects) as well as to the as to the GCE compute instances and instances and customer specific buckets and objects) as well as to the infrastructure
GCE compute instances and customer specific applications. applications. GCE compute instances and customer underlying GCP.

For more information, visit https://cloud.google.com/security/compliance/ August 2021 33


customer specific applications. specific applications.
8.1.3 Immediately revoke access for any terminated users. x x Customers are responsible for Customers are responsible for managing Customers are responsible for managing Customers are responsible for Google is responsible
managing user accounts including user accounts including termination of user accounts including termination of managing user accounts including for implementing
termination of accounts for GCP accounts for GCP accounts. This includes accounts for GCP accounts. This includes termination of accounts for GCP access controls in
accounts. This includes access access controls to all in scope GCP access controls to all in scope GCP products accounts. This includes access compliance with this
controls to all in scope GCP products products (GCE, in-scope VPCs, GCS (GCE, in-scope VPCs, GCS buckets and controls to all in scope GCP products requirement for the
(GCE, in-scope VPCs, GCS buckets buckets and objects) as well as to the objects) as well as to the GCE compute (GCE, in-scope VPCs, GCS buckets and systems and
and objects) as well as to the GCE GCE compute instances and customer instances and customer specific objects) as well as to the GCE compute infrastructure
compute instances and customer specific applications. applications. instances and customer specific underlying GCP.
specific applications. applications.
8.1.4 Remove/disable inactive user accounts within 90 days.
Responsibility marked: customer and Google.
Customer responsibility (same text in all four customer columns): Customers are responsible for managing user accounts including removing/disabling inactive accounts within 90 days. This includes access controls to all in scope GCP products (GCE, in-scope VPCs, GCS buckets and objects) as well as to the GCE compute instances and customer specific applications.
Google responsibility: Google is responsible for implementing access controls in compliance with this requirement for the systems and infrastructure underlying GCP.

8.1.5 Manage IDs used by third parties to access, support, or maintain system components via remote access as follows:
- Enabled only during the time period needed and disabled when not in use.
- Monitored when in use.
Responsibility marked: customer only.
Customer responsibility (same text in all four customer columns): Customers are responsible for managing user accounts and all access to their CDE, including any 3rd party vendor access. This includes access controls to all in scope GCP products (GCE, in-scope VPCs, GCS buckets and objects) as well as to the GCE compute instances and customer specific applications.
Google responsibility: Not Applicable. Google does not allow any remote vendor access within the in-scope GCP environment.

8.1.6 Limit repeated access attempts by locking out the user ID after not more than six attempts.
Responsibility marked: customer and Google.
Customer responsibility (same text in all four customer columns): Customers are responsible for managing user accounts and all authentication parameters. This includes access, authentication, and authorization controls to all in scope GCP products (GCE, in-scope VPCs, GCS buckets and objects) as well as to the GCE compute instances and customer specific applications. Customers can provide access to GCP products through identity federation, leverage GCP Directory Services or use their existing third-party identity provider (IdP) to perform account lockout functions.
Google responsibility: Google is responsible for implementing access controls in compliance with this requirement for the systems and infrastructure underlying GCP. Additionally, Google is responsible for reviewing internal processes and customer/user documentation, and observing implemented processes to verify that non-consumer customer user accounts are temporarily locked-out after not more than six invalid access attempts.

8.1.7 Set the lockout duration to a minimum of 30 minutes or until an administrator enables the user ID.
Responsibility marked: customer only.
Customer responsibility (same text in all four customer columns): Customers are responsible for managing user accounts and all authentication parameters. This includes access, authentication, and authorization controls to all in scope GCP products (GCE, in-scope VPCs, GCS buckets and objects) as well as to the GCE compute instances and customer specific applications. Customers can provide access to GCP products through identity federation, leverage GCP Directory Services or use their existing third-party identity provider (IdP) to perform account lockout functions.
Google responsibility: Not Applicable. Invalid logon attempts are prevented via the use of SSH public/private key pairs and Low Overhead Authentication Service (LOAS) certificates.

8.1.8 If a session has been idle for more than 15 minutes, require the user to re-authenticate to re-activate the terminal or session.
Responsibility marked: customer and Google.
Customer responsibility (same text in all four customer columns): Customers are responsible for managing the creation of user accounts, including GCP accounts. This includes access controls to all in scope GCP products (GCE, in-scope VPCs, GCS buckets and objects) as well as to the GCE compute instances and customer specific applications. IAM customers must enforce the 15-minute idle session timeout requirement through either their external identity provider (IdP), or “before” the GCP Management Console.
Google responsibility: Google is responsible for implementing access controls in compliance with this requirement for the systems and infrastructure underlying GCP.

8.2 In addition to assigning a unique ID, ensure proper user-authentication management for non-consumer users and administrators on all system components by employing at least one of the following methods to authenticate all users:
- Something you know, such as a password or passphrase
- Something you have, such as a token device or smart card
- Something you are, such as a biometric.
Responsibility marked: customer and Google.
Customer responsibility (same text in all four customer columns): Customers are responsible for managing user accounts and all authentication parameters. This includes access, authentication, and authorization controls to all in scope GCP products (GCE, in-scope VPCs, GCS buckets and objects) as well as to the GCE compute instances and customer specific applications. Customers can provide access to GCP products through identity federation, leverage GCP Directory Services or use their existing third-party identity provider (IdP) to perform account lockout functions.
Google responsibility: Google is responsible for implementing access controls in compliance with this requirement for the systems and infrastructure underlying GCP.


8.2.1 Using strong cryptography, render all authentication credentials (such as passwords/phrases) unreadable during transmission and storage on all system components.
Responsibility marked: customer and Google.
Customer responsibility (same text in all four customer columns): Customers are responsible for the creation of accounts using their desired authentication mechanisms. For accounts managed by IAM, passwords are rendered unreadable in storage and transmission and fully managed by GCP. Customers connecting IAM to the corporate directory are responsible for rendering credentials unreadable in storage and in transit.
Google responsibility: Google is responsible for implementing access controls in compliance with this requirement for the systems and infrastructure underlying GCP.

8.2.2 Verify user identity before modifying any authentication credential, for example, performing password resets, provisioning new tokens, or generating new keys.
Responsibility marked: customer and Google.
Customer responsibility (same text in all four customer columns): Customers are responsible for managing the creation of user accounts, including GCP accounts. This includes access controls to all in scope GCP products (GCE, in-scope VPCs, GCS buckets and objects) as well as to the GCE compute instances and customer specific applications. Customers are required to have a process in place to verify user identity prior to performing any password resets, provisioning new tokens or generating new keys.
Google responsibility: Google is responsible for implementing access controls in compliance with this requirement for the systems and infrastructure underlying GCP.

8.2.3 Passwords/phrases must meet the following:
- Require a minimum length of at least seven characters.
- Contain both numeric and alphabetic characters.
Alternatively, the passwords/phrases must have complexity and strength at least equivalent to the parameters specified above.
Responsibility marked: customer and Google.
Customer responsibility (same text in all four customer columns): Customers are responsible for the creation of accounts using their desired authentication mechanisms. For accounts managed by IAM, password policies enforce minimum length and complexity requirements, which the customer must enforce to 7 characters minimum and mixed complexity. Customers can also integrate Multi-Factor Authentication provided by GCP or connect to a corporate directory service.
Google responsibility: Google is responsible for implementing access controls in compliance with this requirement for the systems and infrastructure underlying GCP.

8.2.4 Change user passwords/passphrases at least once every 90 days.
Responsibility marked: customer and Google.
Customer responsibility (same text in all four customer columns): Customers are responsible for the creation of accounts using their desired authentication mechanisms. For accounts managed by IAM, password policies enforce password rotation, which the customer must enforce to no greater than every 90 days. Customers can also integrate Multi-Factor Authentication provided by GCP or connect to a corporate directory service.
Google responsibility: Google is responsible for implementing access controls in compliance with this requirement for the systems and infrastructure underlying GCP.


8.2.5 Do not allow an individual to submit a new password/phrase that is the same as any of the last four passwords/phrases he or she has used.
Responsibility marked: customer and Google.
Customer responsibility (same text in all four customer columns): Customers are responsible for the creation of accounts using their desired authentication mechanisms. For accounts managed by IAM, password policies enforce password history, which the customer must enforce to no fewer than last 4 used. Customers can also integrate Multi-Factor Authentication provided by GCP or connect to a corporate directory service.
Google responsibility: Google is responsible for implementing access controls in compliance with this requirement for the systems and infrastructure underlying GCP.

8.2.6 Set passwords/phrases for first-time use and upon reset to a unique value for each user, and change immediately after the first use.
Responsibility marked: customer and Google.
Customer responsibility (same text in all four customer columns): Customers are responsible for the creation of accounts using their desired authentication mechanisms and enforcing password policies requiring that any first time use or reset passwords must be changed immediately. This includes IAM passwords or federated passwords to customer corporate directory service/s.
Google responsibility: Google is responsible for implementing access controls in compliance with this requirement for the systems and infrastructure underlying GCP.

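The rows for 8.1.4 through 8.2.6 above leave the concrete lockout, idle-timeout, complexity, rotation and history parameters to the customer's own identity provider. The following Python block is an added example, not code from this matrix or from Google: a minimal IdP-side account-policy engine that enforces exactly the parameters the matrix quotes (six failed attempts, 30-minute lockout, 15-minute idle timeout, 90-day inactivity and rotation, seven-character alphanumeric minimum, four-password history, forced change on first use) and keeps credentials only as salted PBKDF2 digests in line with 8.2.1. The function names, the Account model, the PBKDF2 iteration count and the sample credentials and timestamps are all constructed for illustration.

```python
# Added example (not Google's code): IdP-side policy engine for PCI DSS 8.1.4-8.2.6.
import hashlib
import hmac
import os
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

DAY = 86400
INACTIVE_DAYS = 90         # 8.1.4: disable accounts inactive for more than 90 days
MAX_FAILED_ATTEMPTS = 6    # 8.1.6: lock the user ID after not more than six attempts
LOCKOUT_SECONDS = 30 * 60  # 8.1.7: lockout lasts a minimum of 30 minutes
IDLE_SECONDS = 15 * 60     # 8.1.8: re-authenticate after 15 minutes idle
MIN_LENGTH = 7             # 8.2.3: at least seven characters, alphabetic and numeric
ROTATION_DAYS = 90         # 8.2.4: change passwords at least every 90 days
HISTORY_SIZE = 4           # 8.2.5: reject any of the last four passwords
PBKDF2_ROUNDS = 50_000     # iteration count chosen for this example only

def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """8.2.1: store only a salted PBKDF2-HMAC-SHA256 digest, never the cleartext."""
    salt = os.urandom(16) if salt is None else salt
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)

def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    return hmac.compare_digest(hash_password(password, salt)[1], digest)  # constant-time compare

def meets_complexity(password: str) -> bool:
    """8.2.3: minimum length seven, containing both alphabetic and numeric characters."""
    return len(password) >= MIN_LENGTH and bool(re.search(r"[A-Za-z]", password)) and bool(re.search(r"[0-9]", password))

@dataclass
class Account:
    user_id: str
    history: List[Tuple[bytes, bytes]] = field(default_factory=list)  # current digest is history[-1]
    password_set_at: float = 0.0
    last_activity: float = 0.0
    failed_attempts: int = 0
    locked_until: float = 0.0
    must_change: bool = True  # 8.2.6: first-use and reset passwords are changed at first login

def create_account(user_id: str, initial_password: str, now: float) -> Account:
    acct = Account(user_id, password_set_at=now, last_activity=now)
    acct.history.append(hash_password(initial_password))
    return acct

def change_password(acct: Account, new_password: str, now: float) -> str:
    if not meets_complexity(new_password):
        return "rejected_complexity"
    for salt, digest in acct.history[-HISTORY_SIZE:]:  # 8.2.5: each entry has its own salt
        if verify_password(new_password, salt, digest):
            return "rejected_reuse"
    acct.history.append(hash_password(new_password))
    acct.history = acct.history[-HISTORY_SIZE:]
    acct.password_set_at = now
    acct.must_change = False
    return "changed"

def authenticate(acct: Account, password: str, now: float) -> str:
    if now - acct.last_activity > INACTIVE_DAYS * DAY:
        return "disabled_inactive"  # 8.1.4
    if now < acct.locked_until:
        return "locked"  # 8.1.7: still inside the lockout window
    salt, digest = acct.history[-1]
    if not verify_password(password, salt, digest):
        acct.failed_attempts += 1
        if acct.failed_attempts >= MAX_FAILED_ATTEMPTS:  # 8.1.6
            acct.locked_until, acct.failed_attempts = now + LOCKOUT_SECONDS, 0
            return "locked"
        return "bad_password"
    acct.failed_attempts, acct.last_activity = 0, now
    if acct.must_change:
        return "change_required"  # 8.2.6
    if now - acct.password_set_at > ROTATION_DAYS * DAY:
        return "password_expired"  # 8.2.4
    return "ok"

def session_active(acct: Account, now: float) -> bool:
    """8.1.8: a session idle for more than 15 minutes must re-authenticate."""
    return now - acct.last_activity <= IDLE_SECONDS

def demo() -> list:
    """Walk one constructed account through the controls using a simulated clock."""
    t0 = 1_700_000_000.0  # constructed epoch timestamp
    acct = create_account("alice", "Init2021x", t0)  # constructed sample credential
    out = [authenticate(acct, "Init2021x", t0)]  # change_required (8.2.6)
    out.append(change_password(acct, "short1", t0))  # rejected_complexity (8.2.3)
    out.append(change_password(acct, "Init2021x", t0))  # rejected_reuse (8.2.5)
    out.append(change_password(acct, "Spring2021a", t0))  # changed
    for _ in range(MAX_FAILED_ATTEMPTS):
        result = authenticate(acct, "wrong-guess", t0 + 1)
    out.append(result)  # locked on the sixth failure (8.1.6)
    out.append(authenticate(acct, "Spring2021a", t0 + 10 * 60))  # still locked at 10 min (8.1.7)
    out.append(authenticate(acct, "Spring2021a", t0 + 31 * 60))  # ok once 30 min have passed
    out.append(session_active(acct, t0 + 31 * 60 + 16 * 60))  # False: 16 min idle (8.1.8)
    out.append(authenticate(acct, "Spring2021a", t0 + 60 * DAY))  # ok, activity keeps account live
    out.append(authenticate(acct, "Spring2021a", t0 + 95 * DAY))  # password_expired (8.2.4)
    out.append(authenticate(acct, "Spring2021a", t0 + 190 * DAY))  # disabled_inactive (8.1.4)
    return out
```

demo() drives a single account through the controls in order with a simulated clock, so the 30-minute lockout and the 90-day windows can be exercised without waiting. Two design points worth noting: the history check re-derives the digest with each stored entry's own salt rather than comparing a single unsalted hash, and a successful login updates last_activity before the rotation check, so an account with an expired password is reported as expired rather than as inactive.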
8.3 Secure all individual non-console administrative access and all remote access to the CDE using multi-factor authentication.
Note: Multi-factor authentication requires that a minimum of two of the three authentication methods (see Requirement 8.2 for descriptions of authentication methods) be used for authentication. Using one factor twice (for example, using two separate passwords) is not considered multi-factor authentication.
Responsibility marked: customer and Google.
Customer responsibility (same text in all four customer columns): Customers are responsible for the authentication mechanisms to the management consoles and APIs for managing their GCP Projects. GCP provides an MFA solution, Google Authenticator, to support customers meeting the requirement for Multi-Factor authentication. Customers may also select any MFA IdP they choose to meet their needs, but it must be implemented and enforced for all GCP products in-scope.
Google responsibility: Google is responsible for implementing access controls in compliance with this requirement for the systems and infrastructure underlying GCP.

8.3.1 Incorporate multi-factor authentication for all non-console access into the CDE for personnel with administrative access.
Responsibility marked: customer and Google.
Customer responsibility (same text in all four customer columns): Customers are responsible for the authentication mechanisms to the management consoles and APIs for managing their GCP Projects. GCP provides an MFA solution, Google Authenticator, to support customers meeting the requirement for Multi-Factor authentication. Customers may also select any MFA IdP they choose to meet their needs, but it must be implemented and enforced for all GCP products in-scope.
Google responsibility: Google is responsible for implementing access controls in compliance with this requirement for the systems and infrastructure underlying GCP.


8.3.2 Incorporate multi-factor authentication for all remote network access (both user and administrator, and including third-party access for support or maintenance) originating from outside the entity’s network.
Responsibility marked: customer and Google.
Customer responsibility (same text in all four customer columns): Customers are responsible for the authentication mechanisms to the management consoles and APIs for managing their GCP Projects. GCP provides an MFA solution, Google Authenticator, to support customers meeting the requirement for Multi-Factor authentication. Customers may also select any MFA IdP they choose to meet their needs, but it must be implemented and enforced for all GCP products in-scope.
Google responsibility: Google is responsible for implementing access controls in compliance with this requirement for the systems and infrastructure underlying GCP.

8.4 Document and communicate authentication procedures and policies and procedures to all users including:
- Guidance on selecting strong authentication credentials
- Guidance for how users should protect their authentication credentials
- Instructions not to reuse previously used passwords
- Instructions to change passwords if there is any suspicion the password could be compromised.
Responsibility marked: customer and Google.
Customer responsibility (same text in all four customer columns): GCP customers are responsible for ensuring that their policies and procedures are documented and known to all affected parties.
Google responsibility: Google is responsible for implementing access controls in compliance with this requirement for the systems and infrastructure underlying GCP.

8.5 Do not use group, shared, or generic IDs, passwords, or other authentication methods as follows:
- Generic user IDs are disabled or removed.
- Shared user IDs do not exist for system administration and other critical functions.
- Shared and generic user IDs are not used to administer any system components.
Responsibility marked: customer and Google.
Customer responsibility (same text in all four customer columns): Customers are responsible for managing the creation of user accounts, including GCP accounts. This includes access controls to all in scope GCP products (GCE, in-scope VPCs, GCS buckets and objects) as well as to the GCE compute instances and customer specific applications. Customers are not permitted to use any group, generic, or shared accounts as well as passwords to access the CDE. All user accounts must be unique in nature and not shared with any others.
Google responsibility: Google is responsible for implementing access controls in compliance with this requirement for the systems and infrastructure underlying GCP.

8.5.1 Additional requirement for service providers only: Service providers with remote access to customer premises (for example, for support of POS systems or servers) must use a unique authentication credential (such as a password/phrase) for each customer.
Note: This requirement is not intended to apply to shared hosting providers accessing their own hosting environment, where multiple customer environments are hosted.
Responsibility marked: customer only.
Customer responsibility (same text in all four customer columns): Customers are responsible for managing the creation of user accounts, including GCP accounts. This includes access controls to all in scope GCP products (GCE, in-scope VPCs, GCS buckets and objects) as well as to the GCE compute instances and customer specific applications. If customers are a Service Provider AND have remote access to customer premises they must use a unique authentication credential specific to each customer and not use the same credential for each customer.
Google responsibility: Not Applicable. Google does not have remote access to its customer’s premises.


For more information, visit https://cloud.google.com/security/compliance/ August 2021 38


8.6 Where other authentication mechanisms are used (for example, physical or logical security tokens, smart cards, certificates, etc.), use of these mechanisms must be assigned as follows:
- Authentication mechanisms must be assigned to an individual account and not shared among multiple accounts.
- Physical and/or logical controls must be in place to ensure only the intended account can use that mechanism to gain access.
Responsibility: Shared (GCP and Customer)
Customer responsibility (Compute, Networking, Storage, Security): Customers are responsible for the authentication mechanisms to the management consoles and APIs for managing their GCP projects. GCP provides an MFA solution, Google Authenticator, to support customers in meeting the requirement for multi-factor authentication. Customers may also select any MFA IdP they choose to meet their needs, but it must be implemented and enforced for all in-scope GCP products.
Google responsibility summary: Google is responsible for implementing access controls in compliance with this requirement for the systems and infrastructure underlying GCP.
8.7 All access to any database containing cardholder data (including access by applications, administrators, and all other users) is restricted as follows:
- All user access to, user queries of, and user actions on databases are through programmatic methods.
- Only database administrators have the ability to directly access or query databases.
- Application IDs for database applications can only be used by the applications (and not by individual users or other non-application processes).
Responsibility: Customer
Customer responsibility, Compute: Customers are responsible for managing the creation of user accounts. This includes access controls to all applications installed by the customer, including databases that may contain CHD.
Customer responsibility, Networking: Not Applicable
Customer responsibility, Storage and Security: Customers are responsible for managing the creation of user accounts. This includes access controls to all applications installed by the customer, including GCS buckets and any objects that may contain CHD.
Google responsibility summary: Not Applicable. Google does not have access to customer data in a readable format.
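The third bullet of 8.7 has a concrete meaning on GCP: the application usually reaches its database as a service account, and any principal holding an impersonation role on that service account can act as the application. The check below is an added example, not code from the Google matrix. It reads the service account's own IAM policy (the JSON shape that `gcloud iam service-accounts get-iam-policy SA --format=json` returns) and lists every non-workload principal that can act as the account. The policy, project, account and user names are constructed sample data.

```python
"""Flag individual users or groups that can act as an application's
service account (PCI DSS 8.7: application IDs are used only by the app).

Added example; not code from the Google matrix. Inspects the IAM policy
attached to the service account itself. Names below are constructed.
"""
from typing import Dict, List

# Roles on a service account that let the grantee act as it.
IMPERSONATION_ROLES = {
    "roles/iam.serviceAccountUser",          # attach to / run as the account
    "roles/iam.serviceAccountTokenCreator",  # mint tokens for the account
}

# Constructed sample: the deployer workload may run as the app, but a user
# and a group can also mint tokens for it, and an on-call user has a
# time-boxed conditional grant (policy version 3 is required for conditions).
SAMPLE_SA_POLICY = {
    "bindings": [
        {"role": "roles/iam.serviceAccountUser",
         "members": ["serviceAccount:deployer@pci-app.iam.gserviceaccount.com"]},
        {"role": "roles/iam.serviceAccountTokenCreator",
         "members": ["user:alice@example.com", "group:dba-team@example.com"]},
        {"role": "roles/iam.serviceAccountTokenCreator",
         "members": ["user:oncall@example.com"],
         "condition": {"title": "break-glass",
                       "expression": "request.time < timestamp('2021-09-01T00:00:00Z')"}},
    ],
    "etag": "BwXyZ123",
    "version": 3,
}


def is_workload(member: str) -> bool:
    """serviceAccount: and workload-identity members (principal://,
    principalSet://) are applications; user:, group:, domain:, allUsers and
    allAuthenticatedUsers are people or sets of people."""
    return member.startswith("serviceAccount:") or member.startswith("principal")


def individual_impersonators(policy: Dict) -> List[str]:
    """Return 'role member [condition: title]' for every non-workload
    principal that can act as the service account."""
    findings = []
    for binding in policy.get("bindings", []):
        if binding.get("role") not in IMPERSONATION_ROLES:
            continue
        cond = binding.get("condition", {}).get("title")
        for member in binding.get("members", []):
            if is_workload(member):
                continue
            suffix = f" [condition: {cond}]" if cond else ""
            findings.append(f"{binding['role']} {member}{suffix}")
    return findings


def app_identity_is_exclusive(policy: Dict) -> bool:
    """True when only workloads can act as the application identity."""
    return not individual_impersonators(policy)
```

Conditional grants are reported rather than ignored: a time-boxed break-glass grant is still an individual using the application ID, and the reviewer, not the script, decides whether a compensating control covers it. The check only covers the service account's own policy; the same roles granted at project, folder or organization level (and roles/owner or roles/editor, which carry actAs) also permit impersonation, so the ancestor policies must be checked too.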
8.8 Ensure that security policies and operational procedures for identification and authentication are documented, in use, and known to all affected parties.
Responsibility: Customer
Customer responsibility (Compute, Networking, Storage, Security): GCP customers are responsible for ensuring that their policies and procedures are documented and known to all affected parties.
Google responsibility summary: Not Applicable

Customer Responsibility Summary: in-scope products by column
Each requirement below is marked as the responsibility of GCP, of the Customer, or Shared (GCP and Customer). The customer responsibility columns cover the following products:
Compute: App Engine, Bare Metal, Compute Engine, Cloud Run, Preemptible VMs, Shielded VMs
Networking: Cloud Armor, Cloud NAT, Hybrid Connectivity, Network Intelligence Center, Network Telemetry, Service Directory, Traffic Director, Virtual Private Cloud (VPC)
Storage: Archive Storage, Cloud Storage, Filestore, Local SSD, Persistent Disk
Security: Access Transparency, Assured Workloads, Binary Authorization, Chronicle, Cloud Asset Inventory, Cloud Data Loss Prevention, Cloud Key Management, Firewalls, Secret Manager, Security Command Center, Shielded VMs, VPC Service Controls
Identity and Access: Cloud Identity, Identity and Access Management, Identity-Aware Proxy, Identity Platform, Managed Service for Microsoft Active Directory, Policy Intelligence, Resource Manager, Titan Security Key

Requirement 9: Restrict physical access to cardholder data.
9.1 Use appropriate facility entry controls to limit and monitor physical access to systems in the cardholder data environment.
Responsibility: GCP
Customer responsibility (Compute, Networking, Storage, Security): Not Applicable
Google responsibility summary: GCP maintains the physical security and media handling controls for GCP data centers and colocations supporting the products included in the assessment.
9.1.1 Use either video cameras or access control mechanisms (or both) to monitor individual physical access to sensitive areas. Review collected data and correlate with other entries. Store for at least three months, unless otherwise restricted by law.
Note: "Sensitive areas" refers to any data center, server room or any area that houses systems that store, process, or transmit cardholder data. This excludes public-facing areas where only point-of-sale terminals are present, such as the cashier areas in a retail store.
Responsibility: GCP
Customer responsibility (Compute, Networking, Storage, Security): Not Applicable
Google responsibility summary: GCP maintains the physical security and media handling controls for GCP data centers and colocations supporting the products included in the assessment.
9.1.2 Implement physical and/or logical controls to restrict access to publicly accessible network jacks.
For example, network jacks located in public areas and areas accessible to visitors could be disabled and only enabled when network access is explicitly authorized. Alternatively, processes could be implemented to ensure that visitors are escorted at all times in areas with active network jacks.
Responsibility: GCP
Customer responsibility (Compute, Networking, Storage, Security): Not Applicable
Google responsibility summary: GCP maintains the physical security and media handling controls for GCP data centers and colocations supporting the products included in the assessment.
9.1.3 Restrict physical access to wireless access points, gateways, handheld devices, networking/communications hardware, and telecommunication lines.
Responsibility: GCP
Customer responsibility (Compute, Networking, Storage, Security): Not Applicable
Google responsibility summary: GCP maintains the physical security and media handling controls for GCP data centers and colocations supporting the products included in the assessment.
9.2 Develop procedures to easily distinguish between onsite personnel and visitors, to include:
- Identifying onsite personnel and visitors (for example, assigning badges)
- Changes to access requirements
- Revoking or terminating onsite personnel and expired visitor identification (such as ID badges).
Responsibility: GCP
Customer responsibility (Compute, Networking, Storage, Security): Not Applicable
Google responsibility summary: GCP maintains the physical security and media handling controls for GCP data centers and colocations supporting the products included in the assessment.
9.3 Control physical access for onsite personnel to the sensitive areas as follows:
- Access must be authorized and based on individual job function.
- Access is revoked immediately upon termination, and all physical access mechanisms, such as keys, access cards, etc., are returned or disabled.
Responsibility: GCP
Customer responsibility (Compute, Networking, Storage, Security): Not Applicable
Google responsibility summary: GCP maintains the physical security and media handling controls for GCP data centers and colocations supporting the products included in the assessment.
9.4 Implement procedures to identify and authorize visitors. Procedures should include the following:
Responsibility: GCP
Customer responsibility (Compute, Networking, Storage, Security): Not Applicable
Google responsibility summary: GCP maintains the physical security and media handling controls for GCP data centers and colocations supporting the products included in the assessment.
9.4.1 Visitors are authorized before entering, and escorted at all times within areas where cardholder data is processed or maintained.
Responsibility: GCP
Customer responsibility (Compute, Networking, Storage, Security): Not Applicable
Google responsibility summary: GCP maintains the physical security and media handling controls for GCP data centers and colocations supporting the products included in the assessment.
9.4.2 Visitors are identified and given a badge or other identification that expires and that visibly distinguishes the visitors from onsite personnel.
Responsibility: GCP
Customer responsibility (Compute, Networking, Storage, Security): Not Applicable
Google responsibility summary: GCP maintains the physical security and media handling controls for GCP data centers and colocations supporting the products included in the assessment.
9.4.3 Visitors are asked to surrender the badge or identification before leaving the facility or at the date of expiration.
Responsibility: GCP
Customer responsibility (Compute, Networking, Storage, Security): Not Applicable
Google responsibility summary: GCP maintains the physical security and media handling controls for GCP data centers and colocations supporting the products included in the assessment.
9.4.4 A visitor log is used to maintain a physical audit trail of visitor activity to the facility as well as computer rooms and data centers where cardholder data is stored or transmitted. Document the visitor's name, the firm represented, and the onsite personnel authorizing physical access on the log. Retain this log for a minimum of three months, unless otherwise restricted by law.
Responsibility: GCP
Customer responsibility (Compute, Networking, Storage, Security): Not Applicable
Google responsibility summary: GCP maintains the physical security and media handling controls for GCP data centers and colocations supporting the products included in the assessment.

9.5 Physically secure all media.
Responsibility: Shared (GCP and Customer)
Customer responsibility (Compute, Networking, Storage, Security): GCP customers are responsible for backup, compliance and destruction of media outside of the GCP environment.
Google responsibility summary: GCP maintains the physical security and media handling controls for GCP data centers and colocations supporting the products included in the assessment. GCP does not store customer data on removable media.

9.5.1 Store media backups in a secure location, preferably an off-site facility, such as an alternate or backup site, or a commercial storage facility. Review the location's security at least annually.
Responsibility: Shared (GCP and Customer)
Customer responsibility (Compute, Networking, Storage, Security): GCP customers are responsible for backup, compliance and destruction of media outside of the GCP environment.
Google responsibility summary: GCP maintains the physical security and media handling controls for GCP data centers and colocations supporting the products included in the assessment. GCP does not store customer data on removable media.

9.6 Maintain strict control over the internal or external distribution of any kind of media, including the following:
Responsibility: Shared (GCP and Customer)
Customer responsibility (Compute, Networking, Storage, Security): GCP customers are responsible for backup, compliance and destruction of media outside of the GCP environment.
Google responsibility summary: GCP maintains the physical security and media handling controls for GCP data centers and colocations supporting the products included in the assessment. GCP does not store customer data on removable media.

9.6.1 Classify media so the sensitivity of the data can be determined.
Responsibility: Shared (GCP and Customer)
Customer responsibility (Compute, Networking, Storage, Security): GCP customers are responsible for backup, compliance and destruction of media outside of the GCP environment.
Google responsibility summary: GCP maintains the physical security and media handling controls for GCP data centers and colocations supporting the products included in the assessment. GCP does not store customer data on removable media.

9.6.2 Send the media by secured courier or other delivery method that can be accurately tracked.
Responsibility: Shared (GCP and Customer)
Customer responsibility (Compute, Networking, Storage, Security): GCP customers are responsible for backup, compliance and destruction of media outside of the GCP environment.
Google responsibility summary: GCP maintains the physical security and media handling controls for GCP data centers and colocations supporting the products included in the assessment. GCP does not store customer data on removable media.

9.6.3 Ensure management approves any and all media that is moved from a secured area (including when media is distributed to individuals).
Responsibility: Shared (GCP and Customer)
Customer responsibility (Compute, Networking, Storage, Security): GCP customers are responsible for backup, compliance and destruction of media outside of the GCP environment.
Google responsibility summary: GCP maintains the physical security and media handling controls for GCP data centers and colocations supporting the products included in the assessment. GCP does not store customer data on removable media.

9.7 Maintain strict control over the storage and accessibility of media.
Responsibility: Shared (GCP and Customer)
Customer responsibility (Compute, Networking, Storage, Security): GCP customers are responsible for backup, compliance and destruction of media outside of the GCP environment.
Google responsibility summary: GCP maintains the physical security and media handling controls for GCP data centers and colocations supporting the products included in the assessment. GCP does not store customer data on removable media.

9.7.1 Properly maintain inventory logs of all media and conduct media inventories at least annually.
Responsibility: Shared (GCP and Customer)
Customer responsibility (Compute, Networking, Storage, Security): GCP customers are responsible for backup, compliance and destruction of media outside of the GCP environment.
Google responsibility summary: GCP maintains the physical security and media handling controls for GCP data centers and colocations supporting the products included in the assessment. GCP does not store customer data on removable media.

9.8 Destroy media when it is no longer needed for business or legal reasons as follows:
Responsibility: Shared (GCP and Customer)
Customer responsibility (Compute, Networking, Storage, Security): GCP customers are responsible for backup, compliance and destruction of media outside of the GCP environment.
Google responsibility summary: GCP maintains the physical security and media handling controls for GCP data centers and colocations supporting the products included in the assessment. GCP does not store customer data on removable media.

9.8.1 Shred, incinerate, or pulp hard-copy materials so that cardholder data cannot be reconstructed. Secure storage containers used for materials that are to be destroyed.
Responsibility: Shared (GCP and Customer)
Customer responsibility (Compute, Networking, Storage, Security): GCP customers are responsible for backup, compliance and destruction of media outside of the GCP environment.
Google responsibility summary: GCP maintains the physical security and media handling controls for GCP data centers and colocations supporting the products included in the assessment. GCP does not store customer data on removable media.

9.8.2 Render cardholder data on electronic media unrecoverable so that cardholder data cannot be reconstructed.
Responsibility: Shared (GCP and Customer)
Customer responsibility (Compute, Networking, Storage, Security): GCP customers are responsible for backup, compliance and destruction of media outside of the GCP environment.
Google responsibility summary: GCP maintains the physical security and media handling controls for GCP data centers and colocations supporting the products included in the assessment. GCP does not store customer data on removable media.

9.9 Protect devices that capture payment card data via direct physical interaction with the card from tampering and substitution.
Note: These requirements apply to card-reading devices used in card-present transactions (that is, card swipe or dip) at the point of sale. This requirement is not intended to apply to manual key-entry components such as computer keyboards and POS keypads.
Responsibility: Customer
Customer responsibility (Compute, Networking, Storage, Security): The customer is responsible for all devices that capture payment card data via direct physical interaction with the card.
Google responsibility summary: Not Applicable
9.9.1 Maintain an up-to-date list of devices. The list should include the following:
- Make, model of device
- Location of device (for example, the address of the site or facility where the device is located)
- Device serial number or other method of unique identification.
Responsibility: Customer
Customer responsibility (Compute, Networking, Storage, Security): The customer is responsible for all devices that capture payment card data via direct physical interaction with the card.
Google responsibility summary: Not Applicable

9.9.2 Periodically inspect device surfaces to detect tampering (for example, addition of card skimmers to devices), or substitution (for example, by checking the serial number or other device characteristics to verify it has not been swapped with a fraudulent device).
Note: Examples of signs that a device might have been tampered with or substituted include unexpected attachments or cables plugged into the device, missing or changed security labels, broken or differently colored casing, or changes to the serial number or other external markings.
Responsibility: Customer
Customer responsibility (Compute, Networking, Storage, Security): The customer is responsible for all devices that capture payment card data via direct physical interaction with the card.
Google responsibility summary: Not Applicable
9.9.3 Provide training for personnel to be aware of attempted tampering or replacement of devices. Training should include the following:
- Verify the identity of any third-party persons claiming to be repair or maintenance personnel, prior to granting them access to modify or troubleshoot devices.
- Do not install, replace, or return devices without verification.
- Be aware of suspicious behavior around devices (for example, attempts by unknown persons to unplug or open devices).
- Report suspicious behavior and indications of device tampering or substitution to appropriate personnel (for example, to a manager or security officer).
Responsibility: Customer
Customer responsibility (Compute, Networking, Storage, Security): The customer is responsible for all devices that capture payment card data via direct physical interaction with the card.
Google responsibility summary: Not Applicable
9.10 Ensure that security policies and operational procedures for restricting physical access to cardholder data are documented, in use, and known to all affected parties.
Responsibility: Customer
Customer responsibility (Compute, Networking, Storage, Security): GCP customers are responsible for ensuring that their policies and procedures are documented and known to all affected parties.
Google responsibility summary: Not Applicable


Requirement 10: Track and monitor all access to network resources and cardholder data.
10.1 Implement audit trails to link all access to system components to each individual user.
Responsibility: Shared (GCP and Customer)
Customer responsibility (Compute, Networking, Storage, Security): GCP customers are responsible for configuring logging parameters where available, and for logging and monitoring their GCE and GKE instances, systems and applications in alignment with PCI DSS requirements.
Google responsibility summary: Google has PCI DSS compliance responsibility for the dedicated internal Google production and management network systems.
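"Configuring logging parameters where available" has one concrete, easily missed instance on GCP: Admin Activity audit logs are always written, but the Data Access log types (ADMIN_READ, DATA_READ, DATA_WRITE) are off by default for services such as Cloud Storage and are switched on through the auditConfigs section of the project IAM policy, the JSON that `gcloud projects get-iam-policy PROJECT --format=json` returns and `gcloud projects set-iam-policy` accepts. The script below is an added example, not code from the Google matrix; it reports the gaps for a list of in-scope services and produces the corrected policy. The sample policy, service list, project and principal names are constructed for the example.

```python
"""Check and fix Data Access audit-log settings in a GCP project IAM policy
so that reads and writes against cardholder-data services are logged
(PCI DSS 10.1 / 10.2.1).

Added example; not code from the Google matrix. Names are constructed.
"""
import copy
from typing import Dict, List, Sequence

REQUIRED_LOG_TYPES = ("ADMIN_READ", "DATA_READ", "DATA_WRITE")

# Assumption: the services that hold or front cardholder data in this CDE.
CDE_SERVICES = ("storage.googleapis.com", "sqladmin.googleapis.com")

# Constructed sample: Cloud Storage logs admin reads and data reads only,
# and an ETL service account is exempted from data-read logging.
SAMPLE_POLICY = {
    "auditConfigs": [
        {
            "service": "storage.googleapis.com",
            "auditLogConfigs": [
                {"logType": "ADMIN_READ"},
                {"logType": "DATA_READ",
                 "exemptedMembers": ["serviceAccount:etl@pci-app.iam.gserviceaccount.com"]},
            ],
        }
    ],
    "bindings": [{"role": "roles/viewer", "members": ["user:auditor@example.com"]}],
    "etag": "BwXyZ123",
    "version": 1,
}


def enabled_log_types(policy: Dict, service: str) -> Dict[str, List[str]]:
    """Map each enabled log type to its exempted members for one service.
    Per the IAM API an allServices config and a service-specific config are
    unioned: both their log types and both their exemptions apply."""
    enabled: Dict[str, List[str]] = {}
    for cfg in policy.get("auditConfigs", []):
        if cfg.get("service") in ("allServices", service):
            for entry in cfg.get("auditLogConfigs", []):
                enabled.setdefault(entry["logType"], []).extend(entry.get("exemptedMembers", []))
    return enabled


def audit_gaps(policy: Dict, services: Sequence[str] = CDE_SERVICES) -> Dict[str, List[str]]:
    """Return, per service, the missing log types and any exemptions.
    An exempted principal is a gap too: its accesses never reach the audit
    trail, so 10.2.1 cannot be reconstructed for it."""
    gaps: Dict[str, List[str]] = {}
    for svc in services:
        enabled = enabled_log_types(policy, svc)
        problems = [lt for lt in REQUIRED_LOG_TYPES if lt not in enabled]
        for lt, exempt in enabled.items():
            problems.extend(f"{lt} exempts {m}" for m in exempt)
        if problems:
            gaps[svc] = problems
    return gaps


def ensure_data_access_logs(policy: Dict, services: Sequence[str] = CDE_SERVICES,
                            keep_exemptions: bool = False) -> Dict:
    """Return a copy of the policy with all three log types enabled for
    every service and, unless keep_exemptions is set, exemptions removed.
    The etag is kept so set-iam-policy rejects the write if the policy
    changed underneath us."""
    new = copy.deepcopy(policy)
    configs = new.setdefault("auditConfigs", [])
    by_service = {c.get("service"): c for c in configs}
    for svc in services:
        cfg = by_service.get(svc)
        if cfg is None:
            cfg = {"service": svc, "auditLogConfigs": []}
            configs.append(cfg)
        present = {e["logType"]: e for e in cfg.get("auditLogConfigs", [])}
        cfg["auditLogConfigs"] = []
        for lt in REQUIRED_LOG_TYPES:
            entry = present.get(lt, {"logType": lt})
            if not keep_exemptions:
                entry.pop("exemptedMembers", None)
            cfg["auditLogConfigs"].append(entry)
    return new
```

Run it against the exported policy, review the gaps, then feed the returned policy to `gcloud projects set-iam-policy`. Data Access logs are billed as regular log volume and DATA_READ on a busy bucket is not free, which is why teams add exemptions; for in-scope services an exemption should be a documented, justified exception rather than a default, and the function treats it as a finding for that reason.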
10.2 Implement automated audit trails for all system components to reconstruct the following events:
Responsibility: Shared (GCP and Customer)
Customer responsibility (Compute, Networking, Storage, Security): GCP customers are responsible for configuring logging parameters where available, and for logging and monitoring their GCE and GKE instances, systems and applications in alignment with PCI DSS requirements.
Google responsibility summary: Google is responsible for controlling access, logging and monitoring of the systems and infrastructure underlying GCP in compliance with this requirement.
10.2.1 All individual user accesses to cardholder data
Responsibility: Customer
Customer responsibility (Compute, Networking, Storage, Security): GCP customers are responsible for configuring logging parameters where available, and for logging and monitoring their GCE and GKE instances, systems and applications in alignment with PCI DSS requirements.
Google responsibility summary: Not Applicable. Google does not store PAN, so logging user access to cardholder data is the sole responsibility of the customer.

10.2.2 All actions taken by any individual with root or administrative privileges
Responsibility: Shared (GCP and Customer)
Customer responsibility (Compute, Networking, Storage, Security): GCP customers are responsible for configuring logging parameters where available, and for logging and monitoring their GCE and GKE instances, systems and applications in alignment with PCI DSS requirements.
Google responsibility summary: Google is responsible for controlling access, logging and monitoring of the systems and infrastructure underlying GCP in compliance with this requirement.
10.2.3 Access to all audit trails
Responsibility: Shared (GCP and Customer)
Customer responsibility (Compute, Networking, Storage, Security): GCP customers are responsible for configuring logging parameters where available, and for logging and monitoring their GCE and GKE instances, systems and applications in alignment with PCI DSS requirements.
Google responsibility summary: Google is responsible for controlling access, logging and monitoring of the systems and infrastructure underlying GCP in compliance with this requirement.
10.2.4 Invalid logical access attempts x x GCP customers are responsible for GCP customers are responsible for GCP customers are responsible for GCP customers are responsible for Google is responsible for
configuring logging parameters, when configuring logging parameters, when configuring logging parameters, when configuring logging parameters, when controlling access, logging
available. available. available. available. and monitoring of the
Customers are responsible to log and Customers are responsible to log and Customers are responsible to log and Customers are responsible to log and systems and infrastructure
monitor their GCE, and GKE instances, monitor their GCE, and GKE instances, monitor their GCE, and GKE instances, monitor their GCE, and GKE instances, underlying GCP in
systems and applications in alignment systems and applications in alignment systems and applications in alignment systems and applications in alignment compliance with this
with PCI DSS requirements. with PCI DSS requirements. with PCI DSS requirements. with PCI DSS requirements. requirement.
10.2.5 Use of and changes to identification and x x GCP customers are responsible for GCP customers are responsible for GCP customers are responsible for GCP customers are responsible for Google is responsible for
authentication mechanisms—including but not limited to configuring logging parameters, when configuring logging parameters, when configuring logging parameters, when configuring logging parameters, when controlling access, logging
creation of new accounts and elevation of privileges—and all available. available. available. available. and monitoring of the
changes, additions, or deletions to accounts with root or Customers are responsible to log and Customers are responsible to log and Customers are responsible to log and Customers are responsible to log and systems and infrastructure
administrative privileges. monitor their GCE, and GKE instances, monitor their GCE, and GKE instances, monitor their GCE, and GKE instances, monitor their GCE, and GKE instances, underlying GCP in
systems and applications in alignment systems and applications in alignment systems and applications in alignment systems and applications in alignment compliance with this
with PCI DSS requirements. with PCI DSS requirements. with PCI DSS requirements. with PCI DSS requirements. requirement.
10.2.6 Initialization, stopping, or pausing of the audit logs x x GCP customers are responsible for GCP customers are responsible for GCP customers are responsible for GCP customers are responsible for Google is responsible for
configuring logging parameters, when configuring logging parameters, when configuring logging parameters, when configuring logging parameters, when controlling access, logging
available. available. available. available. and monitoring of the
Customers are responsible to log and Customers are responsible to log and Customers are responsible to log and Customers are responsible to log and systems and infrastructure
monitor their GCE, and GKE instances, monitor their GCE, and GKE instances, monitor their GCE, and GKE instances, monitor their GCE, and GKE instances, underlying GCP in
systems and applications in alignment systems and applications in alignment systems and applications in alignment systems and applications in alignment compliance with this
with PCI DSS requirements. with PCI DSS requirements. with PCI DSS requirements. with PCI DSS requirements. requirement.
10.2.7 Creation and deletion of system-level objects x x GCP customers are responsible for GCP customers are responsible for GCP customers are responsible for GCP customers are responsible for Google is responsible for
configuring logging parameters, when configuring logging parameters, when configuring logging parameters, when configuring logging parameters, when controlling access, logging
available. available. available. available. and monitoring of the
Customers are responsible to log and Customers are responsible to log and Customers are responsible to log and Customers are responsible to log and systems and infrastructure
monitor their GCE, and GKE instances, monitor their GCE, and GKE instances, monitor their GCE, and GKE instances, monitor their GCE, and GKE instances, underlying GCP in
systems and applications in alignment systems and applications in alignment systems and applications in alignment systems and applications in alignment compliance with this
with PCI DSS requirements. with PCI DSS requirements. with PCI DSS requirements. with PCI DSS requirements. requirement.
10.3 Record at least the following audit trail entries for all x x GCP customers are responsible for GCP customers are responsible for GCP customers are responsible for GCP customers are responsible for Google is responsible for
system components for each event: configuring logging parameters, when configuring logging parameters, when configuring logging parameters, when configuring logging parameters, when controlling access, logging
available. available. available. available. and monitoring of the
Customers are responsible to log and Customers are responsible to log and Customers are responsible to log and Customers are responsible to log and systems and infrastructure
monitor their GCE, and GKE instances, monitor their GCE, and GKE instances, monitor their GCE, and GKE instances, monitor their GCE, and GKE instances, underlying GCP in
systems and applications in alignment systems and applications in alignment systems and applications in alignment systems and applications in alignment compliance with this
with PCI DSS requirements. with PCI DSS requirements. with PCI DSS requirements. with PCI DSS requirements. requirement.
10.3.1 User identification
  Responsibility marks: x x
  Customer: GCP customers are responsible for configuring logging parameters, when available. Customers are responsible for logging and monitoring their GCE and GKE instances, systems and applications in alignment with PCI DSS requirements.
  Google: Google is responsible for controlling access, logging and monitoring of the systems and infrastructure underlying GCP in compliance with this requirement.

10.3.2 Type of event
  Responsibility marks: x x
  Customer: GCP customers are responsible for configuring logging parameters, when available. Customers are responsible for logging and monitoring their GCE and GKE instances, systems and applications in alignment with PCI DSS requirements.
  Google: Google is responsible for controlling access, logging and monitoring of the systems and infrastructure underlying GCP in compliance with this requirement.

10.3.3 Date and time
  Responsibility marks: x x
  Customer: GCP customers are responsible for configuring logging parameters, when available. Customers are responsible for logging and monitoring their GCE and GKE instances, systems and applications in alignment with PCI DSS requirements.
  Google: Google is responsible for controlling access, logging and monitoring of the systems and infrastructure underlying GCP in compliance with this requirement.

10.3.4 Success or failure indication
  Responsibility marks: x x
  Customer: GCP customers are responsible for configuring logging parameters, when available. Customers are responsible for logging and monitoring their GCE and GKE instances, systems and applications in alignment with PCI DSS requirements.
  Google: Google is responsible for controlling access, logging and monitoring of the systems and infrastructure underlying GCP in compliance with this requirement.

10.3.5 Origination of event
  Responsibility marks: x x
  Customer: GCP customers are responsible for configuring logging parameters, when available. Customers are responsible for logging and monitoring their GCE and GKE instances, systems and applications in alignment with PCI DSS requirements.
  Google: Google is responsible for controlling access, logging and monitoring of the systems and infrastructure underlying GCP in compliance with this requirement.

10.3.6 Identity or name of affected data, system component, or resource.
  Responsibility marks: x x
  Customer: GCP customers are responsible for configuring logging parameters, when available. Customers are responsible for logging and monitoring their GCE and GKE instances, systems and applications in alignment with PCI DSS requirements.
  Google: Google is responsible for controlling access, logging and monitoring of the systems and infrastructure underlying GCP in compliance with this requirement.

10.4 Using time-synchronization technology, synchronize all critical system clocks and times and ensure that the following is implemented for acquiring, distributing, and storing time.
  Note: One example of time synchronization technology is Network Time Protocol (NTP).
  Responsibility marks: x x
  Customer: GCP customers are responsible for appropriately managing Network Time Protocol (NTP) configuration for their GCE and GKE instances.
  Google: Google is responsible for controlling access, logging and monitoring of the systems and infrastructure underlying GCP in compliance with this requirement.
10.4.1 Critical systems have the correct and consistent time.
  Responsibility marks: x x
  Customer: GCP customers are responsible for appropriately managing Network Time Protocol (NTP) configuration for their GCE and GKE instances.
  Google: Google is responsible for controlling access, logging and monitoring of the systems and infrastructure underlying GCP in compliance with this requirement.

10.4.2 Time data is protected.
  Responsibility marks: x x
  Customer: GCP customers are responsible for appropriately managing Network Time Protocol (NTP) configuration for their GCE and GKE instances.
  Google: Google is responsible for controlling access, logging and monitoring of the systems and infrastructure underlying GCP in compliance with this requirement.

10.4.3 Time settings are received from industry-accepted time sources.
  Responsibility marks: x x
  Customer: GCP customers are responsible for appropriately managing Network Time Protocol (NTP) configuration for their GCE and GKE instances.
  Google: Google is responsible for controlling access, logging and monitoring of the systems and infrastructure underlying GCP in compliance with this requirement.

10.5 Secure audit trails so they cannot be altered.
  Responsibility marks: x x
  Customer: GCP customers are responsible for setting permissions and access controls for audit logs. Identity and Access Management (IAM) can be used to set permissions for accounts with access to online and offline log storage locations. Customers are responsible for logging and monitoring their GCE and GKE systems and instances in alignment with PCI DSS requirements.
  Google: Google is responsible for controlling access, logging and monitoring of the systems and infrastructure underlying GCP in compliance with this requirement.

10.5.1 Limit viewing of audit trails to those with a job-related need.
  Responsibility marks: x x
  Customer: GCP customers are responsible for setting permissions and access controls for audit logs. Identity and Access Management (IAM) can be used to set permissions for accounts with access to online and offline log storage locations. Customers are responsible for logging and monitoring their GCE and GKE systems and instances in alignment with PCI DSS requirements.
  Google: Google is responsible for controlling access, logging and monitoring of the systems and infrastructure underlying GCP in compliance with this requirement.
10.5.2 Protect audit trail files from unauthorized modifications.
  Responsibility marks: x x
  Customer: GCP customers are responsible for setting permissions and access controls for audit logs. Identity and Access Management (IAM) can be used to set permissions for accounts with access to online and offline log storage locations. Customers are responsible for logging and monitoring their GCE and GKE systems and instances in alignment with PCI DSS requirements.
  Google: Google is responsible for controlling access, logging and monitoring of the systems and infrastructure underlying GCP in compliance with this requirement.
10.5.3 Promptly back up audit trail files to a centralized log server or media that is difficult to alter.
  Responsibility marks: x x
  Customer: GCP customers are responsible for setting permissions and access controls for audit logs. Identity and Access Management (IAM) can be used to set permissions for accounts with access to online and offline log storage locations. Customers are responsible for logging and monitoring their GCE and GKE systems and instances in alignment with PCI DSS requirements.
  Google: Google is responsible for controlling access, logging and monitoring of the systems and infrastructure underlying GCP in compliance with this requirement.

10.5.4 Write logs for external-facing technologies onto a secure, centralized, internal log server or media device.
  Responsibility marks: x x
  Customer: GCP customers are responsible for setting permissions and access controls for audit logs. Identity and Access Management (IAM) can be used to set permissions for accounts with access to online and offline log storage locations. Customers are responsible for logging and monitoring their GCE and GKE systems and instances in alignment with PCI DSS requirements.
  Google: Google is responsible for controlling access, logging and monitoring of the systems and infrastructure underlying GCP in compliance with this requirement.

10.5.5 Use file-integrity monitoring or change-detection software on logs to ensure that existing log data cannot be changed without generating alerts (although new data being added should not cause an alert).
  Responsibility marks: x x
  Customer: GCP customers are responsible for setting permissions and access controls for audit logs. Identity and Access Management (IAM) can be used to set permissions for accounts with access to online and offline log storage locations. Customers are responsible for logging and monitoring their GCE and GKE systems and instances in alignment with PCI DSS requirements.
  Google: Google is responsible for controlling access, logging and monitoring of the systems and infrastructure underlying GCP in compliance with this requirement.

10.6 Review logs and security events for all system components to identify anomalies or suspicious activity.
  Note: Log harvesting, parsing, and alerting tools may be used to meet this Requirement.
  Responsibility marks: x x
  Customer: GCP customers are responsible for reviewing audit logs (automated or manual review), and for logging and monitoring their systems that use GCE and GKE services within their VPCs, in alignment with PCI DSS requirements.
  Google: Google is responsible for controlling access, logging and monitoring of the systems and infrastructure underlying GCP in compliance with this requirement.
10.6.1 Review the following at least daily:
  • All security events
  • Logs of all system components that store, process, or transmit CHD and/or SAD
  • Logs of all critical system components
  • Logs of all servers and system components that perform security functions (for example, firewalls, intrusion-detection systems/intrusion-prevention systems (IDS/IPS), authentication servers, e-commerce redirection servers, etc.).
  Responsibility marks: x x
  Customer: GCP customers are responsible for reviewing audit logs (automated or manual review), and for logging and monitoring their systems that use GCE and GKE services within their VPCs, in alignment with PCI DSS requirements.
  Google: Google is responsible for controlling access, logging and monitoring of the systems and infrastructure underlying GCP in compliance with this requirement.
10.6.2 Review logs of all other system components x x GCP customers are responsible for GCP customers are responsible for GCP customers are responsible for GCP customers are responsible for Google is responsible for
periodically based on the organization’s policies and risk review (automated or manual) of audit review (automated or manual) of audit review (automated or manual) of audit review (automated or manual) of auditcontrolling access, logging
management strategy, as determined by the organization’s logs, and for logging and monitoring logs, and for logging and monitoring logs, and for logging and monitoring logs, and for logging and monitoring and monitoring of the
annual risk assessment. their systems leveraging GCE, GKE their systems leveraging GCE, GKE their systems leveraging GCE, GKE their systems leveraging GCE, GKE systems and infrastructure
services within their VPCs in alignment services within their VPCs in alignment services within their VPCs in alignment services within their VPCs in alignment
underlying GCP in
with PCI DSS requirements. with PCI DSS requirements. with PCI DSS requirements. with PCI DSS requirements. compliance with this
requirement.
10.6.3 Follow up exceptions and anomalies identified during x x GCP customers are responsible for GCP customers are responsible for GCP customers are responsible for GCP customers are responsible for Google is responsible for
the review process. review (automated or manual) of audit review (automated or manual) of audit review (automated or manual) of audit review (automated or manual) of audit controlling access, logging
logs, and for logging and monitoring logs, and for logging and monitoring logs, and for logging and monitoring logs, and for logging and monitoring and monitoring of the
their systems leveraging GCE, GKE their systems leveraging GCE, GKE their systems leveraging GCE, GKE their systems leveraging GCE, GKE systems and infrastructure
services within their VPCs in alignment services within their VPCs in alignment services within their VPCs in alignment services within their VPCs in alignment underlying GCP in
with PCI DSS requirements. with PCI DSS requirements. with PCI DSS requirements. with PCI DSS requirements. compliance with this
requirement.
10.7 Retain audit trail history for at least one year, with a x x GCP customers are responsible for GCP customers are responsible for GCP customers are responsible for GCP customers are responsible for Google is responsible for
minimum of three months immediately available for analysis review (automated or manual) of audit review (automated or manual) of audit review (automated or manual) of audit review (automated or manual) of audit controlling access, logging
(for example, online, archived, or restorable from backup). logs, and for logging and monitoring logs, and for logging and monitoring logs, and for logging and monitoring logs, and for logging and monitoring and monitoring of the
their systems leveraging GCE, GKE their systems leveraging GCE, GKE their systems leveraging GCE, GKE their systems leveraging GCE, GKE systems and infrastructure
services within their VPCs in alignment services within their VPCs in alignment services within their VPCs in alignment services within their VPCs in alignment underlying GCP in
with PCI DSS requirements. with PCI DSS requirements. with PCI DSS requirements. with PCI DSS requirements. compliance with this
requirement.
10.8 Additional requirement for service providers only: Implement a process for the timely detection and reporting of failures of critical security control systems, including but not limited to failure of:
• Firewalls
• IDS/IPS
• FIM
• Anti-virus
• Physical access controls
• Logical access controls
• Audit logging mechanisms
• Segmentation controls (if used)
Responsible: GCP (x) | Customer (x)
Customer responsibility (Compute, Networking, Storage, Security and Identity): GCP customers are responsible for ensuring a process is implemented for timely detection and reporting of failures of critical security control systems.
Google responsibility: Google is responsible for controlling access, logging and monitoring of the systems and infrastructure underlying GCP in compliance with this requirement.
10.8.1 Additional requirement for service providers only: Respond to failures of any critical security controls in a timely manner. Processes for responding to failures in security controls must include:
• Restoring security functions
• Identifying and documenting the duration (date and time start to end) of the security failure
• Identifying and documenting cause(s) of failure, including root cause, and documenting remediation required to address root cause
• Identifying and addressing any security issues that arose during the failure
• Performing a risk assessment to determine whether further actions are required as a result of the security failure
• Implementing controls to prevent cause of failure from reoccurring
• Resuming monitoring of security controls
Responsible: GCP (x) | Customer (x)
Customer responsibility (Compute, Networking, Storage, Security and Identity): GCP customers are responsible for ensuring a process is implemented for timely detection and reporting of failures of critical security control systems.
Google responsibility: Google is responsible for controlling access, logging and monitoring of the systems and infrastructure underlying GCP in compliance with this requirement.

10.9 Ensure that security policies and operational procedures for monitoring all access to network resources and cardholder data are documented, in use, and known to all affected parties.
Responsible: Customer (x)
Customer responsibility (Compute, Networking, Storage, Security and Identity): GCP customers are responsible for ensuring that their policies and procedures are documented and known to all affected parties.
Google responsibility: Not Applicable

Customer Responsibility Summary
Columns: PCI DSS v3.2.1 Requirements | GCP | Customer | Compute | Networking | Storage | Security, Identity and Access | Google Responsibility Summary
Compute: App Engine, Bare Metal, Compute Engine, Cloud Run, Preemptible VMs, Shielded VMs
Networking: Cloud Armor, Cloud NAT, Hybrid Connectivity, Network Intelligence Center, Network Telemetry, Service Directory, Traffic Director, Virtual Private Cloud (VPC)
Storage: Archive Storage, Cloud Storage, Filestore, Local SSD, Persistent Disk
Security: Access Transparency, Assured Workloads, Binary Authorization, Chronicle, Cloud Asset Inventory, Cloud Data Loss Prevention, Cloud Key Management, Firewalls, Secret Manager, Security Command Center, Shielded VMs, VPC Service Controls
Identity and Access: Cloud Identity, Identity and Access Management, Identity-Aware Proxy, Identity Platform, Managed Service for Microsoft Active Directory, Policy Intelligence, Resource Manager, Titan Security Key

Requirement 11: Regularly test security systems and processes.
11.1 Implement processes to test for the presence of wireless access points (802.11), and detect and identify all authorized and unauthorized wireless access points on a quarterly basis.
Note: Methods that may be used in the process include but are not limited to wireless network scans, physical/logical inspections of system components and infrastructure, network access control (NAC), or wireless IDS/IPS. Whichever methods are used, they must be sufficient to detect and identify both authorized and unauthorized devices.
Responsible: GCP (x)
Customer responsibility (Compute, Networking, Storage, Security and Identity): Not Applicable
Google responsibility: Google is responsible for checking for the presence of unauthorized wireless access points and similar technologies within its own physical environment and in scope networks.
11.1.1 Maintain an inventory of authorized wireless access points including a documented business justification.
Responsible: GCP (x)
Customer responsibility (Compute, Networking, Storage, Security and Identity): Not Applicable
Google responsibility: Google is responsible for checking for the presence of unauthorized wireless access points and similar technologies within its own physical environment and in scope networks.

11.1.2 Implement incident response procedures in the event unauthorized wireless access points are detected.
Responsible: GCP (x)
Customer responsibility (Compute, Networking, Storage, Security and Identity): Not Applicable
Google responsibility: Google is responsible for its own incident response procedures for its environment.

11.2 Run internal and external network vulnerability scans at least quarterly and after any significant change in the network (such as new system component installations, changes in network topology, firewall rule modifications, product upgrades).
Note: Multiple scan reports can be combined for the quarterly scan process to show that all systems were scanned and all applicable vulnerabilities have been addressed. Additional documentation may be required to verify non-remediated vulnerabilities are in the process of being addressed.
For initial PCI DSS compliance, it is not required that four quarters of passing scans be completed if the assessor verifies 1) the most recent scan result was a passing scan, 2) the entity has documented policies and procedures requiring quarterly scanning, and 3) vulnerabilities noted in the scan results have been corrected as shown in a re-scan(s). For subsequent years after the initial PCI DSS review, four quarters of passing scans must have occurred.
Responsible: GCP (x) | Customer (x)
Customer responsibility (Compute, Networking, Storage, Security and Identity): GCP customers are responsible for all internal vulnerability scanning, and rescanning as needed for their GCE, GCS, and GKE instances and applications. GCP customers are responsible for all external vulnerability scanning for their GCE, GCS, and GKE instances and applications. (Note: External vulnerability scans should only include the customer endpoints, and not GCP endpoints as they are tested as part of the GCP compliance external vulnerability scans.)
Google responsibility: Google has PCI DSS compliance responsibility for dedicated internal Google Production and management network systems. Google is also responsible for scanning of Google managed API endpoints and Cloud Load Balancer IP addresses.
11.2.1 Perform quarterly internal vulnerability scans, and rescans as needed, until all “high-risk” vulnerabilities (as identified in Requirement 6.1) are resolved. Scans must be performed by qualified personnel.
Responsible: GCP (x) | Customer (x)
Customer responsibility (Compute, Networking, Storage, Security and Identity): GCP customers are responsible for all internal vulnerability scanning for their GCE, GCS, and GKE instances and applications.
Google responsibility: Google is responsible for conducting quarterly internal vulnerability scans on systems and the infrastructure underlying GCP. Google is also responsible for scanning of Google managed API endpoints and Cloud Load Balancer IP addresses.
11.2.2 Perform quarterly external vulnerability scans, via an Approved Scanning Vendor (ASV) approved by the Payment Card Industry Security Standards Council (PCI SSC). Perform rescans as needed, until passing scans are achieved.
Note: Quarterly external vulnerability scans must be performed by an Approved Scanning Vendor (ASV), approved by the Payment Card Industry Security Standards Council (PCI SSC). Refer to the ASV Program Guide published on the PCI SSC website for scan customer responsibilities, scan preparation, etc.
Responsible: GCP (x) | Customer (x)
Customer responsibility (Compute, Networking, Storage, Security and Identity): GCP customers are responsible for all external vulnerability scanning for their GCE, GCS, and GKE instances and applications. (Note: External vulnerability scans should only include the customer endpoints, and not GCP endpoints as they are tested as part of the GCP compliance external vulnerability scans.)
Google responsibility: Google is responsible for conducting quarterly external vulnerability scans on systems and the infrastructure underlying GCP. Google is also responsible for scanning of Google managed API endpoints and Cloud Load Balancer IP addresses.
11.2.3 Perform internal and external scans, and rescans as needed, after any significant change. Scans must be performed by qualified personnel.
Responsible: GCP (x) | Customer (x)
Customer responsibility (Compute, Networking, Storage, Security and Identity): GCP customers are responsible for all internal vulnerability scanning, and rescanning as needed for their GCE, GCS, and GKE instances and applications. GCP customers are responsible for all external vulnerability scanning for their GCE, GCS, and GKE instances and applications. (Note: External vulnerability scans should only include the customer endpoints, and not GCP endpoints as they are tested as part of the GCP compliance external vulnerability scans.)
Google responsibility: Google is responsible for conducting quarterly internal and external vulnerability scans on systems and the infrastructure underlying GCP. Google is also responsible for scanning of Google managed API endpoints and Cloud Load Balancer IP addresses.
11.3 Implement a methodology for penetration testing that includes at least the following:
• Is based on industry-accepted penetration testing approaches (for example, NIST SP800-115).
• Includes coverage for the entire CDE perimeter and critical systems.
• Includes testing from both inside and outside of the network.
• Includes testing to validate any segmentation and scope reduction controls.
• Defines application-layer penetration tests to include, at a minimum, the vulnerabilities listed in Requirement 6.5.
• Defines network-layer penetration tests to include components that support network functions as well as operating systems.
• Includes review and consideration of threats and vulnerabilities experienced in the last 12 months.
• Specifies retention of penetration testing results and remediation activities results.
Responsible: GCP (x) | Customer (x)
Customer responsibility (Compute, Networking, Storage, Security and Identity): GCP customers are responsible for all internal and external penetration testing for their GCE, GCS, and GKE instances and applications comprising their CDE. (Note: External penetration tests should include customer endpoints only, as GCP endpoints are included as part of its annual compliance and external penetration tests.)
Google responsibility: Google is responsible for conducting internal and external penetration testing on systems and infrastructure underlying GCP. Google is also responsible for scanning of Google managed API endpoints and Cloud Load Balancer IP addresses.
11.3.1 Perform external penetration testing at least annually and after any significant infrastructure or application upgrade or modification (such as an operating system upgrade, a sub-network added to the environment, or a web server added to the environment).
Responsible: GCP (x) | Customer (x)
Customer responsibility (Compute, Networking, Storage, Security and Identity): GCP customers are responsible for all external penetration testing for their GCE, GCS, and GKE instances and applications comprising their CDE. (Note: External penetration tests should include customer endpoints only, as GCP endpoints are included as part of its annual compliance and external penetration tests.)
Google responsibility: Google is responsible for conducting external penetration testing on systems and infrastructure underlying GCP. Google is also responsible for scanning of Google managed API endpoints and Cloud Load Balancer IP addresses.
11.3.2 Perform internal penetration testing at least annually and after any significant infrastructure or application upgrade or modification (such as an operating system upgrade, a sub-network added to the environment, or a web server added to the environment).
Responsible: GCP (x) | Customer (x)
Customer responsibility (Compute, Networking, Storage, Security and Identity): GCP customers are responsible for all internal penetration testing for their GCE, GCS, and GKE instances and applications comprising their CDE.
Google responsibility: Google is responsible for conducting internal penetration testing on systems and infrastructure underlying GCP.

11.3.3 Exploitable vulnerabilities found during penetration testing are corrected and testing is repeated to verify the corrections.
Responsible: GCP (x) | Customer (x)
Customer responsibility (Compute, Networking, Storage, Security and Identity): GCP customers are responsible for all internal and external penetration testing for their GCE, GCS, and GKE instances and applications comprising their CDE. (Note: External penetration tests should include customer endpoints only, as GCP endpoints are included as part of its annual compliance and external penetration tests.)
Google responsibility: Google is responsible for conducting internal and external penetration testing on systems and infrastructure underlying GCP.
11.3.4 If segmentation is used to isolate the CDE from other networks, perform penetration tests at least annually and after any changes to segmentation controls/methods to verify that the segmentation methods are operational and effective, and isolate all out-of-scope systems from systems in the CDE.
Responsible: GCP (x) | Customer (x)
Customer responsibility (Compute, Networking, Storage, Security and Identity): GCP customers are responsible for confirming PCI DSS scope by performing penetration testing on segmentation controls at least every six months and after any changes to segmentation controls/methods for their GCE, GCS, and GKE instances and applications.
Google responsibility: Google is responsible for conducting segmentation penetration testing on systems and infrastructure underlying GCP.
11.3.4.1 Additional requirement for service providers only: If segmentation is used, confirm PCI DSS scope by performing penetration testing on segmentation controls at least every six months and after any changes to segmentation controls/methods.
Responsible: GCP (x) | Customer (x)
Customer responsibility (Compute, Networking, Storage, Security and Identity): GCP customers are responsible for confirming PCI DSS scope by performing penetration testing on segmentation controls at least every six months and after any changes to segmentation controls/methods for their GCE, GCS, and GKE instances and applications.
Google responsibility: Google is responsible for conducting segmentation penetration testing on systems and infrastructure underlying GCP.
11.4 Use intrusion-detection and/or intrusion-prevention techniques to detect and/or prevent intrusions into the network. Monitor all traffic at the perimeter of the cardholder data environment as well as at critical points in the cardholder data environment, and alert personnel to suspected compromises. Keep all intrusion-detection and prevention engines, baselines, and signatures up to date.
Responsible: GCP (x) | Customer (x)
Customer responsibility (Compute, Networking, Storage, Security and Identity): GCP customers are responsible for implementing IDS functionality, typically using Host-based IDS (HIDS), for network segments they implement and manage.
Google responsibility: Google is responsible for intrusion detection of Google Cloud systems and infrastructure underlying GCP in compliance with this requirement.

11.5 Deploy a change-detection mechanism (for example, file-integrity monitoring tools) to alert personnel to unauthorized modification (including changes, additions and deletions) of critical system files, configuration files, or content files; and configure the software to perform critical file comparisons at least weekly.
Note: For change-detection purposes, critical files are usually those that do not regularly change, but the modification of which could indicate a system compromise or risk of compromise. Change-detection mechanisms such as file-integrity monitoring products usually come pre-configured with critical files for the related operating system. Other critical files, such as those for custom applications, must be evaluated and defined by the entity (that is, the merchant or service provider).
Responsible: GCP (x) | Customer (x)
Customer responsibility (Compute, Networking, Storage, Security and Identity): GCP customers are responsible for file integrity monitoring for their GCE, GCS, and GKE instances and applications.
Google responsibility: Google is responsible for change-detection mechanisms on the systems and infrastructure underlying GCP in compliance with this requirement.
11.5.1 Implement a process to respond to any alerts generated by the change-detection solution.
Responsible: GCP (x) | Customer (x)
Customer responsibility (Compute, Networking, Storage, Security and Identity): GCP customers are responsible for file integrity monitoring for their GCE, GCS, and GKE instances and applications.
Google responsibility: Google is responsible for change-detection mechanisms on the systems and infrastructure underlying GCP in compliance with this requirement.
11.6 Ensure that security policies and operational procedures for security monitoring and testing are documented, in use, and known to all affected parties.
Responsible: Customer (x)
Customer responsibility (Compute, Networking, Storage, Security and Identity): GCP customers are responsible for ensuring that their policies and procedures are documented and known to all affected parties.
Google responsibility: Not Applicable


Requirement 12: Maintain a policy that addresses information security for all personnel.
12.1 Establish, publish, maintain, and disseminate a security policy.
Responsible: Customer (x)
Customer responsibility (Compute, Networking, Storage, Security and Identity): GCP customers are responsible to maintain policies and processes applicable to their cardholder data environment to maintain compliance with the PCI Data Security Standards.
Google responsibility: Not Applicable
12.1.1 Review the security policy at least annually and update the policy when the environment changes.
Responsible: Customer (x)
Customer responsibility (Compute, Networking, Storage, Security and Identity): GCP customers are responsible to maintain policies and processes applicable to their cardholder data environment to maintain compliance with the PCI Data Security Standards.
Google responsibility: Not Applicable
12.2 Implement a risk-assessment process that:
- Is performed at least annually and upon significant changes to the environment (for example, acquisition, merger, relocation, etc.),
- Identifies critical assets, threats, and vulnerabilities, and
- Results in a formal, documented analysis of risk.
Examples of risk-assessment methodologies include but are not limited to OCTAVE, ISO 27005 and NIST SP 800-30.
Responsible: Customer (x)
Customer responsibility (Compute, Networking, Storage, Security and Identity): GCP customers are responsible to maintain policies and processes applicable to their cardholder data environment to maintain compliance with the PCI Data Security Standards.
Google responsibility: Not Applicable

12.3 Develop usage policies for critical technologies and define proper use of these technologies.
Note: Examples of critical technologies include, but are not limited to, remote access and wireless technologies, laptops, tablets, removable electronic media, e-mail usage and Internet usage.
Ensure these usage policies require the following:
Responsible: Customer (x)
Customer responsibility (Compute, Networking, Storage, Security and Identity): GCP customers are responsible to maintain policies and processes applicable to their cardholder data environment to maintain compliance with the PCI Data Security Standards.
Google responsibility: Not Applicable
12.3.1 Explicit approval by authorized parties x GCP customers are responsible to GCP customers are responsible to GCP customers are responsible to GCP customers are responsible to Not Applicable
maintain policies and processes maintain policies and processes maintain policies and processes maintain policies and processes
applicable to their cardholder data applicable to their cardholder data applicable to their cardholder data applicable to their cardholder data
environment to maintain compliance environment to maintain compliance environment to maintain compliance environment to maintain compliance
with the PCI Data Security Standards. with the PCI Data Security Standards. with the PCI Data Security Standards. with the PCI Data Security Standards.
12.3.2 Authentication for use of the technology x GCP customers are responsible to GCP customers are responsible to GCP customers are responsible to GCP customers are responsible to Not Applicable
maintain policies and processes maintain policies and processes maintain policies and processes maintain policies and processes
applicable to their cardholder data applicable to their cardholder data applicable to their cardholder data applicable to their cardholder data
environment to maintain compliance environment to maintain compliance environment to maintain compliance environment to maintain compliance
with the PCI Data Security Standards. with the PCI Data Security Standards. with the PCI Data Security Standards. with the PCI Data Security Standards.
12.3.3 A list of all such devices and personnel with access x GCP customers are responsible to GCP customers are responsible to GCP customers are responsible to GCP customers are responsible to Not Applicable
maintain policies and processes maintain policies and processes maintain policies and processes maintain policies and processes
applicable to their cardholder data applicable to their cardholder data applicable to their cardholder data applicable to their cardholder data
environment to maintain compliance environment to maintain compliance environment to maintain compliance environment to maintain compliance
with the PCI Data Security Standards. with the PCI Data Security Standards. with the PCI Data Security Standards. with the PCI Data Security Standards.
12.3.4 A method to accurately and readily determine owner, x GCP customers are responsible to GCP customers are responsible to GCP customers are responsible to GCP customers are responsible to Not Applicable
contact information, and purpose (for example, labeling, maintain policies and processes maintain policies and processes maintain policies and processes maintain policies and processes
coding, and/or inventorying of devices) applicable to their cardholder data applicable to their cardholder data applicable to their cardholder data applicable to their cardholder data
environment to maintain compliance environment to maintain compliance environment to maintain compliance environment to maintain compliance
with the PCI Data Security Standards. with the PCI Data Security Standards. with the PCI Data Security Standards. with the PCI Data Security Standards.
12.3.5 Acceptable uses of the technology x GCP customers are responsible to GCP customers are responsible to GCP customers are responsible to GCP customers are responsible to Not Applicable
maintain policies and processes maintain policies and processes maintain policies and processes maintain policies and processes
applicable to their cardholder data applicable to their cardholder data applicable to their cardholder data applicable to their cardholder data
environment to maintain compliance environment to maintain compliance environment to maintain compliance environment to maintain compliance
with the PCI Data Security Standards. with the PCI Data Security Standards. with the PCI Data Security Standards. with the PCI Data Security Standards.
12.3.6 Acceptable network locations for the technologies x GCP customers are responsible to GCP customers are responsible to GCP customers are responsible to GCP customers are responsible to Not Applicable
maintain policies and processes maintain policies and processes maintain policies and processes maintain policies and processes
applicable to their cardholder data applicable to their cardholder data applicable to their cardholder data applicable to their cardholder data
environment to maintain compliance environment to maintain compliance environment to maintain compliance environment to maintain compliance
with the PCI Data Security Standards. with the PCI Data Security Standards. with the PCI Data Security Standards. with the PCI Data Security Standards.
12.3.7 List of company-approved products x GCP customers are responsible to GCP customers are responsible to GCP customers are responsible to GCP customers are responsible to Not Applicable
maintain policies and processes maintain policies and processes maintain policies and processes maintain policies and processes
applicable to their cardholder data applicable to their cardholder data applicable to their cardholder data applicable to their cardholder data
environment to maintain compliance environment to maintain compliance environment to maintain compliance environment to maintain compliance
with the PCI Data Security Standards. with the PCI Data Security Standards. with the PCI Data Security Standards. with the PCI Data Security Standards.
12.3.8 Automatic disconnect of sessions for remote-access x GCP customers are responsible to GCP customers are responsible to GCP customers are responsible to GCP customers are responsible to Not Applicable
technologies after a specific period of inactivity maintain policies and processes maintain policies and processes maintain policies and processes maintain policies and processes
applicable to their cardholder data applicable to their cardholder data applicable to their cardholder data applicable to their cardholder data
environment to maintain compliance environment to maintain compliance environment to maintain compliance environment to maintain compliance
with the PCI Data Security Standards. with the PCI Data Security Standards. with the PCI Data Security Standards. with the PCI Data Security Standards.

12.3.9 Activation of remote-access technologies for vendors and business partners only when needed by vendors and business partners, with immediate deactivation after use
  x | GCP customers are responsible to maintain policies and processes applicable to their cardholder data environment to maintain compliance with the PCI Data Security Standards. (identical in all four columns) | Not Applicable

12.3.10 For personnel accessing cardholder data via remote-access technologies, prohibit the copying, moving, and storage of cardholder data onto local hard drives and removable electronic media, unless explicitly authorized for a defined business need.
Where there is an authorized business need, the usage policies must require the data be protected in accordance with all applicable PCI DSS Requirements.
  x | GCP customers are responsible to maintain policies and processes applicable to their cardholder data environment to maintain compliance with the PCI Data Security Standards. (identical in all four columns) | Not Applicable

12.4 Ensure that the security policy and procedures clearly define information security responsibilities for all personnel.
  x | GCP customers are responsible to maintain policies and processes applicable to their cardholder data environment to maintain compliance with the PCI Data Security Standards. (identical in all four columns) | Not Applicable

12.4.1 Additional requirement for service providers only: Executive management shall establish responsibility for the protection of cardholder data and a PCI DSS compliance program to include:
- Overall accountability for maintaining PCI DSS compliance
- Defining a charter for a PCI DSS compliance program and communication to executive management
  x | GCP customers are responsible to maintain policies and processes applicable to their cardholder data environment to maintain compliance with the PCI Data Security Standards. (identical in all four columns) | Not Applicable

12.5 Assign to an individual or team the following information security management responsibilities:
  x | GCP customers are responsible to maintain policies and processes applicable to their cardholder data environment to maintain compliance with the PCI Data Security Standards. (identical in all four columns) | Not Applicable

12.5.1 Establish, document, and distribute security policies and procedures.
  x | GCP customers are responsible to maintain policies and processes applicable to their cardholder data environment to maintain compliance with the PCI Data Security Standards. (identical in all four columns) | Not Applicable

12.5.2 Monitor and analyze security alerts and information, and distribute to appropriate personnel.
  x | GCP customers are responsible to maintain policies and processes applicable to their cardholder data environment to maintain compliance with the PCI Data Security Standards. (identical in all four columns) | Not Applicable

12.5.3 Establish, document, and distribute security incident response and escalation procedures to ensure timely and effective handling of all situations.
  x | GCP customers are responsible to maintain policies and processes applicable to their cardholder data environment to maintain compliance with the PCI Data Security Standards. (identical in all four columns) | Not Applicable

12.5.4 Administer user accounts, including additions, deletions, and modifications.
  x | GCP customers are responsible to maintain policies and processes applicable to their cardholder data environment to maintain compliance with the PCI Data Security Standards. (identical in all four columns) | Not Applicable

12.5.5 Monitor and control all access to data.
  x | GCP customers are responsible to maintain policies and processes applicable to their cardholder data environment to maintain compliance with the PCI Data Security Standards. (identical in all four columns) | Not Applicable

12.6 Implement a formal security awareness program to make all personnel aware of the importance of cardholder data security policy and procedures.
  x | GCP customers are responsible to maintain policies and processes applicable to their cardholder data environment to maintain compliance with the PCI Data Security Standards. (identical in all four columns) | Not Applicable

12.6.1 Educate personnel upon hire and at least annually.
Note: Methods can vary depending on the role of the personnel and their level of access to the cardholder data.
  x | GCP customers are responsible to maintain policies and processes applicable to their cardholder data environment to maintain compliance with the PCI Data Security Standards. (identical in all four columns) | Not Applicable

12.6.2 Require personnel to acknowledge at least annually that they have read and understood the security policy and procedures.
  x | GCP customers are responsible to maintain policies and processes applicable to their cardholder data environment to maintain compliance with the PCI Data Security Standards. (identical in all four columns) | Not Applicable

12.7 Screen potential personnel prior to hire to minimize the risk of attacks from internal sources. (Examples of background checks include previous employment history, criminal record, credit history, and reference checks.)
Note: For those potential personnel to be hired for certain positions such as store cashiers who only have access to one card number at a time when facilitating a transaction, this requirement is a recommendation only.
  x | GCP customers are responsible to maintain policies and processes applicable to their cardholder data environment to maintain compliance with the PCI Data Security Standards. (identical in all four columns) | Not Applicable

12.8 Maintain and implement policies and procedures to manage service providers with whom cardholder data is shared, or that could affect the security of cardholder data, as follows:
  x | GCP customers are responsible to maintain policies and processes applicable to their cardholder data environment to maintain compliance with the PCI Data Security Standards. (identical in all four columns) | Not Applicable

12.8.1 Maintain a list of service providers including a description of the service provided.
  x | GCP customers are responsible to maintain policies and processes applicable to their cardholder data environment to maintain compliance with the PCI Data Security Standards. (identical in all four columns) | Not Applicable

12.8.2 Maintain a written agreement that includes an acknowledgement that the service providers are responsible for the security of cardholder data the service providers possess or otherwise store, process or transmit on behalf of the customer, or to the extent that they could impact the security of the customer’s cardholder data environment.
Note: The exact wording of an acknowledgement will depend on the agreement between the two parties, the details of the service being provided, and the responsibilities assigned to each party. The acknowledgement does not have to include the exact wording provided in this requirement.
  x | GCP customers are responsible to maintain policies and processes applicable to their cardholder data environment to maintain compliance with the PCI Data Security Standards. (identical in all four columns) | Not Applicable
12.8.3 Ensure there is an established process for engaging service providers including proper due diligence prior to engagement.
  x | GCP customers are responsible to maintain policies and processes applicable to their cardholder data environment to maintain compliance with the PCI Data Security Standards. (identical in all four columns) | Not Applicable

12.8.4 Maintain a program to monitor service providers’ PCI DSS compliance status at least annually.
  x | GCP customers are responsible to maintain policies and processes applicable to their cardholder data environment to maintain compliance with the PCI Data Security Standards. (identical in all four columns) | Not Applicable

12.8.5 Maintain information about which PCI DSS requirements are managed by each service provider, and which are managed by the entity.
  x | GCP customers are responsible to maintain policies and processes applicable to their cardholder data environment to maintain compliance with the PCI Data Security Standards. (identical in all four columns) | Not Applicable

12.9 Additional requirement for service providers only: Service providers acknowledge in writing to customers that they are responsible for the security of cardholder data the service provider possesses or otherwise stores, processes, or transmits on behalf of the customer, or to the extent that they could impact the security of the customer’s cardholder data environment.
Note: The exact wording of an acknowledgement will depend on the agreement between the two parties, the details of the service being provided, and the responsibilities assigned to each party. The acknowledgement does not have to include the exact wording provided in this requirement.
  x | GCP customers are responsible to maintain policies and processes applicable to their cardholder data environment to maintain compliance with the PCI Data Security Standards. (identical in all four columns) | Not Applicable

12.10 Implement an incident response plan. Be prepared to respond immediately to a system breach.
  x | GCP customers are responsible to maintain policies and processes applicable to their cardholder data environment to maintain compliance with the PCI Data Security Standards. (identical in all four columns) | Not Applicable

12.10.1 Create the incident response plan to be implemented in the event of system breach. Ensure the plan addresses the following, at a minimum:
- Roles, responsibilities, and communication and contact strategies in the event of a compromise including notification of the payment brands, at a minimum
- Specific incident response procedures
- Business recovery and continuity procedures
- Data backup processes
- Analysis of legal requirements for reporting compromises
- Coverage and responses of all critical system components
- Reference or inclusion of incident response procedures from the payment brands.
  x | GCP customers are responsible to maintain policies and processes applicable to their cardholder data environment to maintain compliance with the PCI Data Security Standards. (identical in all four columns) | Not Applicable

12.10.2 Review and test the plan, including all elements listed in Requirement 12.10.1, at least annually.
  x | GCP customers are responsible to maintain policies and processes applicable to their cardholder data environment to maintain compliance with the PCI Data Security Standards. (identical in all four columns) | Not Applicable

12.10.3 Designate specific personnel to be available on a 24/7 basis to respond to alerts.
  x | GCP customers are responsible to maintain policies and processes applicable to their cardholder data environment to maintain compliance with the PCI Data Security Standards. (identical in all four columns) | Not Applicable

12.10.4 Provide appropriate training to staff with security breach response responsibilities.
  x | GCP customers are responsible to maintain policies and processes applicable to their cardholder data environment to maintain compliance with the PCI Data Security Standards. (identical in all four columns) | Not Applicable

12.10.5 Include alerts from security monitoring systems, including but not limited to intrusion-detection, intrusion-prevention, firewalls, and file-integrity monitoring systems.
  x | GCP customers are responsible to maintain policies and processes applicable to their cardholder data environment to maintain compliance with the PCI Data Security Standards. (identical in all four columns) | Not Applicable

12.10.6 Develop a process to modify and evolve the incident response plan according to lessons learned and to incorporate industry developments.
  x | GCP customers are responsible to maintain policies and processes applicable to their cardholder data environment to maintain compliance with the PCI Data Security Standards. (identical in all four columns) | Not Applicable

12.11 Additional requirement for service providers only: Perform reviews at least quarterly to confirm personnel are following security policies and operational procedures. Reviews must cover the following processes:
- Daily log reviews
- Firewall rule-set reviews
- Applying configuration standards to new systems
- Responding to security alerts
- Change management processes
  x | GCP customers are responsible to maintain policies and processes applicable to their cardholder data environment to maintain compliance with the PCI Data Security Standards. (identical in all four columns) | Not Applicable

12.11.1 Additional requirement for service providers only:
  x | GCP customers are responsible to maintain policies and processes applicable to their cardholder data environment to maintain compliance with the PCI Data Security Standards. (identical in all four columns) | Not Applicable
Maintain documentation of quarterly review process to maintain policies and processes maintain policies and processes maintain policies and processes maintain policies and processes
include: applicable to their cardholder data applicable to their cardholder data applicable to their cardholder data applicable to their cardholder data
- Documenting results of the reviews environment to maintain compliance environment to maintain compliance environment to maintain compliance environment to maintain compliance
- Review and sign-off of results by personnel assigned with the PCI Data Security Standards. with the PCI Data Security Standards. with the PCI Data Security Standards. with the PCI Data Security Standards.
responsibility for the PCI DSS compliance program



Appendix

Additional Requirements for Entities using SSL/early TLS

Requirement / PCI-DSS Requirement / Additional Customer Responsibility

A2.1 Where POS POI terminals (and the SSL/TLS termination points to which they connect) use SSL and/or early TLS, the entity must either: confirm the devices are not susceptible to any known exploits for those protocols, or have a formal Risk Mitigation and Migration Plan in place.
Additional Customer Responsibility: N/A, no POS/POI devices in scope.

A2.2 Entities with existing implementations (other than as allowed in A2.1) that use SSL and/or early TLS must have a formal Risk Mitigation and Migration Plan in place.
Additional Customer Responsibility: GCP customers are responsible for complying with this requirement for any virtual machines, applications, services or databases deployed by them on GCP.

A2.3 Additional Requirement for Service Providers Only: All service providers must provide a secure service offering by June 30, 2016.
Additional Customer Responsibility: Google has implemented controls for secure administrative access for the Google production infrastructure underlying GCP.

GCP customers are responsible for configuring their apps hosted on Google Cloud Platform such that they don't accept TLS 1.0 requests from their app users.
Example: Connections between Customer Instances and End-User

GCP customers wishing to disable 3DES or TLS 1.0 for web-based access to the covered services will need to file a support case referencing issue #73300651 and requesting 3DES or TLS 1.0 be disabled for their managed accounts. Google will then apply a policy to user accounts managed under the applicable GCP domain preventing sign-in when the user is on a connection using 3DES or TLS 1.0.
Example: Connections between Customer administrators and Google's Cloud Console

GCP customers are responsible for configuring their clients to disallow connections via TLS 1.0.
Example: Connections between Customer and their third-parties.
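As an added example of the customer-side configuration the A2.3 row calls for (this is not Google's code and not part of the matrix): a Python ssl context for a customer-hosted app that refuses TLS 1.0/1.1 handshakes and 3DES suites, the matching outbound client context for the customer's own connections to third parties, and a check that lists anything still negotiable so a reviewer can confirm the policy took effect. The cipher string and the legacy-marker list are this example's choices, not values the document specifies; the "legacy" context in the demo is constructed to show what the check reports on an implementation that still allows TLS 1.0.

```python
"""Added example, not part of Google's matrix: TLS contexts that refuse
TLS 1.0/1.1 and 3DES, plus a check that reports what is still negotiable."""
import ssl

# Substrings that identify suites the A2 requirements ask customers to retire
# (OpenSSL names 3DES suites "DES-CBC3-..."); the list is this example's choice.
LEGACY_CIPHER_MARKERS = ("DES-CBC3", "3DES", "RC4", "NULL", "MD5")

# Forward-secret AEAD suites only, with 3DES and other legacy families excluded
# explicitly so the policy holds even on an OpenSSL build whose DEFAULT list
# still carries them. Assumed policy string, not taken from the document.
CIPHER_POLICY = "ECDHE+AESGCM:ECDHE+CHACHA20:!3DES:!RC4:!MD5:!aNULL:!eNULL"


def hardened_server_context(certfile=None, keyfile=None):
    """Server-side context for a customer app that must not accept TLS 1.0
    requests from its users (A2.3, customer instances <-> end users)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # TLS 1.0 and 1.1 handshakes are rejected
    ctx.set_ciphers(CIPHER_POLICY)
    if certfile:  # the served certificate is the deployment's own; none is bundled here
        ctx.load_cert_chain(certfile, keyfile)
    return ctx


def hardened_client_context():
    """Client-side context for the customer's own outbound connections to
    third parties (A2.3, customer <-> third parties)."""
    ctx = ssl.create_default_context()  # keeps certificate and hostname verification on
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers(CIPHER_POLICY)
    return ctx


def weak_cipher_names(names):
    """Return the cipher-suite names that match a legacy marker."""
    return [n for n in names if any(m in n for m in LEGACY_CIPHER_MARKERS)]


def context_findings(ctx):
    """Describe what a reviewer would object to in ctx; an empty list is clean.
    TLS 1.3 suites (TLS_AES_*, TLS_CHACHA20_*) are always listed by OpenSSL and
    never match a marker, so they do not produce findings."""
    findings = []
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("minimum protocol version below TLS 1.2: %s" % ctx.minimum_version.name)
    for name in weak_cipher_names(c["name"] for c in ctx.get_ciphers()):
        findings.append("legacy cipher suite enabled: " + name)
    return findings


if __name__ == "__main__":
    # Constructed "existing implementation" in the sense of A2.2: TLS 1.0 still on.
    legacy = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    try:
        legacy.minimum_version = ssl.TLSVersion.TLSv1
    except ValueError:
        pass  # this OpenSSL build refuses TLS 1.0 outright, which is the desired end state
    print("legacy context:  ", context_findings(legacy))
    print("hardened server: ", context_findings(hardened_server_context()))
    print("hardened client: ", context_findings(hardened_client_context()))
```

The check inspects the context's own configuration rather than probing a live endpoint, so it can run in CI before deployment; the same `context_findings` call applied to whatever context a framework builds is a cheap way to catch a default that silently re-enables TLS 1.0 or 3DES on an older OpenSSL.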



Product Specific Customer Considerations

Product / Requirement / PCI-DSS Requirement / Additional Customer Responsibility

Google App Engine, A2.3 Additional Requirement for Service Providers Only: All service providers must provide a secure service offering by June 30, 2016.
Additional Customer Responsibility: GCP App Engine customers can file a support ticket to disable TLS 1.0 for their custom domain. It is a customer responsibility to re-route HTTPS requests from their *.appspot.com address to their custom domain.
