
 

Google Cloud Platform: Shared Responsibility Matrix

April 2019

Introduction 3
Definitions 4

PCI DSS Responsibility Matrix 5

Requirement 1: Install and Maintain a Firewall Configuration to Protect Cardholder Data 5
Requirement 2: Do Not Use Vendor Supplied Defaults for System Passwords and Other Security 12
Requirement 3: Protect Stored Cardholder Data 15
Product Specific Customer Considerations 23
Requirement 4: Encrypt Transmission of Cardholder Data Across Open, Public Networks 26
Product Specific Customer Considerations 27
Requirement 5: Protect all Systems Against Malware and Regularly Update Anti-Virus Software or Programs 28
Requirement 6: Develop and Maintain Secure Systems and Applications 31
Product Specific Customer Considerations 37
Requirement 7: Restrict Access to Cardholders Data by Business Need to Know 39
Product Specific Customer Considerations 41
Requirement 8: Identify and Authenticate Access to System Components 42
Product Specific Customer Considerations 48
Requirement 9: Restrict Physical Access to Cardholder Data 50
Requirement 10: Track and Monitor all Access to Network Resources and Cardholder Data 56
Product Specific Customer Considerations 64
Requirement 11: Regularly Test Security Systems and Processes 65
Product Specific Customer Considerations 70
Requirement 12: Maintain Policy that Addresses Information Security for all Personnel 71

Appendix 82
Additional Requirements for Entities using SSL/early TLS 82

Google Cloud Platform - Shared Responsibility Matrix - December 2019  2/87

Introduction

Google Cloud Platform (GCP) was designed with security as a core design component. Google uses a variety of technologies and processes to secure information stored on Google servers. Google has performed independent validation on the Payment Card Industry Data Security Standard (PCI DSS) requirements that apply to GCP technologies and infrastructure managed by Google. Google offers customers a great deal of control over their instances running on Google’s infrastructure. Google does not control security on the operating system, packages or applications that are deployed by customers on GCP. It is the customer’s responsibility to comply with the requirements of PCI DSS that relate to operating systems, packages and applications deployed by the customer, or to the customer’s configurations in multi-cloud or hybrid cloud models outside the GCP boundary.

GCP adheres to the PCI DSS requirements set forth for a Level 1 Service Provider. This document outlines each requirement that Google complies with on behalf of customers that use GCP to deliver PCI-compliant products and services. If a requirement is not included in this document, that indicates that GCP is not performing the requirement on behalf of its clients. With respect to the cloud hosting services which GCP delivers to its customers, responsibility for the various requirements associated with PCI DSS varies. Some requirements are the sole responsibility of GCP, some requirements are the sole responsibility of the customer, and some requirements are a shared responsibility between both parties. GCP’s support for PCI DSS does not apply to customer activities outside the GCP boundary.

We recommend that customers reference the responsibility matrix in this document as they pursue PCI compliance and find it a useful tool when conducting their own PCI audits.

 
 
 
 
 
 
 
 
 
 
 
 

 
Definitions 
 

Google
    The service provider.

Google Cloud Platform (GCP) responsibility
    The requirement in question is the responsibility of, and implemented by, Google. A Qualified Security Assessor has assessed and validated these requirements and found GCP to be compliant with PCI-DSS v3.2.1. These requirements, which support the Customer’s PCI-DSS efforts but the Customer cannot manage directly, are the sole responsibility of GCP.

Customer responsibility
    The requirement in question is the responsibility of, and implemented by, the customer. These requirements were not applicable to Google Cloud services as they are designed and these are the customer responsibilities. Customers of GCP bear sole responsibility to meet their own PCI DSS compliance for these requirements.

Shared responsibility
    Both the customer and Google are responsible for implementing parts of the requirement. A Qualified Security Assessor has assessed and validated these specific requirements and found GCP to be compliant with PCI-DSS v3.2.1. However, Customers of GCP share some responsibility and must take action in order to meet their own PCI DSS compliance for these requirements.

Service Provider
    The Service Provider, as defined by the requirement, is Google.

POS
    Point of Sale

PCI DSS
    Payment Card Industry Data Security Standard

 

PCI DSS Responsibility Matrix 


 

Requirement 1: Install and Maintain a Firewall Configuration to Protect Cardholder Data


 

Requirement  Description  GCP   Customer  

1.1  Establish and implement firewall and router configuration standards that include the following:
     GCP: Google’s internal production network and systems have been assessed against and comply with this requirement.
     Customer: GCP customers are responsible for implementing the processes and procedures necessary to ensure that all network connections, inbound and outbound traffic on any customer instances deployed on GCP comply with the requirements of section 1 of the PCI DSS.

1.1.1  A formal process for approving and testing all network connections and changes to the firewall and router configurations.
     GCP: Google’s internal production network and systems have been assessed against and comply with this requirement.
     Customer: GCP customers are responsible for implementing the processes and procedures necessary to ensure that all network connections, inbound and outbound traffic on any customer instances deployed on GCP comply with the requirements of section 1 of the PCI DSS.

1.1.2  Current diagram that identifies all networks, network devices, and system components, with all connections between the CDE and other networks, including any wireless networks.
     GCP: Google’s internal production network and systems have been assessed against and comply with this requirement.
     Customer: GCP customers are responsible for implementing the processes and procedures necessary to ensure that all network connections, inbound and outbound traffic on any customer instances deployed on GCP comply with the requirements of section 1 of the PCI DSS.

1.1.3  Current network diagram that shows all cardholder data flows across systems and networks.
     GCP: Google’s internal production network and systems have been assessed against and comply with this requirement.
     Customer: GCP customers are responsible for implementing the processes and procedures necessary to ensure that all network connections, inbound and outbound traffic on any customer instances deployed on GCP comply with the requirements of section 1 of the PCI DSS.

1.1.4  Requirements for a firewall at each Internet connection and between any demilitarized zone (DMZ) and the internal network zone.
     GCP: Firewalls that comply with this requirement have been implemented by Google to control access to the Google production network and to GCP products and services implemented by Google.
     Customer: GCP customers are responsible for implementing the processes and procedures necessary to ensure that all network connections, inbound and outbound traffic on any customer instances deployed on GCP comply with the requirements of section 1 of the PCI DSS.

1.1.5  Description of groups, roles, and responsibilities for management of network components.
     GCP: Google’s internal production network and systems have been assessed against and comply with this requirement.
     Customer: GCP customers are responsible for implementing the processes and procedures necessary to ensure that all network connections, inbound and outbound traffic on any customer instances deployed on GCP comply with the requirements of section 1 of the PCI DSS.

1.1.6  Documentation and business justification for use of all services, protocols, and ports allowed, including documentation of security features implemented for those protocols considered to be insecure. Examples of insecure services, protocols, or ports include but are not limited to FTP, Telnet, POP3, IMAP, and SNMP v1 and v2.
     GCP: Firewalls that comply with this requirement have been implemented by Google to control access to the Google production network and to GCP products and services implemented by Google.
     Customer: GCP customers are responsible for implementing the processes and procedures necessary to ensure that all network connections, inbound and outbound traffic on any customer instances deployed on GCP comply with the requirements of section 1 of the PCI DSS.

1.1.7  Requirement to review firewall and router rule sets at least every six months.
     GCP: Firewalls that comply with this requirement have been implemented by Google to control access to the Google production network and to GCP products and services implemented by Google.
     Customer: GCP customers are responsible for implementing the processes and procedures necessary to ensure that all network connections, inbound and outbound traffic on any customer instances deployed on GCP comply with the requirements of section 1 of the PCI DSS.

1.2  Build firewall and router configurations that restrict connections between untrusted networks and any system components in the cardholder data environment.

1.2.1  Restrict inbound and outbound traffic to that which is necessary for the cardholder data environment, and specifically deny all other traffic.
     GCP: Firewalls that comply with this requirement have been implemented by Google to control access to the Google production network and to GCP products and services implemented by Google.
     Customer: GCP customers are responsible for ensuring that firewalls that meet Section 1 requirements are implemented on inbound and outbound traffic, to and from any customer instances deployed on GCP meet the requirements of Section 1 of the PCI DSS. Refer to the Google Compute Engine documentation for the capabilities provided by GCP to the customer.

1.2.2  Secure and synchronize router configuration files.
     GCP: Google’s internal production network and systems have been assessed against and comply with this requirement.
     Customer: GCP customers are responsible for ensuring that firewalls meeting Section 1 requirements are implemented on inbound and outbound traffic, to and from any customer instances deployed on GCP meet the requirements of Section 1 of the PCI DSS. Refer to the Google Compute Engine documentation for the capabilities provided by GCP to the customer.

1.2.3  Install perimeter firewalls between all wireless networks and the cardholder data environment, and configure these firewalls to deny or, if traffic is necessary for business purposes, permit only authorized traffic between the wireless environment and the cardholder data environment.
     GCP: Firewalls that comply with this requirement have been implemented by Google to control access to the Google production network and to GCP products and services implemented by Google.
     Customer: GCP customers are responsible for ensuring that firewalls meeting Section 1 requirements are implemented on inbound and outbound traffic, to and from any customer instances deployed on GCP meet the requirements of Section 1 of the PCI DSS. Refer to the Google Compute Engine documentation for the capabilities provided by GCP to the customer.

1.3  Prohibit direct public access between the Internet and any system component in the cardholder data environment.

1.3.1  Implement a DMZ to limit inbound traffic to only system components that provide authorized publicly accessible services, protocols, and ports.
     GCP: Firewalls that comply with this requirement have been implemented by Google to control access to the Google production network and to GCP products and services implemented by Google.
     Customer: GCP customers are responsible for ensuring that firewalls meeting Section 1 requirements are implemented on inbound and outbound traffic, to and from any customer instances deployed on GCP meet the requirements of Section 1 of the PCI DSS. Refer to the Google Compute Engine documentation for the capabilities provided by GCP to the customer.

1.3.2  Limit inbound Internet traffic to IP addresses within the DMZ.
     GCP: Firewalls that comply with this requirement have been implemented by Google to control access to the Google production network and to GCP products and services implemented by Google.
     Customer: GCP customers are responsible for ensuring that firewalls meeting Section 1 requirements are implemented on inbound and outbound traffic, to and from any customer instances deployed on GCP meet the requirements of Section 1 of the PCI DSS. Refer to the Google Cloud Platform (GCP) firewall rules documentation for the capabilities provided by GCP to the customer.

1.3.3  Implement anti-spoofing measures to detect and block forged source IP addresses from entering the network.
     GCP: Firewalls that comply with this requirement have been implemented by Google to control access to the Google production network and to GCP products and services implemented by Google.
     Customer: GCP customers are responsible for ensuring that firewalls meeting Section 1 requirements are implemented on inbound and outbound traffic, to and from any customer instances deployed on GCP meet the requirements of Section 1 of the PCI DSS.

1.3.4  Do not allow unauthorized outbound traffic from the cardholder data environment to the Internet.
     GCP: Firewalls that comply with this requirement have been implemented by Google to control access to the Google production network and to GCP products and services implemented by Google.
     Customer: GCP customers are responsible for ensuring that firewalls meeting Section 1 requirements are implemented on inbound and outbound traffic, to and from any customer instances deployed on GCP meet the requirements of Section 1 of the PCI DSS.

1.3.5  Permit only “established” connections into the network.
     GCP: Firewalls that comply with this requirement have been implemented by Google to control access to the Google production network and to GCP products and services implemented by Google.
     Customer: GCP customers are responsible for ensuring that firewalls meeting Section 1 requirements are implemented on inbound and outbound traffic, to and from any customer instances deployed on GCP meet the requirements of Section 1 of the PCI DSS. Refer to the Google Cloud Platform (GCP) firewall rules documentation for the capabilities provided by GCP to the customer.

1.3.6  Place system components that store cardholder data (such as a database) in an internal network zone, segregated from the DMZ and other untrusted networks.
     GCP: Firewalls that comply with this requirement have been implemented by Google to control access to the Google production network and to GCP products and services implemented by Google.
     Customer: GCP customers are responsible for ensuring that firewalls meeting Section 1 requirements are implemented on inbound and outbound traffic, to and from any customer instances deployed on GCP meet the requirements of Section 1 of the PCI DSS. Refer to the Google Cloud Platform (GCP) firewall rules documentation for the capabilities provided by GCP to the customer.

1.3.7  Do not disclose private IP addresses and routing information to unauthorized parties.
       Note: Methods to obscure IP addressing may include, but are not limited to:
       ● Network Address Translation (NAT).
       ● Placing servers containing cardholder data behind proxy servers/firewalls.
       ● Removal or filtering of route advertisements for private networks that employ registered addressing.
       ● Internal use of RFC1918 address space instead of registered addresses.
     GCP: Google has PCI DSS compliance responsibility for dedicated internal Google Production and management network systems. For computer resources that are provided by Google to customers as part of a customer's GCP project, the PCI compliance of those resources is the customer’s responsibility.
     Customer: GCP customers are responsible for ensuring that firewalls meeting Section 1 requirements are implemented on inbound and outbound traffic, to and from any customer instances deployed on GCP meet the requirements of Section 1 of the PCI DSS. Refer to the Google Cloud Platform (GCP) firewall rules documentation for the capabilities provided by GCP to the customer.

1.4  Install personal firewall software on any mobile and/or employee owned devices that connect to the Internet when outside the network (for example, laptops used by employees), and which are also used to access the network.
     GCP: This requirement was determined as out of scope by the QSA for Google Cloud PCI Assessment.
     Customer: GCP customers are responsible for ensuring that devices or systems that fall within the scope of this requirement are compliant.

1.5  Ensure that security policies and operational procedures for managing firewalls are documented, in use, and known to all affected parties.
     GCP: This requirement was determined as out of scope by the QSA for Google Cloud PCI Assessment.
     Customer: GCP customers are responsible for ensuring that devices or systems that fall within the scope of this requirement are compliant.
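Rows 1.1.6, 1.2.1, 1.3.1 and 1.3.4 above place the hygiene of the customer's own VPC firewall rule set with the customer. The following Python script is an added example, not part of the Shared Responsibility Matrix and not Google's code, of the kind of review a customer could run over an exported rule set at the six-monthly review 1.1.7 calls for: it flags services reachable from the Internet without a documented justification, insecure services (the FTP/Telnet/POP3/IMAP/SNMP examples from 1.1.6) allowed without documented security features, and the absence of an explicit deny-all egress rule. The rule dictionaries and the justified-port inventory are constructed sample data; their field names mirror the shape of a GCP VPC firewall rule resource, but nothing here calls a Google API. One fact the check relies on: a VPC network's implied rules deny all ingress but allow all egress, so "specifically deny all other traffic" for outbound connections requires an explicit egress deny.

```python
"""Audit VPC firewall rules against PCI DSS Requirement 1 controls (added example).

SAMPLE_RULES and JUSTIFIED_PUBLIC_PORTS are constructed sample data. The dict
field names mirror a GCP VPC firewall rule resource; nothing here talks to
Google APIs.
"""
from ipaddress import ip_network

# 1.1.6 names these as examples of insecure services; allowing them requires
# documented security features and a business justification.
INSECURE_PORTS = {"21": "FTP", "23": "Telnet", "110": "POP3", "143": "IMAP", "161": "SNMP v1/v2"}

# Constructed inventory (1.1.6): services that may be reachable from the
# Internet, each with its documented business justification.
JUSTIFIED_PUBLIC_PORTS = {"443": "customer-facing HTTPS front end in the DMZ"}

# Constructed sample rule set for a CDE with a DMZ web tier and a database tier.
SAMPLE_RULES = [
    {"name": "allow-https-ingress", "direction": "INGRESS", "priority": 1000,
     "sourceRanges": ["0.0.0.0/0"], "targetTags": ["dmz-web"],
     "allowed": [{"IPProtocol": "tcp", "ports": ["443"]}],
     "description": "Public HTTPS to DMZ web tier"},
    {"name": "allow-ftp-ingress", "direction": "INGRESS", "priority": 1000,
     "sourceRanges": ["0.0.0.0/0"], "targetTags": ["dmz-web"],
     "allowed": [{"IPProtocol": "tcp", "ports": ["21"]}],
     "description": ""},
    {"name": "allow-db-from-dmz", "direction": "INGRESS", "priority": 1000,
     "sourceRanges": ["10.10.1.0/24"], "targetTags": ["cde-db"],
     "allowed": [{"IPProtocol": "tcp", "ports": ["5432"]}],
     "description": "DMZ web tier to CDE database"},
    {"name": "deny-all-egress", "direction": "EGRESS", "priority": 65534,
     "destinationRanges": ["0.0.0.0/0"],
     "denied": [{"IPProtocol": "all"}],
     "description": "Explicit default deny for outbound traffic (1.2.1, 1.3.4)"},
]


def is_public(ranges):
    """True if any CIDR in the list is the whole Internet (0.0.0.0/0 or ::/0)."""
    return any(ip_network(r, strict=False).prefixlen == 0 for r in ranges)


def allowed_ports(rule):
    """Services an allow rule opens: port strings for tcp/udp, the protocol name
    for port-less protocols such as icmp, and 'all' when everything is allowed."""
    services = set()
    for entry in rule.get("allowed", []):
        proto = entry.get("IPProtocol", "all")
        if proto == "all" or (proto in ("tcp", "udp") and not entry.get("ports")):
            services.add("all")
        elif proto in ("tcp", "udp"):
            services.update(entry["ports"])
        else:
            services.add(proto)
    return services


def audit_rules(rules, justified=JUSTIFIED_PUBLIC_PORTS):
    """Return (requirement, rule name, message) findings; an empty list means clean."""
    findings = []
    # 1.2.1 / 1.3.4: the implied VPC rules allow all egress, so an explicit
    # lowest-priority egress deny to 0.0.0.0/0 is needed to deny "all other traffic".
    has_egress_deny = any(
        r["direction"] == "EGRESS"
        and any(d.get("IPProtocol") == "all" for d in r.get("denied", []))
        and is_public(r.get("destinationRanges", []))
        for r in rules)
    if not has_egress_deny:
        findings.append(("1.2.1/1.3.4", "(network)",
                         "no explicit deny-all egress rule; implied rule allows all outbound traffic"))
    for r in rules:
        if r["direction"] != "INGRESS" or "allowed" not in r:
            continue
        services = allowed_ports(r)
        public = is_public(r.get("sourceRanges", []))
        if public and "all" in services:
            findings.append(("1.3.1", r["name"], "allows every port from the Internet"))
        for svc in sorted(services - {"all"}):
            if public and svc not in justified:
                findings.append(("1.1.6/1.3.1", r["name"],
                                 f"{svc} reachable from the Internet without documented justification"))
            if svc in INSECURE_PORTS and not r.get("description"):
                findings.append(("1.1.6", r["name"],
                                 f"{INSECURE_PORTS[svc]} (port {svc}) allowed without documented security features"))
    return findings


if __name__ == "__main__":
    for req, name, msg in audit_rules(SAMPLE_RULES):
        print(f"[{req}] {name}: {msg}")
```

On the constructed rule set the audit reports only the undocumented FTP rule; removing `deny-all-egress` adds the missing-egress-deny finding, which is the case practitioners most often miss because the console shows no "allow all egress" rule to delete.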

       

       

   

 
Requirement 2: Do Not Use Vendor Supplied Defaults for System Passwords and Other Security
 

Requirement  Description  GCP   Customer  

2.1  Always change vendor supplied defaults and remove or disable unnecessary default accounts before installing a system on the network.
     GCP: Google has PCI DSS compliance responsibility for dedicated internal Google Production and management network systems.
     Customer: For computer resources that are provided by Google to customers as part of a customer's GCP project, the PCI compliance of those resources is the customer’s responsibility.

2.1.1  For wireless environments connected to the cardholder data environment or transmitting cardholder data, change ALL wireless vendor defaults at installation, including but not limited to default wireless encryption keys, passwords, and SNMP community strings.
     GCP: No wireless networks are connected to the Cardholder Data Environment relating to GCP.
     Customer: GCP customers are responsible for complying with this requirement for any wireless network that may fall within the scope of their PCI DSS assessments.

2.2  Develop configuration standards for all system components. Assure that these standards address all known security vulnerabilities and are consistent with industry-accepted system hardening standards.
     GCP: Google has implemented configuration standards that comply with requirements in section 2.2 for the infrastructure underlying GCP products in scope for PCI.
     Customer: GCP customers are responsible for complying with this requirement for any virtual machines, applications, services or databases deployed by them on GCP.

2.2.1  Implement only one primary function per server to prevent functions that require different security levels from coexisting on the same server. (For example, web servers, database servers, and DNS should be implemented on separate servers.)
     GCP: Google has implemented configuration standards that comply with requirements in section 2.2 for the infrastructure underlying GCP products in scope for PCI.
     Customer: GCP customers are responsible for complying with this requirement for any virtual machines, applications, services or databases deployed by them on GCP.

2.2.2  Enable only necessary services, protocols, daemons, etc., as required for the function of the system.
     GCP: Google has implemented configuration standards that comply with requirements in section 2.2 for the infrastructure underlying GCP products in scope for PCI.
     Customer: GCP customers are responsible for complying with this requirement for any virtual machines, applications, services or databases deployed by them on GCP.

2.2.3  Implement additional security features for any required services, protocols, or daemons that are considered to be insecure—for example, use secured technologies such as SSH, SFTP, TLS or IPSec VPN to protect insecure services such as NetBIOS, file sharing, Telnet, FTP, etc.
     GCP: Google has implemented configuration standards that comply with requirements in section 2.2 for the infrastructure underlying GCP products in scope for PCI.
     Customer: GCP customers are responsible for complying with this requirement for any virtual machines, applications, services or databases deployed by them on GCP.

2.2.4  Configure system security parameters to prevent misuse.
     GCP: Google has implemented configuration standards that comply with requirements in section 2.2 for the infrastructure underlying GCP products in scope for PCI.
     Customer: GCP customers are responsible for complying with this requirement for any virtual machines, applications, services or databases deployed by them on GCP.

2.2.5  Remove all unnecessary functionality, such as scripts, drivers, features, subsystems, file systems, and unnecessary web servers.
     GCP: Google has implemented configuration standards that comply with requirements in section 2.2 for the infrastructure underlying GCP products in scope for PCI.
     Customer: GCP customers are responsible for complying with this requirement for any virtual machines, applications, services or databases deployed by them on GCP.

2.3  Encrypt all non-console administrative access using strong cryptography. Use technologies such as SSH, VPN, or TLS for web-based management and other non-console administrative access.
     GCP: Google has implemented controls for secure administrative access for the Google production infrastructure underlying GCP.
     Customer: GCP customers are responsible for complying with this requirement for any virtual machines, applications, services or databases deployed by them on GCP.

2.4  Maintain an inventory of system components that are in scope for PCI DSS.
     GCP: Google has implemented policies and procedures that comply with requirements in section 2.4 for the infrastructure underlying GCP products in scope for PCI.
     Customer: GCP customers are responsible for complying with this requirement for any virtual machines, applications, services or databases deployed by them on GCP.

2.5  Ensure that security policies and operational procedures for managing vendor defaults and other security parameters are documented, in use, and known to all affected parties.
     GCP: Google has implemented policies and procedures that comply with requirements in section 2.5 for the infrastructure underlying GCP products in scope for PCI.
     Customer: GCP customers are responsible for complying with this requirement for any virtual machines, applications, services or databases deployed by them on GCP.

2.6  Shared hosting providers must protect each entity’s hosted environment and cardholder data. These providers must meet specific requirements as detailed in Appendix A: Additional PCI DSS Requirements for Shared Hosting Providers.
     GCP: Compliance covered in the Appendix A Controls section.
     Customer: N/A

   

 
Requirement 3: Protect Stored Cardholder Data

Requirement  Description  GCP   Customer  

3.1  Keep cardholder data storage to a minimum by implementing data retention and disposal policies, procedures and processes that include at least the following for all cardholder data (CHD) storage:
     ● Limiting data storage amount and retention time to that which is required for legal, regulatory, and business requirements
     ● Processes for secure deletion of data when no longer needed
     ● Specific retention requirements for cardholder data
     ● A quarterly process for identifying and securely deleting stored cardholder data that exceeds defined retention.
     GCP: It is outside the scope of Google’s PCI assessment to comply with requirements of section 3 for cardholder data stored within any customer instances on GCP.
     Customer: GCP customers are responsible for meeting the requirements of section 3 for any cardholder data transmitted to or stored within their instances, applications or databases on GCP.

3.2  Do not store sensitive authentication data after authorization (even if encrypted). If sensitive authentication data is received, render all data unrecoverable upon completion of the authorization process. It is permissible for issuers and companies that support issuing services to store sensitive authentication data if: there is a business justification and the data is stored securely.
     GCP: Google has PCI DSS compliance responsibility for dedicated internal Google Production and management network systems. For computer resources that are provided by Google to customers as part of a customer's GCP project, the PCI compliance of those resources is the customer’s responsibility.
     Customer: GCP customers are responsible for meeting the requirements of section 3 for any cardholder data transmitted to or stored within their instances, applications or databases on GCP.

3.2.1  Do not store the full contents of any track (from the magnetic stripe located on the back of a card, equivalent data contained on a chip, or elsewhere). This data is alternatively called full track, track, track 1, track 2, and magnetic stripe data.
     GCP: It is outside the scope of Google’s PCI assessment to comply with requirements of section 3 for cardholder data stored within any customer instances on GCP.
     Customer: GCP customers are responsible for meeting the requirements of section 3 for any cardholder data transmitted to or stored within their instances, applications or databases on GCP.

3.2.2  Do not store the card verification code or value (three-digit or four-digit number printed on the front or back of a payment card) used to verify card-not-present transactions.
     GCP: It is outside the scope of Google’s PCI assessment to comply with requirements of section 3 for cardholder data stored within any customer instances on GCP.
     Customer: GCP customers are responsible for meeting the requirements of section 3 for any cardholder data transmitted to or stored within their instances, applications or databases on GCP.

3.2.3  Do not store the personal identification number (PIN) or the encrypted PIN block.
     GCP: It is outside the scope of Google’s PCI assessment to comply with requirements of section 3 for cardholder data stored within any customer instances on GCP.
     Customer: GCP customers are responsible for meeting the requirements of section 3 for any cardholder data transmitted to or stored within their instances, applications or databases on GCP.

3.3  Mask PAN when displayed (the first six and last four digits are the maximum number of digits to be displayed), such that only personnel with a legitimate business need can see the full PAN.
     GCP: It is outside the scope of Google’s PCI assessment to comply with requirements of section 3 for cardholder data stored within any customer instances on GCP.
     Customer: GCP customers are responsible for meeting the requirements of section 3 for any cardholder data transmitted to or stored within their instances, applications or databases on GCP.
3.4  Render PAN unreadable anywhere it is stored (including on portable digital media, backup media, and in logs) by using any of the following approaches:
     ● One-way hashes based on strong cryptography (hash must be of the entire PAN).
     ● Truncation (hashing cannot be used to replace the truncated segment of PAN)
     ● Index tokens and pads (pads must be securely stored)
     ● Strong cryptography with associated key management processes and procedures.
     GCP: It is outside the scope of Google’s PCI assessment to comply with requirements of section 3 for cardholder data stored within any customer instances on GCP.
     Customer: GCP customers are responsible for meeting the requirements of section 3 for any cardholder data transmitted to or stored within their instances, applications or databases on GCP.
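Rows 3.3 and 3.4 above leave PAN masking and unreadable storage entirely with the customer. The following Python module is an added example, not part of the Shared Responsibility Matrix and not Google's code, of the customer-side operations those two rows describe: masking to at most the first six and last four digits for display (3.3), truncation for storage, and a keyed one-way hash computed over the entire PAN (3.4); because 3.4 explicitly includes logs, it also scrubs PANs from a log line, using the Luhn check to tell a PAN from other 16-digit values such as an order id. The PANs are standard test numbers, and the HMAC key and log lines are constructed; protecting the key itself is the subject of 3.5 and is outside the example.

```python
"""PAN handling for PCI DSS 3.3 / 3.4 (added example, not the matrix's own code).

SAMPLE_KEY, SAMPLE_LOG_LINES and the PANs below are constructed test data.
"""
import hashlib
import hmac
import re

# Constructed HMAC key. In production the key is managed under Requirement 3.5
# (for example in a KMS or HSM) and is never hard-coded.
SAMPLE_KEY = b"constructed-example-key-do-not-use"

# Constructed log lines: 4111111111111111 is a standard test PAN (Luhn-valid);
# 1234567890123456 is a 16-digit order id that is NOT Luhn-valid.
SAMPLE_LOG_LINES = [
    "2019-04-01T12:00:00Z auth ok pan=4111111111111111 order=1234567890123456 amount=12.50",
    "2019-04-01T12:00:05Z retry pan=4111 1111 1111 1111 reason=timeout",
]

# Runs of 13-19 digits, optionally separated by single spaces or hyphens.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def _check_pan(pan: str) -> None:
    if not (13 <= len(pan) <= 19 and pan.isdigit()):
        raise ValueError("not a PAN")


def luhn_valid(digits: str) -> bool:
    """Luhn check-digit validation, used to distinguish PANs from other digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """3.3: show at most the first six and last four digits when displaying a PAN."""
    _check_pan(pan)
    return pan[:6] + "X" * (len(pan) - 10) + pan[-4:]


def truncate_pan(pan: str) -> str:
    """3.4 truncation: permanently keep only the first six and last four digits."""
    _check_pan(pan)
    return pan[:6] + pan[-4:]


def hash_pan(pan: str, key: bytes) -> str:
    """3.4 one-way hash over the ENTIRE PAN. A secret key (HMAC) is used because the
    PAN space is small enough that an unkeyed hash could be enumerated offline."""
    _check_pan(pan)
    return hmac.new(key, pan.encode("ascii"), hashlib.sha256).hexdigest()


def redact_log_line(line: str) -> str:
    """3.4 includes logs: replace every Luhn-valid PAN in a log line with its masked form."""
    def _sub(m):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            return mask_pan(digits)
        return m.group(0)       # not a PAN (an order id, timestamp, etc.): leave it
    return PAN_RE.sub(_sub, line)


if __name__ == "__main__":
    for line in SAMPLE_LOG_LINES:
        print(redact_log_line(line))
    print(truncate_pan("4111111111111111"))
    print(hash_pan("4111111111111111", SAMPLE_KEY))
```

The truncated and hashed forms are produced by separate functions on purpose: 3.4 notes that hashing may not replace the truncated segment, and storing both forms of the same PAN side by side would let the two be combined, so a customer design should keep them apart.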

       

3.4.1  If disk encryption is used (rather than file or column level  It is outside the the scope of Google’s PCI  GCP customers are responsible for 
database encryption), logical access must be managed  assessment to comply with requirements  meeting the requirements of section 3 for 
separately and independently of native operating system  of section 3 for cardholder data stored  any cardholder data transmitted to or 
authentication and access control mechanisms (for example,  within any customer instances on GCP.  stored within their instances, applications 
by not using local user account databases or general network  or databases on GCP. 
login credentials). Decryption keys must not be associated 
with user accounts. 

       

3.5  Document and implement procedures to protect keys used to  For customers using Cloud Key  GCP customers are responsible for 
secure stored cardholder data against disclosure and  Management System (KMS) or Cloud  meeting the requirements of section 3 for 
misuse.  Hardware Security Module (HSM), Google  any cardholder data transmitted to or 
has PCI DSS compliance responsibility for  stored within their instances, applications 
dedicated internal Google Production and  or databases on GCP. 
management network systems. For 
computer resources that are provided by 
Google to customers as part of a 
customer's GCP project, the PCI 
compliance of those resources is the 
customer’s responsibility. 

       

3.5.1
Description: Maintain a documented description of the cryptographic architecture that includes:
● Details of all algorithms, protocols, and keys used for the protection of cardholder data, including key strength and expiry date
● Description of the key usage for each key
● Inventory of any HSMs and other SCDs used for key management
GCP: For customers using Cloud Key Management System (KMS) or Cloud Hardware Security Module (HSM), Google has PCI DSS compliance responsibility for dedicated internal Google Production and management network systems. For computer resources that are provided by Google to customers as part of a customer’s GCP project, the PCI compliance of those resources is the customer’s responsibility.
Customer: This is an additional requirement for service providers only.

3.5.2
Description: Restrict access to cryptographic keys to the fewest number of custodians necessary.
GCP: For customers using Cloud Key Management System (KMS) or Cloud Hardware Security Module (HSM), Google has PCI DSS compliance responsibility for dedicated internal Google Production and management network systems. For computer resources that are provided by Google to customers as part of a customer’s GCP project, the PCI compliance of those resources is the customer’s responsibility.
Customer: GCP customers are responsible for meeting the requirements of section 3 for any cardholder data transmitted to or stored within their instances, applications or databases on GCP.

3.5.3
Description: Store secret and private keys used to encrypt/decrypt cardholder data in one (or more) of the following forms at all times:
● Encrypted with a key-encrypting key that is at least as strong as the data-encrypting key, and that is stored separately from the data-encrypting key
● Within a secure cryptographic device (such as a hardware/host security module (HSM) or PTS-approved point-of-interaction device)
● As at least two full-length key components or key shares, in accordance with an industry-accepted method
GCP: It is outside the scope of Google’s PCI assessment to comply with requirements of section 3 for cardholder data stored within any customer instances on GCP. Cloud Key Management System (KMS) and Cloud Hardware Security Module (HSM) have PCI compliant procedures; however, customers are responsible for how they use Cloud KMS or Cloud HSM to protect cardholder data.
Customer: GCP customers are responsible for meeting the requirements of section 3 for any cardholder data transmitted to or stored within their instances, applications or databases on GCP.

3.5.4
Description: Store cryptographic keys in the fewest possible locations.
GCP: For customers using Cloud Key Management System (KMS) or Cloud Hardware Security Module (HSM), Google has PCI DSS compliance responsibility for dedicated internal Google Production and management network systems. For computer resources that are provided by Google to customers as part of a customer’s GCP project, the PCI compliance of those resources is the customer’s responsibility.
Customer: GCP customers are responsible for meeting the requirements of section 3 for any cardholder data transmitted to or stored within their instances, applications or databases on GCP.

3.6
Description: Fully document and implement all key management processes and procedures for cryptographic keys used for encryption of cardholder data.
GCP: The Cloud Key Management System (KMS) or Cloud Hardware Security Module (HSM) service has internal key management procedures that are validated to be PCI DSS compliant. Cloud KMS or Cloud HSM customers are responsible for how they choose to use this service to implement their own PCI compliant encryption systems. For customers who choose not to use Cloud KMS or Cloud HSM as part of their cardholder data protection, this item is fully a customer responsibility.
Customer: GCP customers are responsible for meeting the requirements of section 3 for any cardholder data transmitted to or stored within their instances, applications or databases on GCP.

3.6.1
Description: Generation of strong cryptographic keys.
GCP: The Cloud Key Management System (KMS) or Cloud Hardware Security Module (HSM) service has internal key management procedures that are validated to be PCI DSS compliant. Cloud KMS or Cloud HSM customers are responsible for how they choose to use this service to implement their own PCI compliant encryption systems. For customers who choose not to use Cloud KMS or Cloud HSM as part of their cardholder data protection, this item is fully a customer responsibility.
Customer: GCP customers are responsible for meeting the requirements of section 3 for any cardholder data transmitted to or stored within their instances, applications or databases on GCP.

3.6.2
Description: Secure cryptographic key distribution.
GCP: The Cloud Key Management System (KMS) or Cloud Hardware Security Module (HSM) service has internal key management procedures that are validated to be PCI DSS compliant. Cloud KMS or Cloud HSM customers are responsible for how they choose to use this service to implement their own PCI compliant encryption systems. For customers who choose not to use Cloud KMS or Cloud HSM as part of their cardholder data protection, this item is fully a customer responsibility.
Customer: GCP customers are responsible for meeting the requirements of section 3 for any cardholder data transmitted to or stored within their instances, applications or databases on GCP.

3.6.3
Description: Secure cryptographic key storage.
GCP: The Cloud Key Management System (KMS) or Cloud Hardware Security Module (HSM) service has internal key management procedures that are validated to be PCI DSS compliant. Cloud KMS or Cloud HSM customers are responsible for how they choose to use this service to implement their own PCI compliant encryption systems. For customers who choose not to use Cloud KMS or Cloud HSM as part of their cardholder data protection, this item is fully a customer responsibility.
Customer: GCP customers are responsible for meeting the requirements of section 3 for any cardholder data transmitted to or stored within their instances, applications or databases on GCP.

3.6.4
Description: Cryptographic key changes for keys that have reached the end of their crypto-period (for example, after a defined period of time has passed and/or after a certain amount of ciphertext has been produced by a given key), as defined by the associated application vendor or key owner, and based on industry best practices and guidelines.
GCP: The Cloud Key Management System (KMS) or Cloud Hardware Security Module (HSM) service has internal key management procedures that are validated to be PCI DSS compliant. Cloud KMS or Cloud HSM customers are responsible for how they choose to use this service to implement their own PCI compliant encryption systems. For customers who choose not to use Cloud KMS or Cloud HSM as part of their cardholder data protection, this item is fully a customer responsibility.
Customer: GCP customers are responsible for meeting the requirements of section 3 for any cardholder data transmitted to or stored within their instances, applications or databases on GCP.
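
Two of the rows above describe mechanisms rather than paperwork: 3.5.3 (keep the data-encrypting key only in wrapped form under a key-encrypting key that is stored separately) and 3.6.4 (change a key at the end of its crypto-period without re-encrypting every record). The Go program below is an added example, not part of this matrix and not Cloud KMS or Cloud HSM code. Its in-memory KEKStore stands in for the key-management service so it runs offline, the Envelope layout is this example's own, and the PAN is a constructed test number. It shows that rotating the KEK re-wraps only the 32-byte DEK, that the data ciphertext is never touched, and that a record pointing at a KEK version the store does not hold cannot be opened.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// Envelope is stored next to the cardholder data: the AES-GCM ciphertext, the
// data-encrypting key (DEK) wrapped under a key-encrypting key (KEK), and the
// KEK version, so records wrapped before a rotation can still be opened.
type Envelope struct {
	KEKVersion int
	WrappedDEK []byte // nonce || AES-256-GCM(KEK, DEK)
	Ciphertext []byte // nonce || AES-256-GCM(DEK, plaintext)
}

// KEKStore stands in for the key-management service (Cloud KMS or Cloud HSM in
// production; an in-memory map here so the example runs offline). KEK bytes
// never leave it, which keeps the KEK stored separately from every DEK.
type KEKStore struct {
	versions map[int][]byte
	current  int
}

// Rotate starts a new crypto-period (3.6.4) with a fresh KEK version; older
// versions stay usable for unwrapping until every record has been re-wrapped.
func (s *KEKStore) Rotate() int {
	if s.versions == nil {
		s.versions = map[int][]byte{}
	}
	s.current++
	s.versions[s.current] = randBytes(32)
	return s.current
}

func (s *KEKStore) unwrap(env *Envelope) ([]byte, error) {
	kek, ok := s.versions[env.KEKVersion]
	if !ok {
		return nil, fmt.Errorf("KEK v%d is not available", env.KEKVersion)
	}
	return gcmOpen(kek, env.WrappedDEK)
}

// ReWrap moves an envelope onto the current KEK. Only the wrapped DEK changes;
// the data ciphertext is untouched, so a KEK rotation costs one unwrap per record.
func (s *KEKStore) ReWrap(env *Envelope) error {
	dek, err := s.unwrap(env)
	if err != nil {
		return err
	}
	env.KEKVersion, env.WrappedDEK = s.current, gcmSeal(s.versions[s.current], dek)
	return nil
}

// Seal makes a per-record DEK, encrypts with it, and keeps the DEK only in
// wrapped form (the first storage option in 3.5.3). Rotate must have run once.
func Seal(store *KEKStore, plaintext []byte) *Envelope {
	dek := randBytes(32)
	return &Envelope{KEKVersion: store.current, Ciphertext: gcmSeal(dek, plaintext),
		WrappedDEK: gcmSeal(store.versions[store.current], dek)}
}

// Open unwraps the DEK through the store and decrypts; GCM rejects tampering.
func Open(store *KEKStore, env *Envelope) ([]byte, error) {
	dek, err := store.unwrap(env)
	if err != nil {
		return nil, err
	}
	return gcmOpen(dek, env.Ciphertext)
}

// gcm builds AES-256-GCM; keys are always 32 bytes here, so neither call fails.
func gcm(key []byte) cipher.AEAD {
	block, _ := aes.NewCipher(key)
	g, _ := cipher.NewGCM(block)
	return g
}

// gcmSeal returns nonce || ciphertext under a fresh random 96-bit nonce.
func gcmSeal(key, plaintext []byte) []byte {
	g := gcm(key)
	nonce := randBytes(g.NonceSize())
	return g.Seal(nonce, nonce, plaintext, nil)
}

func gcmOpen(key, blob []byte) ([]byte, error) {
	g := gcm(key)
	if len(blob) < g.NonceSize() {
		return nil, fmt.Errorf("ciphertext too short")
	}
	return g.Open(nil, blob[:g.NonceSize()], blob[g.NonceSize():], nil)
}

func randBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err) // a failing system CSPRNG is not recoverable
	}
	return b
}

func main() {
	store := &KEKStore{}
	store.Rotate()
	env := Seal(store, []byte("4111111111111111")) // constructed test PAN
	store.Rotate()
	fmt.Println("rewrap:", store.ReWrap(env), "now under KEK v", env.KEKVersion)
}
```

With a real KMS the two `gcmSeal`/`gcmOpen` calls on the KEK become Encrypt/Decrypt calls to the service and the KEK bytes never exist in the application at all; the per-record DEK, the version pointer in every envelope, and the re-wrap loop are the parts the customer still owns.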

 

3.6.5
Description: Retirement or replacement (for example, archiving, destruction, and/or revocation) of keys as deemed necessary when the integrity of the key has been weakened (for example, departure of an employee with knowledge of a clear text key component), or keys are suspected of being compromised.
GCP: The Cloud Key Management System (KMS) or Cloud Hardware Security Module (HSM) service has internal key management procedures that are validated to be PCI DSS compliant. Cloud KMS or Cloud HSM customers are responsible for how they choose to use this service to implement their own PCI compliant encryption systems. For customers who choose not to use Cloud KMS or Cloud HSM as part of their cardholder data protection, this item is fully a customer responsibility.
Customer: GCP customers are responsible for meeting the requirements of section 3 for any cardholder data transmitted to or stored within their instances, applications or databases on GCP.

3.6.6
Description: If manual clear text cryptographic key management operations are used, these operations must be managed using split knowledge and dual control. Note: Examples of manual key management operations include, but are not limited to: key generation, transmission, loading, storage and destruction.
GCP: Google does not use manual clear text cryptographic key management. Where a customer does, this is a customer responsibility.
Customer: GCP customers are responsible for meeting the requirements of section 3 for any cardholder data transmitted to or stored within their instances, applications or databases on GCP.
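
3.6.6 names the two controls for manual clear-text key handling, split knowledge and dual control, and 3.5.3 allows a key to exist only as two or more full-length components. The Go program below is an added example, not Google's or the PCI SSC's code. It splits an AES-256 key into full-length XOR components (the industry-accepted method the requirement refers to), gives each custodian a key check value (KCV, here the first three bytes of AES-encrypting an all-zero block, one common definition) so a component can be verified without exposing it, and reconstructs the key only when every custodian's component passes its check. The component count, key length and KCV definition are this example's assumptions.

```go
package main

import (
	"crypto/aes"
	"crypto/rand"
	"crypto/subtle"
	"encoding/hex"
	"errors"
	"fmt"
)

const keyLen = 32 // AES-256

// SplitKey returns n full-length components whose XOR is key. Any n-1 of them
// are uniformly random and say nothing about key, so each custodian holds
// exactly one (split knowledge) and the key exists only when all are combined
// (dual control).
func SplitKey(key []byte, n int) ([][]byte, error) {
	if n < 2 {
		return nil, errors.New("split knowledge needs at least two custodians")
	}
	if len(key) != keyLen {
		return nil, fmt.Errorf("key must be %d bytes", keyLen)
	}
	parts := make([][]byte, n)
	last := append([]byte(nil), key...)
	for i := 0; i < n-1; i++ {
		parts[i] = make([]byte, keyLen)
		if _, err := rand.Read(parts[i]); err != nil {
			return nil, err
		}
		for j := range last {
			last[j] ^= parts[i][j]
		}
	}
	parts[n-1] = last
	return parts, nil
}

// CombineKey XORs all components back into the key.
func CombineKey(parts [][]byte) ([]byte, error) {
	if len(parts) < 2 {
		return nil, errors.New("need every component, at least two")
	}
	key := make([]byte, keyLen)
	for _, p := range parts {
		if len(p) != keyLen {
			return nil, errors.New("component has the wrong length")
		}
		for j := range key {
			key[j] ^= p[j]
		}
	}
	return key, nil
}

// KCV is a key check value: the first three bytes of AES-ECB encrypting an
// all-zero block (a common definition for AES keys). A custodian can confirm a
// component, or the combined key, was entered correctly without revealing it.
func KCV(key []byte) (string, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return "", err
	}
	out := make([]byte, aes.BlockSize)
	block.Encrypt(out, make([]byte, aes.BlockSize))
	return hex.EncodeToString(out[:3]), nil
}

// LoadUnderDualControl models the key ceremony: every custodian's component is
// checked against the KCV recorded when it was issued, and only then are they
// combined. A missing or wrong component stops the load.
func LoadUnderDualControl(parts [][]byte, kcvs []string) ([]byte, error) {
	if len(parts) != len(kcvs) {
		return nil, errors.New("each component needs its recorded KCV")
	}
	for i, p := range parts {
		got, err := KCV(p)
		if err != nil {
			return nil, err
		}
		if subtle.ConstantTimeCompare([]byte(got), []byte(kcvs[i])) != 1 {
			return nil, fmt.Errorf("custodian %d: component failed its KCV check", i+1)
		}
	}
	return CombineKey(parts)
}

func main() {
	key := make([]byte, keyLen)
	rand.Read(key)
	parts, _ := SplitKey(key, 2)
	kcvs := make([]string, len(parts))
	for i, p := range parts {
		kcvs[i], _ = KCV(p)
	}
	loaded, err := LoadUnderDualControl(parts, kcvs)
	fmt.Println("loaded:", loaded != nil, "err:", err, "component KCVs:", kcvs)
}
```

The XOR split, not a Shamir threshold scheme, is used on purpose: PCI key-component procedures require every custodian to be present, and with XOR any strict subset of the components is indistinguishable from random. The KCV is the only value that may be written on the component envelope or in the ceremony log.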

       

3.6.7
Description: Prevention of unauthorized substitution of cryptographic keys.
GCP: The Cloud Key Management System (KMS) or Cloud Hardware Security Module (HSM) service has internal key management procedures that are validated to be PCI DSS compliant. Cloud KMS or Cloud HSM customers are responsible for how they choose to use this service to implement their own PCI compliant encryption systems. For customers who choose not to use Cloud KMS or Cloud HSM as part of their cardholder data protection, this item is fully a customer responsibility.
Customer: GCP customers are responsible for meeting the requirements of section 3 for any cardholder data transmitted to or stored within their instances, applications or databases on GCP.

3.6.8
Description: Requirement for cryptographic key custodians to formally acknowledge that they understand and accept their key custodian responsibilities.
GCP: The Cloud Key Management System (KMS) or Cloud Hardware Security Module (HSM) service has internal key management procedures that are validated to be PCI DSS compliant. Cloud KMS or Cloud HSM customers are responsible for how they choose to use this service to implement their own PCI compliant encryption systems. For customers who choose not to use Cloud KMS or Cloud HSM as part of their cardholder data protection, this item is fully a customer responsibility.
Customer: GCP customers are responsible for meeting the requirements of section 3 for any cardholder data transmitted to or stored within their instances, applications or databases on GCP.

3.7
Description: Ensure that security policies and operational procedures for protecting stored cardholder data are documented, in use, and known to all affected parties.
GCP: The Cloud Key Management System (KMS) or Cloud Hardware Security Module (HSM) service has internal key management procedures that are validated to be PCI DSS compliant. Cloud KMS or Cloud HSM customers are responsible for how they choose to use this service to implement their own PCI compliant encryption systems. For customers who choose not to use Cloud KMS or Cloud HSM as part of their cardholder data protection, this item is fully a customer responsibility.
Customer: GCP customers are responsible for meeting the requirements of section 3 for any cardholder data transmitted to or stored within their instances, applications or databases on GCP.

Product Specific Customer Considerations 


 

Product   Requirement  PCI-DSS Requirement   Additional Customer Responsibility  

Stackdriver Trace, 3.1
PCI-DSS Requirement: Keep cardholder data storage to a minimum by implementing data retention and disposal policies, procedures and processes that include at least the following for all cardholder data (CHD) storage:
● Limiting data storage amount and retention time to that which is required for legal, regulatory, and business requirements
● Processes for secure deletion of data when no longer needed
● Specific retention requirements for cardholder data
● A quarterly process for identifying and securely deleting stored cardholder data that exceeds defined retention
Additional Customer Responsibility: GCP customers are responsible for not including sensitive cardholder data in what they send to Stackdriver Trace when using its trace functionality.

Stackdriver Trace, 3.2
PCI-DSS Requirement: Do not store sensitive authentication data after authorization (even if encrypted). If sensitive authentication data is received, render all data unrecoverable upon completion of the authorization process. It is permissible for issuers and companies that support issuing services to store sensitive authentication data if there is a business justification and the data is stored securely.
Additional Customer Responsibility: GCP customers are responsible for not including sensitive cardholder data in what they send to Stackdriver Trace when using its trace functionality.

Cloud SQL, 3.2
PCI-DSS Requirement: Do not store sensitive authentication data after authorization (even if encrypted). If sensitive authentication data is received, render all data unrecoverable upon completion of the authorization process. It is permissible for issuers and companies that support issuing services to store sensitive authentication data if there is a business justification and the data is stored securely.
Additional Customer Responsibility: Encryption of cardholder data in the Cloud SQL system, either at rest or in transit, is the responsibility of the Cloud SQL customer.

Cloud SQL, 3.4
PCI-DSS Requirement: Render PAN unreadable anywhere it is stored (including on portable digital media, backup media, and in logs) by using any of the following approaches:
● One-way hashes based on strong cryptography (the hash must be of the entire PAN)
● Truncation (hashing cannot be used to replace the truncated segment of PAN)
● Index tokens and pads (pads must be securely stored)
● Strong cryptography with associated key management processes and procedures
Additional Customer Responsibility: Encryption of cardholder data in the Cloud SQL system, either at rest or in transit, is the responsibility of the Cloud SQL customer.

Cloud SQL, and Cloud Key Management System (KMS) or Cloud Hardware Security Module (HSM), 3.5
PCI-DSS Requirement: Document and implement procedures to protect keys used to secure stored cardholder data against disclosure and misuse.
Additional Customer Responsibility: Encryption of cardholder data in the Cloud SQL system, either at rest or in transit, is the responsibility of the Cloud SQL customer. Customers should ensure that Cloud Key Management System (KMS) or Cloud Hardware Security Module (HSM) is configured as per the PCI DSS requirements in section 3.5.

Cloud SQL, and Cloud Key Management System (KMS) or Cloud Hardware Security Module (HSM), 3.6
PCI-DSS Requirement: Fully document and implement all key management processes and procedures for cryptographic keys used for encryption of cardholder data.
Additional Customer Responsibility: Encryption of cardholder data in the Cloud SQL system, either at rest or in transit, is the responsibility of the Cloud SQL customer. Customers should ensure that Cloud Key Management System (KMS) or Cloud Hardware Security Module (HSM) is configured as per the PCI DSS requirements in section 3.5.

Product Specific Considerations for Google 


 

Product   Requirement  PCI-DSS Requirement   Additional Google Responsibility  

Transfer Appliance, 3.1
PCI-DSS Requirement: Keep cardholder data storage to a minimum by implementing data retention and disposal policies, procedures and processes that include at least the following for all cardholder data (CHD) storage:
● Limiting data storage amount and retention time to that which is required for legal, regulatory, and business requirements
● Processes for secure deletion of data when no longer needed
● Specific retention requirements for cardholder data
● A quarterly process for identifying and securely deleting stored cardholder data that exceeds defined retention
Additional Google Responsibility: Google is responsible for ensuring that the data in the appliance is securely wiped.

Requirement 4: Encrypt Transmission of Cardholder Data Across Open, Public Networks


 

Requirement  Description  GCP   Customer  

4.1
Description: Use strong cryptography and security protocols (for example, TLS, IPSEC, SSH, etc.) to safeguard sensitive cardholder data during transmission over open, public networks, including the following:
● Only trusted keys and certificates are accepted
● The protocol in use only supports secure versions or configurations
● The encryption strength is appropriate for the encryption methodology in use
GCP: Google has implemented configuration standards that comply with requirements in section 4.1 for the infrastructure underlying GCP products in scope for PCI. For all Google Cloud Service API endpoints, such as translate.googleapis.com, speech.googleapis.com, www.googleapis.com/storage and similar, customers are responsible for using web browsers and client endpoints that do not support TLS 1.0 or ciphers weaker than AES-128.
Customer: GCP customers are responsible for ensuring that appropriate security protocols, in compliance with section 4, are implemented for all transmissions of cardholder data over public networks into GCP. Customers are also responsible for any transmission of CHD over public networks that they initiate in their own software within Google Cloud Platform.
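
The GCP column above pins down the client-side bar for 4.1: no TLS 1.0 and nothing weaker than AES-128 when talking to the googleapis.com endpoints, on top of the three bullets (trusted certificates only, secure protocol versions, adequate strength). The Go program below is an added example, not Google's code, that makes those checks concrete for client software a customer writes: a client config with MinVersion TLS 1.2 and an AES-GCM/ChaCha20 allow-list, an in-memory handshake against endpoints that are TLS 1.0-only, 3DES-only or hardened, and a Compliant check on what was actually negotiated. The hostname, the self-signed lab certificate and the allow-list are this example's assumptions; a real client trusts the system CA store rather than a lab certificate.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// Allow-list for 4.1: AEAD suites with AES-128 or stronger (ChaCha20-Poly1305
// has a 256-bit key) over forward-secret ECDHE. TLS 1.3 suites are not
// configurable in Go; they are listed so Compliant can recognise them.
var tls13Approved = []uint16{tls.TLS_AES_128_GCM_SHA256, tls.TLS_AES_256_GCM_SHA384, tls.TLS_CHACHA20_POLY1305_SHA256}
var tls12Approved = []uint16{
	tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
	tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
	tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305, tls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,
}

// Compliant applies the policy to a negotiated protocol version and suite.
func Compliant(version, suite uint16) error {
	if version < tls.VersionTLS12 {
		return fmt.Errorf("TLS version %#04x is below TLS 1.2", version)
	}
	for _, id := range append(append([]uint16{}, tls13Approved...), tls12Approved...) {
		if id == suite {
			return nil
		}
	}
	return fmt.Errorf("cipher suite %s is not approved", tls.CipherSuiteName(suite))
}

// Lab is a throwaway self-signed server certificate plus the hardened client
// config that trusts it (constructed for the example; a real client uses the
// system trust store and the endpoint's CA-issued certificate).
type Lab struct {
	cert   tls.Certificate
	Client *tls.Config
}

func NewLab(host string) (*Lab, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: host}, DNSNames: []string{host},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign, IsCA: true,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}, BasicConstraintsValid: true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	leaf, _ := x509.ParseCertificate(der) // produced just above, so it parses
	pool := x509.NewCertPool()
	pool.AddCert(leaf)
	client := &tls.Config{
		MinVersion: tls.VersionTLS12, CipherSuites: tls12Approved, // nothing below 1.2, no weak suites
		RootCAs: pool, ServerName: host, // only trusted certificates, checked against the hostname
	}
	return &Lab{cert: tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, Client: client}, nil
}

// Server builds an endpoint with the given version bounds and suites (zero
// values mean Go defaults) so weak and hardened endpoints can be compared.
func (l *Lab) Server(minV, maxV uint16, suites []uint16) *tls.Config {
	return &tls.Config{Certificates: []tls.Certificate{l.cert}, MinVersion: minV, MaxVersion: maxV,
		CipherSuites: suites, SessionTicketsDisabled: true}
}

// Handshake runs a full client/server handshake over an in-memory pipe and
// returns the negotiated version and suite, or the error that ended it.
func Handshake(server, client *tls.Config) (uint16, uint16, error) {
	c1, c2 := net.Pipe()
	c1.SetDeadline(time.Now().Add(5 * time.Second)) // a stuck peer fails instead of hanging
	c2.SetDeadline(time.Now().Add(5 * time.Second))
	defer func() { c1.Close(); c2.Close() }()
	srv, cli := tls.Server(c1, server), tls.Client(c2, client)
	srvErr := make(chan error, 1)
	go func() { srvErr <- srv.Handshake() }()
	cerr := cli.Handshake()
	if cerr != nil {
		c2.Close() // unblock a server still writing to us, then collect its error
	}
	if serr := <-srvErr; cerr != nil || serr != nil {
		return 0, 0, fmt.Errorf("handshake failed: client=%v server=%v", cerr, serr)
	}
	st := cli.ConnectionState()
	return st.Version, st.CipherSuite, nil
}

func main() {
	lab, _ := NewLab("api.example.test") // hypothetical hostname
	v, s, err := Handshake(lab.Server(tls.VersionTLS10, tls.VersionTLS10, nil), lab.Client)
	fmt.Printf("TLS 1.0-only endpoint: version=%#04x suite=%#04x err=%v\n", v, s, err)
}
```

Go 1.22 and later disable TLS 1.0 on the server side by default, so the TLS 1.0-only endpoint may fail before the client even gets to reject it; either way `Handshake` returns an error, which is the behaviour the requirement asks for. Run `Compliant` on the `ConnectionState` of every real connection, not only on the configuration, because the negotiated result is what an assessor samples.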
 
 

       

4.1.1
Description: Ensure wireless networks transmitting cardholder data or connected to the cardholder data environment use industry best practices (for example, IEEE 802.11i) to implement strong encryption for authentication and transmission.
GCP: Any transmission of cardholder data over wireless networks is the customer’s responsibility.
Customer: GCP customers are responsible for ensuring that appropriate security protocols, in compliance with section 4, are implemented for all transmissions of cardholder data over public networks into GCP.

4.2
Description: Never send unprotected PANs by end user messaging technologies (for example, email, instant messaging, chat, etc.).
GCP: Google has implemented configuration standards that comply with requirements in section 4.2 for the infrastructure underlying GCP products in scope for PCI.
Customer: GCP customers are responsible for ensuring that appropriate security protocols, in compliance with section 4, are implemented for all transmissions of cardholder data over public networks into GCP.

4.3
Description: Ensure that security policies and operational procedures for encrypting transmissions of cardholder data are documented, in use, and known to all affected parties.
GCP: Google has implemented configuration standards that comply with requirements in section 4.3 for the infrastructure underlying GCP products in scope for PCI.
Customer: GCP customers are responsible for ensuring that appropriate security protocols, in compliance with section 4, are implemented for all transmissions of cardholder data over public networks into GCP.

Product Specific Customer Considerations 


 

Product   Requirement  PCI-DSS Requirement   Additional Customer Responsibility  

Cloud SQL, 4.1
PCI-DSS Requirement: Use strong cryptography and security protocols (for example, TLS, IPSEC, SSH, etc.) to safeguard sensitive cardholder data during transmission over open, public networks, including the following:
● Only trusted keys and certificates are accepted
● The protocol in use only supports secure versions or configurations
● The encryption strength is appropriate for the encryption methodology in use
Additional Customer Responsibility: Encryption of cardholder data in the Cloud SQL system, either at rest or in transit, is the responsibility of the Cloud SQL customer.

Requirement 5: Protect all Systems Against Malware and Regularly Update Anti-Virus 
Software or Programs 
 

Requirement  Description  GCP   Customer  

5.1
Description: Deploy antivirus software on all systems commonly affected by malicious software (particularly personal computers and servers).
GCP: Google is responsible for the implementation of malware protection in the underlying GCP infrastructure in compliance with section 5 requirements. Google is not responsible for the implementation of malware protection within any customer deployed instances on GCP.
Customer: GCP customers are responsible for implementing malware protection on any customer deployed instances within GCP in compliance with section 5 requirements.

5.1.1
Description: Ensure that antivirus programs are capable of detecting, removing, and protecting against all known types of malicious software.
GCP: Google is responsible for the implementation of malware protection in the underlying GCP infrastructure in compliance with section 5 requirements. Google is not responsible for the implementation of malware protection within any customer deployed instances on GCP.
Customer: GCP customers are responsible for implementing malware protection on any customer deployed instances within GCP in compliance with section 5 requirements.

5.1.2
Description: For systems considered to be not commonly affected by malicious software, perform periodic evaluations to identify and evaluate evolving malware threats in order to confirm whether such systems continue to not require anti-virus software.
GCP: Google is responsible for the implementation of malware protection in the underlying GCP infrastructure in compliance with section 5 requirements. Google is not responsible for the implementation of malware protection within any customer deployed instances on GCP.
Customer: GCP customers are responsible for implementing malware protection on any customer deployed instances within GCP in compliance with section 5 requirements.

5.2
Description: Ensure that all antivirus mechanisms are maintained as follows:
● Are kept current
● Perform periodic scans
● Generate audit logs which are retained per PCI DSS Requirement 10.7
GCP: Google is responsible for the implementation of malware protection in the underlying GCP infrastructure in compliance with section 5 requirements. Google is not responsible for the implementation of malware protection within any customer deployed instances on GCP.
Customer: GCP customers are responsible for implementing malware protection on any customer deployed instances within GCP in compliance with section 5 requirements.

5.3
Description: Ensure that antivirus mechanisms are actively running and cannot be disabled or altered by users, unless specifically authorized by management on a case-by-case basis for a limited time period.
GCP: Google is responsible for the implementation of malware protection in the underlying GCP infrastructure in compliance with section 5 requirements. Google is not responsible for the implementation of malware protection within any customer deployed instances on GCP.
Customer: GCP customers are responsible for implementing malware protection on any customer deployed instances within GCP in compliance with section 5 requirements.

5.4
Description: Ensure that security policies and operational procedures for protecting systems against malware are documented, in use, and known to all affected parties.
GCP: Google is responsible for the implementation of malware protection in the underlying GCP infrastructure in compliance with section 5 requirements. Google is not responsible for the implementation of malware protection within any customer deployed instances on GCP.
Customer: GCP customers are responsible for implementing malware protection on any customer deployed instances within GCP in compliance with section 5 requirements.

Requirement 6: Develop and Maintain Secure Systems and Applications 


 

Requirement  Description  GCP   Customer  

6.1
Description: Establish a process to identify security vulnerabilities, using reputable outside sources for security vulnerability information, and assign a risk ranking (for example, as “high,” “medium,” or “low”) to newly discovered security vulnerabilities.
GCP: Google is responsible for protecting the systems and infrastructure underlying GCP from vulnerabilities in compliance with the requirements in section 6.
Customer: GCP customers are responsible for protecting customer deployed instances and software on GCP from vulnerabilities in compliance with section 6 requirements.

6.2
Description: Ensure that all system components and software are protected from known vulnerabilities by installing applicable vendor supplied security patches. Install critical security patches within one month of release.
GCP: Google is responsible for protecting the systems and infrastructure underlying GCP from vulnerabilities in compliance with the requirements in section 6.
Customer: GCP customers are responsible for protecting customer deployed instances and software on GCP from vulnerabilities in compliance with section 6 requirements.

6.3
Description: Develop internal and external software applications (including web based administrative access to applications) securely, as follows:
● In accordance with PCI DSS (for example, secure authentication and logging)
● Based on industry standards and/or best practices
● Incorporating information security throughout the software development life cycle
GCP: Google is responsible for protecting the systems and infrastructure underlying GCP from vulnerabilities in compliance with the requirements in section 6.
Customer: GCP customers are responsible for protecting customer deployed instances and software on GCP from vulnerabilities in compliance with section 6 requirements.

6.3.1
Description: Remove development, test and/or custom application accounts, user IDs, and passwords before applications become active or are released to customers.
GCP: Google is responsible for protecting the systems and infrastructure underlying GCP from vulnerabilities in compliance with the requirements in section 6.
Customer: GCP customers are responsible for protecting customer deployed instances and software on GCP from vulnerabilities in compliance with section 6 requirements.

6.3.2
Description: Review custom code prior to release to production or customers in order to identify any potential coding vulnerability (using either manual or automated processes).
GCP: Google is responsible for protecting the systems and infrastructure underlying GCP from vulnerabilities in compliance with the requirements in section 6.
Customer: GCP customers are responsible for protecting customer deployed instances and software on GCP from vulnerabilities in compliance with section 6 requirements.

6.4
Description: Follow change control processes and procedures for all changes to system components. The processes must include the following (6.4.1 through 6.4.6):

6.4.1
Description: Separate development/test environments from production environments, and enforce the separation with access controls.
GCP: Google is responsible for protecting the systems and infrastructure underlying GCP from vulnerabilities in compliance with the requirements in section 6.
Customer: GCP customers are responsible for protecting customer deployed instances and software on GCP from vulnerabilities in compliance with section 6 requirements.

6.4.2
Description: Separation of duties between development/test and production environments.
GCP: Google is responsible for protecting the systems and infrastructure underlying GCP from vulnerabilities in compliance with the requirements in section 6.
Customer: GCP customers are responsible for protecting customer deployed instances and software on GCP from vulnerabilities in compliance with section 6 requirements.

6.4.3
Description: Production data (live PANs) are not used for testing or development.
GCP: Google is responsible for protecting the systems and infrastructure underlying GCP from vulnerabilities in compliance with the requirements in section 6.
Customer: GCP customers are responsible for protecting customer deployed instances and software on GCP from vulnerabilities in compliance with section 6 requirements.

6.4.4
Description: Removal of test data and accounts before production systems become active.
GCP: Google is responsible for protecting the systems and infrastructure underlying GCP from vulnerabilities in compliance with the requirements in section 6.
Customer: GCP customers are responsible for protecting customer deployed instances and software on GCP from vulnerabilities in compliance with section 6 requirements.

6.4.5
Description: Change control procedures for the implementation of security patches and software modifications must include the following (6.4.5.1 through 6.4.5.4):

6.4.5.1
Description: Documentation of impact.
GCP: Google is responsible for protecting the systems and infrastructure underlying GCP from vulnerabilities in compliance with the requirements in section 6.
Customer: GCP customers are responsible for protecting customer deployed instances and software on GCP from vulnerabilities in compliance with section 6 requirements.

6.4.5.2
Description: Documented change approval by authorized parties.
GCP: Google is responsible for protecting the systems and infrastructure underlying GCP from vulnerabilities in compliance with the requirements in section 6.
Customer: GCP customers are responsible for protecting customer deployed instances and software on GCP from vulnerabilities in compliance with section 6 requirements.

6.4.5.3
Description: Functionality testing to verify that the change does not adversely impact the security of the system.
GCP: Google is responsible for protecting the systems and infrastructure underlying GCP from vulnerabilities in compliance with the requirements in section 6.
Customer: GCP customers are responsible for protecting customer deployed instances and software on GCP from vulnerabilities in compliance with section 6 requirements.

6.4.5.4
Description: Back-out procedures.
GCP: Google is responsible for protecting the systems and infrastructure underlying GCP from vulnerabilities in compliance with the requirements in section 6.
Customer: GCP customers are responsible for protecting customer deployed instances and software on GCP from vulnerabilities in compliance with section 6 requirements.

6.4.6
Description: Upon completion of a significant change, all relevant PCI DSS requirements must be implemented on all new or changed systems and networks, and documentation updated as applicable.
GCP: Google has PCI DSS compliance responsibility for dedicated internal Google Production and management network systems.
Customer: For computer resources that are provided by Google to customers as part of a customer’s GCP project, the PCI compliance of those resources is the customer’s responsibility.

6.5
Description: Address common coding vulnerabilities in software development processes as follows:
● Train developers in secure coding techniques, including how to avoid common coding vulnerabilities, and understanding how sensitive data is handled in memory
● Develop applications based on secure coding guidelines
GCP: Google is responsible for protecting the systems and infrastructure underlying GCP from vulnerabilities in compliance with the requirements in section 6.
Customer: GCP customers are responsible for protecting customer deployed instances and software on GCP from vulnerabilities in compliance with section 6 requirements.

6.5.1
Description: Injection flaws, particularly SQL injection. Also consider OS command injection, LDAP and XPath injection flaws as well as other injection flaws.
GCP: Google is responsible for protecting the systems and infrastructure underlying GCP from vulnerabilities in compliance with the requirements in section 6.
Customer: GCP customers are responsible for protecting customer deployed instances and software on GCP from vulnerabilities in compliance with section 6 requirements.

6.5.2  Buffer overflows.
  GCP: Google is responsible for protecting the systems and infrastructure underlying GCP from vulnerabilities in compliance with the requirements in section 6.
  Customer: GCP customers are responsible for protecting customer deployed instances and software on GCP from vulnerabilities in compliance with section 6 requirements.

6.5.3  Insecure cryptographic storage.
  GCP: Google is responsible for protecting the systems and infrastructure underlying GCP from vulnerabilities in compliance with the requirements in section 6.
  Customer: GCP customers are responsible for protecting customer deployed instances and software on GCP from vulnerabilities in compliance with section 6 requirements.

6.5.4  Insecure communications.
  GCP: Google is responsible for protecting the systems and infrastructure underlying GCP from vulnerabilities in compliance with the requirements in section 6.
  Customer: GCP customers are responsible for protecting customer deployed instances and software on GCP from vulnerabilities in compliance with section 6 requirements.

6.5.5  Improper error handling.
  GCP: Google is responsible for protecting the systems and infrastructure underlying GCP from vulnerabilities in compliance with the requirements in section 6.
  Customer: GCP customers are responsible for protecting customer deployed instances and software on GCP from vulnerabilities in compliance with section 6 requirements.

6.5.6  All “high risk” vulnerabilities identified in the vulnerability identification process (as defined in PCI DSS Requirement 6.1).
  GCP: Google is responsible for protecting the systems and infrastructure underlying GCP from vulnerabilities in compliance with the requirements in section 6.
  Customer: GCP customers are responsible for protecting customer deployed instances and software on GCP from vulnerabilities in compliance with section 6 requirements.

6.5.7  Cross-site scripting (XSS).
  GCP: Google is responsible for protecting the systems and infrastructure underlying GCP from vulnerabilities in compliance with the requirements in section 6.
  Customer: GCP customers are responsible for protecting customer deployed instances and software on GCP from vulnerabilities in compliance with section 6 requirements.

6.5.8  Improper access control (such as insecure direct object references, failure to restrict URL access, directory traversal, and failure to restrict user access to functions).
  GCP: Google is responsible for protecting the systems and infrastructure underlying GCP from vulnerabilities in compliance with the requirements in section 6.
  Customer: GCP customers are responsible for protecting customer deployed instances and software on GCP from vulnerabilities in compliance with section 6 requirements.

6.5.9  Cross-site request forgery (CSRF).
  GCP: Google is responsible for protecting the systems and infrastructure underlying GCP from vulnerabilities in compliance with the requirements in section 6.
  Customer: GCP customers are responsible for protecting customer deployed instances and software on GCP from vulnerabilities in compliance with section 6 requirements.

6.5.10  Broken authentication and session management. Note: Requirement 6.5.10 is a best practice until June 30, 2015, after which it becomes a requirement.
  GCP: Google is responsible for protecting the systems and infrastructure underlying GCP from vulnerabilities in compliance with the requirements in section 6.
  Customer: GCP customers are responsible for protecting customer deployed instances and software on GCP from vulnerabilities in compliance with section 6 requirements.

6.6  For public facing web applications, address new threats and vulnerabilities on an ongoing basis and ensure these applications are protected against known attacks by either of the following methods:
  ● Reviewing public facing web applications via manual or automated application vulnerability security assessment tools or methods, at least annually and after any changes (Note: This assessment is not the same as the vulnerability scans performed for Requirement 11.2)
  ● Installing an automated technical solution that detects and prevents web based attacks (for example, a web application firewall) in front of public facing web applications, to continually check all traffic
  GCP: Google is responsible for protecting the systems and infrastructure underlying GCP from vulnerabilities in compliance with the requirements in section 6.
  Customer: GCP customers are responsible for protecting customer deployed instances and software on GCP from vulnerabilities in compliance with section 6 requirements.

6.7  Ensure that security policies and operational procedures for developing and maintaining secure systems and applications are documented, in use, and known to all affected parties.
  GCP: Google is responsible for protecting the systems and infrastructure underlying GCP from vulnerabilities in compliance with the requirements in section 6.
  Customer: GCP customers are responsible for protecting customer deployed instances and software on GCP from vulnerabilities in compliance with section 6 requirements.

Product Specific Customer Considerations 


 

Columns: Product, Requirement, PCI-DSS Requirement, Additional Customer Responsibility

Cloud Dataproc (6.3, 6.3.1, 6.3.2)  Develop internal and external software applications (including web based administrative access to applications) securely, as follows:
  ● in accordance with PCI DSS (for example, secure authentication and logging)
  ● based on industry standards and/or best practices
  ● incorporating information security throughout the software-development life cycle
  Additional customer responsibility: Customers are responsible for re-imaging their environments.

Container Engine (6.3, 6.3.1, 6.3.2)  Develop internal and external software applications (including web based administrative access to applications) securely, as follows:
  ● in accordance with PCI DSS (for example, secure authentication and logging)
  ● based on industry standards and/or best practices
  ● incorporating information security throughout the software-development life cycle
  Additional customer responsibility: Customers should use only pre-built images (Container-Optimized Google Compute Engine Images).

Container Builder (6.4, 6.4.1, 6.4.2, 6.4.3, 6.4.4, 6.4.5, 6.4.6)  Follow change control processes and procedures for all changes to system components.
  Additional customer responsibility: GCP customers are responsible for all updated (i.e. non Google pre-built) GCP instances being used.

Requirement 7: Restrict Access to Cardholder Data by Business Need to Know 


 

Columns: Requirement, Description, GCP, Customer

7.1  Limit access to system components and cardholder data to only those individuals whose job requires such access.
  GCP: Google is responsible for implementing access controls in compliance with the requirements of sections 7 and 8 for the systems and infrastructure underlying GCP.
  Customer: GCP customers are responsible for implementing access controls on customer instances and applications in compliance with the requirements of sections 7 and 8.

7.1.1  Define access needs for each role, including:
  ● System components and data resources that each role needs to access for their job function
  ● Level of privilege required (for example, user, administrator, etc.) for accessing resources.
  GCP: Google is responsible for implementing access controls in compliance with the requirements of sections 7 and 8 for the systems and infrastructure underlying GCP.
  Customer: GCP customers are responsible for implementing access controls on customer instances and applications in compliance with the requirements of sections 7 and 8.

7.1.2  Restrict access to privileged user IDs to least privileges necessary to perform job responsibilities.
  GCP: Google is responsible for implementing access controls in compliance with the requirements of sections 7 and 8 for the systems and infrastructure underlying GCP.
  Customer: GCP customers are responsible for implementing access controls on customer instances and applications in compliance with the requirements of sections 7 and 8.

7.1.3  Assign access based on individual personnel’s job classification and function.
  GCP: Google is responsible for implementing access controls in compliance with the requirements of sections 7 and 8 for the systems and infrastructure underlying GCP.
  Customer: GCP customers are responsible for implementing access controls on customer instances and applications in compliance with the requirements of sections 7 and 8.

7.1.4  Require documented approval by authorized parties specifying required privileges.
  GCP: Google is responsible for implementing access controls in compliance with the requirements of sections 7 and 8 for the systems and infrastructure underlying GCP.
  Customer: GCP customers are responsible for implementing access controls on customer instances and applications in compliance with the requirements of sections 7 and 8.

7.2  Establish an access control system for systems components that restricts access based on a user’s need to know, and is set to “deny all” unless specifically allowed. This access control system must include the following:
  GCP: Google is responsible for implementing access controls in compliance with the requirements of sections 7 and 8 for the systems and infrastructure underlying GCP.
  Customer: GCP customers are responsible for implementing access controls on customer instances and applications in compliance with the requirements of sections 7 and 8.

7.2.1  Coverage of all system components.
  GCP: Google is responsible for implementing access controls in compliance with the requirements of sections 7 and 8 for the systems and infrastructure underlying GCP.
  Customer: GCP customers are responsible for implementing access controls on customer instances and applications in compliance with the requirements of sections 7 and 8.

7.2.2  Assignment of privileges to individuals based on job classification and function.
  GCP: Google is responsible for implementing access controls in compliance with the requirements of sections 7 and 8 for the systems and infrastructure underlying GCP.
  Customer: GCP customers are responsible for implementing access controls on customer instances and applications in compliance with the requirements of sections 7 and 8.

7.2.3  Default “deny all” setting.
  GCP: Google is responsible for implementing access controls in compliance with the requirements of sections 7 and 8 for the systems and infrastructure underlying GCP.
  Customer: GCP customers are responsible for implementing access controls on customer instances and applications in compliance with the requirements of sections 7 and 8.

7.3  Ensure that security policies and operational procedures for restricting access to cardholder data are documented, in use, and known to all affected parties.
  GCP: Google is responsible for implementing access controls in compliance with the requirements of sections 7 and 8 for the systems and infrastructure underlying GCP.
  Customer: GCP customers are responsible for implementing access controls on customer instances and applications in compliance with the requirements of sections 7 and 8.

Product Specific Customer Considerations 


 

Columns: Product, Requirement, PCI-DSS Requirement, Additional Customer Responsibility

Cloud SQL (7.1)  Limit access to system components and cardholder data to only those individuals whose job requires such access.
  Additional customer responsibility: Cloud SQL customers are responsible for MySQL user access management.

Cloud SQL (7.3)  Ensure that security policies and operational procedures for restricting access to cardholder data are documented, in use, and known to all affected parties.
  Additional customer responsibility: Cloud SQL customers are responsible for MySQL user access management.

Requirement 8: Identify and Authenticate Access to System Components 


 

Columns: Requirement, Description, GCP, Customer

8.1  Define and implement policies and procedures to ensure proper user identification management for non-consumer users and administrators on all system components as follows:
  GCP: Google is responsible for implementing access controls in compliance with the requirements of sections 7 and 8 for the systems and infrastructure underlying GCP.
  Customer: GCP customers are responsible for implementing access controls on customer instances and applications in compliance with the requirements of sections 7 and 8.

8.1.1  Assign all users a unique ID before allowing them to access system components or cardholder data.
  GCP: Google is responsible for implementing access controls in compliance with the requirements of sections 7 and 8 for the systems and infrastructure underlying GCP.
  Customer: GCP customers are responsible for implementing access controls on customer instances and applications in compliance with the requirements of sections 7 and 8.

8.1.2  Control addition, deletion, and modification of user IDs, credentials, and other identifier objects.
  GCP: Google is responsible for implementing access controls in compliance with the requirements of sections 7 and 8 for the systems and infrastructure underlying GCP.
  Customer: GCP customers are responsible for implementing access controls on customer instances and applications in compliance with the requirements of sections 7 and 8.

8.1.3  Immediately revoke access for any terminated users.
  GCP: Google is responsible for implementing access controls in compliance with the requirements of sections 7 and 8 for the systems and infrastructure underlying GCP.
  Customer: GCP customers are responsible for implementing access controls on customer instances and applications in compliance with the requirements of sections 7 and 8.

8.1.4  Remove/disable inactive user accounts at least every 90 days.
  GCP: Google is responsible for implementing access controls in compliance with the requirements of sections 7 and 8 for the systems and infrastructure underlying GCP.
  Customer: GCP customers are responsible for implementing access controls on customer instances and applications in compliance with the requirements of sections 7 and 8.

8.1.5  Manage IDs used by vendors to access, support, or maintain system components via remote access as follows:
  ● Enabled only during the time period needed and disabled when not in use.
  ● Monitored when in use.
  GCP: Google is responsible for implementing access controls in compliance with the requirements of sections 7 and 8 for the systems and infrastructure underlying GCP.
  Customer: GCP customers are responsible for implementing access controls on customer instances and applications in compliance with the requirements of sections 7 and 8.

8.1.6  Limit repeated access attempts by locking out the user ID after not more than six attempts.
  GCP: Google is responsible for implementing access controls in compliance with the requirements of sections 7 and 8 for the systems and infrastructure underlying GCP. Additionally, Google is responsible for reviewing internal processes and customer/user documentation, and observing implemented processes to verify that non-consumer customer user accounts are temporarily locked-out after not more than six invalid access attempts. 8.1.6.b is a customer responsibility.
  Customer: GCP customers are responsible for implementing access controls on customer instances and applications in compliance with the requirements of sections 7 and 8.

8.1.7  Set the lockout duration to a minimum of 30 minutes or until an administrator enables the user ID.
  GCP: Google is responsible for implementing access controls in compliance with the requirements of sections 7 and 8 for the systems and infrastructure underlying GCP.
  Customer: GCP customers are responsible for implementing access controls on customer instances and applications in compliance with the requirements of sections 7 and 8.

8.1.8  If a session has been idle for more than 15 minutes, require the user to re-authenticate to re-activate the terminal or session.
  GCP: Google is responsible for implementing access controls in compliance with the requirements of sections 7 and 8 for the systems and infrastructure underlying GCP.
  Customer: GCP customers are responsible for implementing access controls on customer instances and applications in compliance with the requirements of sections 7 and 8.

8.2  In addition to assigning a unique ID, ensure proper user authentication management for non-consumer users and administrators on all system components by employing at least one of the following methods to authenticate all users:
  ● Something you know, such as a password or passphrase.
  ● Something you have, such as a token device or smart card.
  ● Something you are, such as a biometric.
  GCP: Google is responsible for implementing access controls in compliance with the requirements of sections 7 and 8 for the systems and infrastructure underlying GCP.
  Customer: GCP customers are responsible for implementing access controls on customer instances and applications in compliance with the requirements of sections 7 and 8.

8.2.1  Using strong cryptography, render all authentication credentials (such as passwords/phrases) unreadable during transmission and storage on all system components.
  GCP: Google is responsible for implementing access controls in compliance with the requirements of sections 7 and 8 for the systems and infrastructure underlying GCP.
  Customer: GCP customers are responsible for implementing access controls on customer instances and applications in compliance with the requirements of sections 7 and 8.

8.2.2  Verify user identity before modifying any authentication credential—for example, performing password resets, provisioning new tokens, or generating new keys.
  GCP: Google is responsible for implementing access controls in compliance with the requirements of sections 7 and 8 for the systems and infrastructure underlying GCP.
  Customer: GCP customers are responsible for implementing access controls on customer instances and applications in compliance with the requirements of sections 7 and 8.

8.2.3  Passwords/phrases must meet the following:
  ● Require a minimum length of at least seven characters.
  ● Contain both numeric and alphabetic characters.
  ● Alternatively, the passwords/phrases must have complexity and strength at least equivalent to the parameters specified above.
  GCP: Google is responsible for implementing access controls in compliance with the requirements of sections 7 and 8 for the systems and infrastructure underlying GCP. 8.2.3.b is customer responsibility.
  Customer: GCP customers are responsible for implementing access controls on customer instances and applications in compliance with the requirements of sections 7 and 8.

8.2.4  Change user passwords/passphrases at least every 90 days.
  GCP: Google is responsible for implementing access controls in compliance with the requirements of sections 7 and 8 for the systems and infrastructure underlying GCP. 8.2.4.b is customer responsibility.
  Customer: GCP customers are responsible for implementing access controls on customer instances and applications in compliance with the requirements of sections 7 and 8.

8.2.5  Do not allow an individual to submit a new password/phrase that is the same as any of the last four passwords/phrases he or she has used.
  GCP: Google is responsible for implementing access controls in compliance with the requirements of sections 7 and 8 for the systems and infrastructure underlying GCP. 8.2.5.b is customer responsibility.
  Customer: GCP customers are responsible for implementing access controls on customer instances and applications in compliance with the requirements of sections 7 and 8.

8.2.6  Set passwords/phrases for first time use and upon reset to a unique value for each user, and change immediately after the first use.
  GCP: Google is responsible for implementing access controls in compliance with the requirements of sections 7 and 8 for the systems and infrastructure underlying GCP.
  Customer: GCP customers are responsible for implementing access controls on customer instances and applications in compliance with the requirements of sections 7 and 8.

8.3  Secure all individual non-console administrative access and all remote access to the CDE using multi-factor authentication.
  GCP: Google is responsible for implementing access controls in compliance with the requirements of sections 7 and 8 for the systems and infrastructure underlying GCP.
  Customer: GCP customers are responsible for implementing access controls on customer instances and applications in compliance with the requirements of sections 7 and 8.

8.3.1  Incorporate multi-factor authentication for all non-console access into the CDE for personnel with administrative access.
  GCP: Google is responsible for implementing access controls in compliance with the requirements of sections 7 and 8 for the systems and infrastructure underlying GCP.
  Customer: GCP customers are responsible for implementing access controls on customer instances and applications in compliance with the requirements of sections 7 and 8.

8.3.2  Incorporate multi-factor authentication for all remote network access (both user and administrator, and including third party access for support or maintenance) originating from outside the entity’s network.
  GCP: Google is responsible for implementing access controls in compliance with the requirements of sections 7 and 8 for the systems and infrastructure underlying GCP.
  Customer: GCP customers are responsible for implementing access controls on customer instances and applications in compliance with the requirements of sections 7 and 8.

8.4  Document and communicate authentication procedures and policies to all users including:
  ● Guidance on selecting strong authentication credentials.
  ● Guidance for how users should protect their authentication credentials.
  ● Instructions not to reuse previously used passwords.
  ● Instructions to change passwords if there is any suspicion the password could be compromised.
  GCP: Google is responsible for implementing access controls in compliance with the requirements of sections 7 and 8 for the systems and infrastructure underlying GCP.
  Customer: GCP customers are responsible for implementing access controls on customer instances and applications in compliance with the requirements of sections 7 and 8.

8.5  Do not use group, shared, or generic IDs, passwords, or other authentication methods as follows:
  ● Generic user IDs are disabled or removed
  ● Shared user IDs do not exist for system administration and other critical functions
  ● Shared and generic user IDs are not used to administer any system components
  GCP: Google is responsible for implementing access controls in compliance with the requirements of sections 7 and 8 for the systems and infrastructure underlying GCP.
  Customer: GCP customers are responsible for implementing access controls on customer instances and applications in compliance with the requirements of sections 7 and 8.

8.5.1  Additional requirement for service providers: Service providers with remote access to customer premises (for example, for support of POS systems or servers) must use a unique authentication credential (such as a password/phrase) for each customer.
  GCP: Google does not have remote access to its customer’s premises.
  Customer: GCP customers are responsible for implementing access controls on customer instances and applications in compliance with the requirements of sections 7 and 8.

8.6  Where other authentication mechanisms are used (for example, physical or logical security tokens, smart cards, certificates, etc.), use of these mechanisms must be assigned as follows:
  ● Authentication mechanisms must be assigned to an individual account and not shared among multiple accounts.
  ● Physical and/or logical controls must be in place to ensure only the intended account can use that mechanism to gain access.
  GCP: Google is responsible for implementing access controls in compliance with the requirements of sections 7 and 8 for the systems and infrastructure underlying GCP.
  Customer: GCP customers are responsible for implementing access controls on customer instances and applications in compliance with the requirements of sections 7 and 8.

8.7  All access to any database containing cardholder data (including access by applications, administrators, and all other users) is restricted as follows:
  ● All user access to, user queries of, and user actions on databases are through programmatic methods.
  ● Only database administrators have the ability to directly access or query databases.
  ● Application IDs for database applications can only be used by the applications (and not by individual users or other non-application processes).
  GCP: Google is responsible for implementing access controls in compliance with the requirements of sections 7 and 8 for the systems and infrastructure underlying GCP. Database administration is customer responsibility.
  Customer: GCP customers are responsible for implementing access controls on customer instances and applications in compliance with the requirements of sections 7 and 8.

8.8  Ensure that security policies and operational procedures for identification and authentication are documented, in use, and known to all affected parties.
  GCP: Google is responsible for implementing access controls in compliance with the requirements of sections 7 and 8 for the systems and infrastructure underlying GCP.
  Customer: GCP customers are responsible for implementing access controls on customer instances and applications in compliance with the requirements of sections 7 and 8.

Product Specific Customer Considerations 


 

Columns: Product, Requirement, PCI-DSS Requirement, Additional Customer Responsibility

Deployment Manager (8.1)  Define and implement policies and procedures to ensure proper user identification management for non-consumer users and administrators on all system components.
  Additional customer responsibility: Customers are responsible for management (including revocation, termination, suspension etc.) of generic / robot accounts.

Cloud SQL (8.1)  Define and implement policies and procedures to ensure proper user identification management for non-consumer users and administrators on all system components.
  Additional customer responsibility: Cloud SQL customers are responsible for MySQL user access management.

Cloud SQL (8.3)  Secure all individual non-console administrative access and all remote access to the CDE using multi-factor authentication.
  Additional customer responsibility: Cloud SQL customers are responsible for MySQL user access management.

Cloud SQL (8.6)  Where other authentication mechanisms are used (for example, physical or logical security tokens, smart cards, certificates, etc.), use of these mechanisms must be assigned as follows:
  ● authentication mechanisms must be assigned to an individual account and not shared among multiple accounts.
  ● physical and/or logical controls must be in place to ensure only the intended account can use that mechanism to gain access.
  Additional customer responsibility: Cloud SQL customers are responsible for MySQL user access management.

Transfer Appliance (8.6)  Where other authentication mechanisms are used (for example, physical or logical security tokens, smart cards, certificates, etc.), use of these mechanisms must be assigned as follows:
  ● authentication mechanisms must be assigned to an individual account and not shared among multiple accounts.
  ● physical and/or logical controls must be in place to ensure only the intended account can use that mechanism to gain access.
  Additional customer responsibility: GCP customers are responsible for safeguarding the passphrase that generates the temporary encryption key in the appliance to encrypt the data and the decryption key to decrypt data in the GCP final bucket.

Cloud SQL (8.7)  All access to any database containing cardholder data (including access by applications, administrators, and all other users) is restricted as follows:
  ● all user access to, user queries of, and user actions on databases are through programmatic methods.
  ● only database administrators have the ability to directly access or query databases.
  ● application IDs for database applications can only be used by the applications (and not by individual users or other non-application processes).
  Additional customer responsibility: Cloud SQL customers are responsible for MySQL user access management.

Requirement 9: Restrict Physical Access to Cardholder Data 


 

Columns: Requirement, Description, GCP, Customer

9.1  Use appropriate facility entry controls to limit and monitor physical access to systems in the cardholder data environment.
  GCP: Google is responsible for physical security controls on all Google Data centers underlying GCP.
  Customer: N/A

9.1.1  Use video cameras and/or access control mechanisms to monitor individual physical access to sensitive areas. Review collected data and correlate with other entries. Store for at least three months, unless otherwise restricted by law. Note: “Sensitive areas” refers to any data center, server room or any area that houses systems that store, process, or transmit cardholder data. This excludes public-facing areas where only point-of-sale terminals are present, such as the cashier areas in a retail store.
  GCP: Google is responsible for physical security controls on all Google Data centers underlying GCP.
  Customer: N/A

9.1.2  Implement physical and/or logical controls to restrict access to publicly accessible network jacks.
  GCP: Google is responsible for physical security controls on all Google Data centers underlying GCP.
  Customer: N/A

9.1.3  Restrict physical access to wireless access points, gateways, handheld devices, networking/communications hardware, and telecommunication lines.
  GCP: Google is responsible for physical security controls on all Google Data centers underlying GCP.
  Customer: N/A

9.2  Develop procedures to easily distinguish between onsite personnel and visitors, to include:
  ● Identifying new onsite personnel or visitors (for example, assigning badges).
  ● Changes to access requirements.
  ● Revoking or terminating onsite personnel and expired visitor identification (such as ID badges).
  GCP: Google is responsible for physical security controls on all Google Data centers underlying GCP.
  Customer: N/A

9.3  Control physical access for onsite personnel to the sensitive areas as follows:
     ● Access must be authorized and based on individual job function.
     ● Access is revoked immediately upon termination, and all physical access mechanisms, such as keys, access cards, etc., are returned or disabled.
     GCP: Google is responsible for physical security controls on all Google Data centers underlying GCP.
     Customer: N/A

9.4  Implement procedures to identify and authorize visitors. Procedures should include the following:
     GCP: Google is responsible for physical security controls on all Google Data centers underlying GCP.
     Customer: N/A

9.4.1  Visitors are authorized before entering, and escorted at all times within, areas where cardholder data is processed or maintained.
     GCP: Google is responsible for physical security controls on all Google Data centers underlying GCP.
     Customer: N/A

9.4.2  Visitors are identified and given a badge or other identification that expires and that visibly distinguishes the visitors from onsite personnel.
     GCP: Google is responsible for physical security controls on all Google Data centers underlying GCP.
     Customer: N/A

9.4.3  Visitors are asked to surrender the badge or identification before leaving the facility or at the date of expiration.
     GCP: Google is responsible for physical security controls on all Google Data centers underlying GCP.
     Customer: N/A

9.4.4  A visitor log is used to maintain a physical audit trail of visitor activity to the facility as well as computer rooms and data centers where cardholder data is stored or transmitted. Document the visitor’s name, the firm represented, and the onsite personnel authorizing physical access on the log. Retain this log for a minimum of three months, unless otherwise restricted by law.
     GCP: Google is responsible for physical security controls on all Google Data centers underlying GCP.
     Customer: N/A

9.5  Physically secure all media.
     GCP: Google is responsible for physical security controls on all Google Data centers underlying GCP, in addition to any backups that are performed and maintained by Google.
     Customer: GCP customers are responsible for the security of any backups that are stored outside of GCP.

9.5.1  Store media backups in a secure location, preferably an off-site facility, such as an alternate or backup site, or a commercial storage facility. Review the location’s security at least annually.
     GCP: Google is responsible for physical security controls on all Google Data centers underlying GCP, in addition to any backups that are performed and maintained by Google.
     Customer: GCP customers are responsible for the security of any backups that are stored outside of GCP.

9.6  Maintain strict control over the internal or external distribution of any kind of media, including the following:
     GCP: Google is responsible for physical security controls on all Google Data centers underlying GCP, in addition to any backups that are performed and maintained by Google.
     Customer: GCP customers are responsible for the security of any backups that are stored outside of GCP.

9.6.1  Classify media so the sensitivity of the data can be determined.
     GCP: Google is responsible for physical security controls on all Google Data centers underlying GCP, in addition to any backups that are performed and maintained by Google.
     Customer: GCP customers are responsible for the security of any backups that are stored outside of GCP.

9.6.2  Send the media by secured courier or other delivery method that can be accurately tracked.
     GCP: Google is responsible for physical security controls on all Google Data centers underlying GCP, in addition to any backups that are performed and maintained by Google.
     Customer: GCP customers are responsible for the security of any backups that are stored outside of GCP.

9.6.3  Ensure management approves any and all media that is moved from a secured area (including when media is distributed to individuals).
     GCP: Google is responsible for physical security controls on all Google Data centers underlying GCP, in addition to any backups that are performed and maintained by Google.
     Customer: GCP customers are responsible for the security of any backups that are stored outside of GCP.

9.7  Maintain strict control over the storage and accessibility of media.
     GCP: Google is responsible for physical security controls on all Google Data centers underlying GCP, in addition to any backups that are performed and maintained by Google.
     Customer: GCP customers are responsible for the security of any backups that are stored outside of GCP.

9.7.1  Properly maintain inventory logs of all media and conduct media inventories at least annually.
     GCP: Google is responsible for physical security controls on all Google Data centers underlying GCP, in addition to any backups that are performed and maintained by Google.
     Customer: GCP customers are responsible for the security of any backups that are stored outside of GCP.

9.8  Destroy media when it is no longer needed for business or legal reasons as follows:
     GCP: Google is responsible for physical security controls on all Google Data centers underlying GCP, in addition to any backups that are performed and maintained by Google.
     Customer: GCP customers are responsible for the security of any backups that are stored outside of GCP.

9.8.1  Shred, incinerate, or pulp hard-copy materials so that cardholder data cannot be reconstructed. Secure storage containers used for materials that are to be destroyed.
     GCP: Google is responsible for physical security controls on all Google Data centers underlying GCP, in addition to any backups that are performed and maintained by Google.
     Customer: GCP customers are responsible for the security of any backups that are stored outside of GCP.

9.8.2  Render cardholder data on electronic media unrecoverable so that cardholder data cannot be reconstructed.
     GCP: Google is responsible for physical security controls on all Google Data centers underlying GCP, in addition to any backups that are performed and maintained by Google.
     Customer: GCP customers are responsible for the security of any backups that are stored outside of GCP.

9.9  Protect devices that capture payment card data via direct physical interaction with the card from tampering and substitution.
     GCP: Google is responsible for physical security controls on all Google Data centers underlying GCP.
     Customer: Google Cloud Platform has no POS devices. Any POS devices that the customer integrates with GCP are customer responsibility.

9.9.1  Maintain an up-to-date list of devices. The list should include the following:
     ● Make, model of device.
     ● Location of device (for example, the address of the site or facility where the device is located).
     ● Device serial number or other method of unique identification.
     GCP: Google is responsible for physical security controls on all Google Data centers underlying GCP.
     Customer: Google Cloud Platform has no POS devices. Any POS devices that the customer integrates with GCP are customer responsibility.

9.9.2  Periodically inspect device surfaces to detect tampering (for example, addition of card skimmers to devices), or substitution (for example, by checking the serial number or other device characteristics to verify it has not been swapped with a fraudulent device).
     GCP: Google is responsible for physical security controls on all Google Data centers underlying GCP.
     Customer: Google Cloud Platform has no POS devices. Any POS devices that the customer integrates with GCP are customer responsibility.

9.9.3  Provide training for personnel to be aware of attempted tampering or replacement of devices.
     GCP: Google does not provide POS POI terminals as part of its GCP infrastructure.
     Customer: Google Cloud Platform has no POS devices. Any POS devices that the customer integrates with GCP are customer responsibility.

9.10  Ensure that security policies and operational procedures for restricting physical access to cardholder data are documented, in use, and known to all affected parties.
     GCP: Google is responsible for physical security controls on all Google Data centers underlying GCP.
     Customer: GCP customers are responsible for developing and maintaining security policies and operational procedures to comply with this requirement.

Product Specific Customer Considerations 


 

Product   Requirement  PCI-DSS Requirement   Additional Customer Responsibility  

Cloud Interconnect, 9.1.2: Implement physical and/or logical controls to restrict access to publicly accessible network jacks.
     Additional Customer Responsibility: GCP Customers are responsible for physical and logical controls for their own, non-GCP, network and/or colocation facilities.

Cloud Interconnect, 9.1.3: Restrict physical access to wireless access points, gateways, handheld devices, networking/communications hardware, and telecommunication lines.
     Additional Customer Responsibility: GCP Customers are responsible for physical security controls on all network devices in on-premises and/or colocation facilities.

Transfer Appliance, 9.9.3: Provide training for personnel to be aware of attempted tampering or replacement of devices.
     Additional Customer Responsibility: GCP Customers are responsible for ensuring the tamper-evident seal is intact on the device when they receive the appliance and when they ship it back to Google. GCP Customers should reach out to Google at data-support@google.com if there is anything wrong with the shipment.

Transfer Appliance, 9.5: Physically secure all media.
     Additional Customer Responsibility: GCP Customers are responsible for meeting the physical security requirements of Section 9 while the devices are in their care.

Requirement 10: Track and Monitor all Access to Network Resources and Cardholder Data 
 

Requirement  Description  GCP   Customer  

10.1  Implement audit trails to link all access to system components to each individual user.
     GCP: Google has PCI DSS compliance responsibility for dedicated internal Google Production and management network systems.
     Customer: For computer resources that are provided by Google to customers as part of a customer's GCP project, the PCI compliance of those resources is the customer’s responsibility.

10.2  Implement automated audit trails for all system components to reconstruct the following events:

10.2.1  All individual user accesses to cardholder data.
     GCP: Google is responsible for controlling access, logging and monitoring of the systems and infrastructure underlying GCP in compliance with the requirements of section 10.
     Customer: GCP customers are responsible for controlling access, logging and monitoring on all customer deployed instances on GCP in compliance with the requirements of section 10.

10.2.2  All actions taken by any individual with root or administrative privileges.
     GCP: Google is responsible for controlling access, logging and monitoring of the systems and infrastructure underlying GCP in compliance with the requirements of section 10.
     Customer: GCP customers are responsible for controlling access, logging and monitoring on all customer deployed instances on GCP in compliance with the requirements of section 10.

10.2.3  Access to all audit trails.
     GCP: Google is responsible for controlling access, logging and monitoring of the systems and infrastructure underlying GCP in compliance with the requirements of section 10.
     Customer: GCP customers are responsible for controlling access, logging and monitoring on all customer deployed instances on GCP in compliance with the requirements of section 10.

10.2.4  Invalid logical access attempts.
     GCP: Google is responsible for controlling access, logging and monitoring of the systems and infrastructure underlying GCP in compliance with the requirements of section 10.
     Customer: GCP customers are responsible for controlling access, logging and monitoring on all customer deployed instances on GCP in compliance with the requirements of section 10.

10.2.5  Use of and changes to identification and authentication mechanisms—including but not limited to creation of new accounts and elevation of privileges—and all changes, additions, or deletions to accounts with root or administrative privileges.
     GCP: Google is responsible for controlling access, logging and monitoring of the systems and infrastructure underlying GCP in compliance with the requirements of section 10.
     Customer: GCP customers are responsible for controlling access, logging and monitoring on all customer deployed instances on GCP in compliance with the requirements of section 10.

10.2.6  Initialization, stopping, or pausing of the audit logs.
     GCP: Google is responsible for controlling access, logging and monitoring of the systems and infrastructure underlying GCP in compliance with the requirements of section 10.
     Customer: GCP customers are responsible for controlling access, logging and monitoring on all customer deployed instances on GCP in compliance with the requirements of section 10.

10.2.7  Creation and deletion of system-level objects.
     GCP: Google is responsible for controlling access, logging and monitoring of the systems and infrastructure underlying GCP in compliance with the requirements of section 10.
     Customer: GCP customers are responsible for controlling access, logging and monitoring on all customer deployed instances on GCP in compliance with the requirements of section 10.

10.3  Record at least the following audit trail entries for all system components for each event:

10.3.1  User identification.
     GCP: Google is responsible for controlling access, logging and monitoring of the systems and infrastructure underlying GCP in compliance with the requirements of section 10.
     Customer: GCP customers are responsible for controlling access, logging and monitoring on all customer deployed instances on GCP in compliance with the requirements of section 10.

10.3.2  Type of event.
     GCP: Google is responsible for controlling access, logging and monitoring of the systems and infrastructure underlying GCP in compliance with the requirements of section 10.
     Customer: GCP customers are responsible for controlling access, logging and monitoring on all customer deployed instances on GCP in compliance with the requirements of section 10.

10.3.3  Date and time.
     GCP: Google is responsible for controlling access, logging and monitoring of the systems and infrastructure underlying GCP in compliance with the requirements of section 10.
     Customer: GCP customers are responsible for controlling access, logging and monitoring on all customer deployed instances on GCP in compliance with the requirements of section 10.

10.3.4  Success or failure indication.
     GCP: Google is responsible for controlling access, logging and monitoring of the systems and infrastructure underlying GCP in compliance with the requirements of section 10.
     Customer: GCP customers are responsible for controlling access, logging and monitoring on all customer deployed instances on GCP in compliance with the requirements of section 10.

10.3.5  Origination of event.
     GCP: Google is responsible for controlling access, logging and monitoring of the systems and infrastructure underlying GCP in compliance with the requirements of section 10.
     Customer: GCP customers are responsible for controlling access, logging and monitoring on all customer deployed instances on GCP in compliance with the requirements of section 10.

10.3.6  Identity or name of affected data, system component, or resource.
     GCP: Google is responsible for controlling access, logging and monitoring of the systems and infrastructure underlying GCP in compliance with the requirements of section 10.
     Customer: GCP customers are responsible for controlling access, logging and monitoring on all customer deployed instances on GCP in compliance with the requirements of section 10.

10.4  Using time-synchronization technology, synchronize all critical system clocks and times and ensure that the following is implemented for acquiring, distributing, and storing time.
     GCP: Google is responsible for controlling access, logging and monitoring of the systems and infrastructure underlying GCP in compliance with the requirements of section 10.
     Customer: GCP customers are responsible for controlling access, logging and monitoring on all customer deployed instances on GCP in compliance with the requirements of section 10.

10.4.1  Critical systems have the correct and consistent time.
     GCP: Google is responsible for controlling access, logging and monitoring of the systems and infrastructure underlying GCP in compliance with the requirements of section 10.
     Customer: GCP customers are responsible for controlling access, logging and monitoring on all customer deployed instances on GCP in compliance with the requirements of section 10.

10.4.2  Time data is protected.
     GCP: Google is responsible for controlling access, logging and monitoring of the systems and infrastructure underlying GCP in compliance with the requirements of section 10.
     Customer: GCP customers are responsible for controlling access, logging and monitoring on all customer deployed instances on GCP in compliance with the requirements of section 10.

10.4.3  Time settings are received from industry accepted time sources.
     GCP: Google is responsible for controlling access, logging and monitoring of the systems and infrastructure underlying GCP in compliance with the requirements of section 10.
     Customer: GCP customers are responsible for controlling access, logging and monitoring on all customer deployed instances on GCP in compliance with the requirements of section 10.

10.5  Secure audit trails so they cannot be altered.
     GCP: Google is responsible for controlling access, logging and monitoring of the systems and infrastructure underlying GCP in compliance with the requirements of section 10.
     Customer: GCP customers are responsible for controlling access, logging and monitoring on all customer deployed instances on GCP in compliance with the requirements of section 10.

10.5.1  Limit viewing of audit trails to those with a job-related need.
     GCP: Google is responsible for controlling access, logging and monitoring of the systems and infrastructure underlying GCP in compliance with the requirements of section 10.
     Customer: GCP customers are responsible for controlling access, logging and monitoring on all customer deployed instances on GCP in compliance with the requirements of section 10.

10.5.2  Protect audit trail files from unauthorized modifications.
     GCP: Google is responsible for controlling access, logging and monitoring of the systems and infrastructure underlying GCP in compliance with the requirements of section 10.
     Customer: GCP customers are responsible for controlling access, logging and monitoring on all customer deployed instances on GCP in compliance with the requirements of section 10.

10.5.3  Promptly back up audit trail files to a centralized log server or media that is difficult to alter.
     GCP: Google is responsible for controlling access, logging and monitoring of the systems and infrastructure underlying GCP in compliance with the requirements of section 10.
     Customer: GCP customers are responsible for controlling access, logging and monitoring on all customer deployed instances on GCP in compliance with the requirements of section 10.

10.5.4  Write logs for external-facing technologies onto a secure, centralized, internal log server or media device.
     GCP: Google is responsible for controlling access, logging and monitoring of the systems and infrastructure underlying GCP in compliance with the requirements of section 10.
     Customer: GCP customers are responsible for controlling access, logging and monitoring on all customer deployed instances on GCP in compliance with the requirements of section 10.

10.5.5  Use file integrity monitoring or change-detection software on logs to ensure that existing log data cannot be changed without generating alerts (although new data being added should not cause an alert).
     GCP: Google is responsible for controlling access, logging and monitoring of the systems and infrastructure underlying GCP in compliance with the requirements of section 10.
     Customer: GCP customers are responsible for controlling access, logging and monitoring on all customer deployed instances on GCP in compliance with the requirements of section 10.
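One way a customer-side log pipeline can satisfy 10.3 (the six entry fields) and 10.5.5 (alert on changes to existing log data, but not on appends) at the same time is a hash-chained, append-only audit trail checked against a checkpoint the writer cannot touch. The block below is an added example and is not code from the Shared Responsibility Matrix or from Google; the field names, the checkpoint format and the sample events are assumptions made for the example.

```python
"""Hash-chained, append-only audit trail (added example; not code from the
Shared Responsibility Matrix or from Google).

Each entry carries the six fields PCI DSS 10.3 asks for, and verify_log()
behaves the way 10.5.5 describes: editing or removing existing entries raises
an alert, appending new ones does not. Field names, the checkpoint format and
the sample events are this example's own assumptions."""
import hashlib
import json

# Requirement 10.3.1-10.3.6, in order: user id, event type, date and time,
# success/failure, origination, affected resource. Key names are ours.
REQUIRED_FIELDS = ("user_id", "event_type", "timestamp", "success", "origin", "resource")
GENESIS = "0" * 64  # prev_hash of the first entry in an empty log


def _canonical(obj) -> bytes:
    # Stable serialization so identical content always hashes identically.
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def _entry_hash(record: dict) -> str:
    # Hash covers every field except the stored hash itself, including prev_hash,
    # which is what links each entry to its predecessor.
    body = {k: v for k, v in record.items() if k != "hash"}
    return hashlib.sha256(_canonical(body)).hexdigest()


def append_entry(log: list, **fields) -> dict:
    """Append one entry to `log`, chained to the hash of the previous entry."""
    missing = [f for f in REQUIRED_FIELDS if f not in fields]
    if missing:
        raise ValueError(f"audit entry missing required fields: {missing}")
    record = {f: fields[f] for f in REQUIRED_FIELDS}
    record["prev_hash"] = log[-1]["hash"] if log else GENESIS
    record["hash"] = _entry_hash(record)
    log.append(record)
    return record


def checkpoint(log: list) -> dict:
    """What the monitor stores after a verified run: entry count and tail hash.
    Keep it where the log writer cannot modify it (e.g. the central log server of 10.5.3)."""
    return {"count": len(log), "tail_hash": log[-1]["hash"] if log else GENESIS}


def verify_log(log: list, last: dict) -> list:
    """Return alerts. An empty list means every entry covered by `last` is intact
    and anything beyond it is a plain append."""
    alerts = []
    prev = GENESIS
    for i, record in enumerate(log):
        if record.get("prev_hash") != prev:
            alerts.append(f"entry {i}: chain broken (prev_hash mismatch)")
        if record.get("hash") != _entry_hash(record):
            alerts.append(f"entry {i}: contents do not match stored hash")
        prev = record.get("hash", "")
    if len(log) < last["count"]:
        alerts.append(f"{last['count'] - len(log)} entries removed since last checkpoint")
    elif last["count"] > 0 and log[last["count"] - 1]["hash"] != last["tail_hash"]:
        # The chain may be internally consistent yet differ from what was seen
        # last time: someone rewrote history and re-chained it.
        alerts.append("entries before the last checkpoint were modified or reordered")
    return alerts


def demo() -> tuple:
    """Constructed scenario: append (no alert), edit in place (alert), re-chain (alert)."""
    log = []
    ts = "2019-12-01T10:00:00+00:00"  # constructed, fixed so the run is deterministic
    append_entry(log, user_id="dba01", event_type="db.query", timestamp=ts, success=True,
                 origin="10.0.0.5", resource="cardholder_db.transactions")
    append_entry(log, user_id="app-svc", event_type="auth.login", timestamp=ts, success=False,
                 origin="10.0.0.9", resource="payment-api")
    cp = checkpoint(log)  # monitor's view after its daily review (10.6.1)
    append_entry(log, user_id="admin02", event_type="iam.role_grant", timestamp=ts, success=True,
                 origin="10.0.0.2", resource="project/pci-prod")
    after_append = verify_log(log, cp)  # legitimate append: no alerts

    log[0]["success"] = False  # naive edit of an old entry
    after_edit = verify_log(log, cp)

    for i, rec in enumerate(log):  # re-chain to hide the edit
        rec["prev_hash"] = log[i - 1]["hash"] if i else GENESIS
        rec["hash"] = _entry_hash(rec)
    after_rechain = verify_log(log, cp)
    return after_append, after_edit, after_rechain


if __name__ == "__main__":
    for name, alerts in zip(("append", "edit", "rechain"), demo()):
        print(name, alerts)
```

The checkpoint is the piece that matters: the chain alone only catches careless edits, while a checkpoint held outside the writer's reach (the centralized log server of 10.5.3, or an object store with retention locking) also catches an attacker who rewrites and re-chains the whole file. The hash alone is not a secret, so it should be treated as an integrity record, not as authentication of the writer.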

       

10.6  Review logs and security events for all system components to identify anomalies or suspicious activity.
     Note: Log harvesting, parsing, and alerting tools may be used to meet this Requirement.
     GCP: Google is responsible for controlling access, logging and monitoring of the systems and infrastructure underlying GCP in compliance with the requirements of section 10.
     Customer: GCP customers are responsible for controlling access, logging and monitoring on all customer deployed instances on GCP in compliance with the requirements of section 10.

10.6.1  Review the following at least daily:
     ● All security events.
     ● Logs of all system components that store, process, or transmit CHD and/or SAD, or that could impact the security of CHD and/or SAD.
     ● Logs of all critical system components.
     ● Logs of all servers and system components that perform security functions (for example, firewalls, intrusion-detection systems/intrusion-prevention systems (IDS/IPS), authentication servers, e-commerce redirection servers, etc.).
     GCP: Google is responsible for controlling access, logging and monitoring of the systems and infrastructure underlying GCP in compliance with the requirements of section 10.
     Customer: GCP customers are responsible for controlling access, logging and monitoring on all customer deployed instances on GCP in compliance with the requirements of section 10.

10.6.2  Review logs of all other system components periodically based on the organization’s policies and risk management strategy, as determined by the organization’s annual risk assessment.
     GCP: Google is responsible for controlling access, logging and monitoring of the systems and infrastructure underlying GCP in compliance with the requirements of section 10.
     Customer: GCP customers are responsible for controlling access, logging and monitoring on all customer deployed instances on GCP in compliance with the requirements of section 10.

10.6.3  Follow up exceptions and anomalies identified during the review process.
     GCP: Google is responsible for controlling access, logging and monitoring of the systems and infrastructure underlying GCP in compliance with the requirements of section 10.
     Customer: GCP customers are responsible for controlling access, logging and monitoring on all customer deployed instances on GCP in compliance with the requirements of section 10.

10.7  Retain audit trail history for at least one year, with a minimum of three months immediately available for analysis (for example, online, archived, or restorable from backup).
     GCP: Google is responsible for controlling access, logging and monitoring of the systems and infrastructure underlying GCP in compliance with the requirements of section 10.
     Customer: GCP customers are responsible for controlling access, logging and monitoring on all customer deployed instances on GCP in compliance with the requirements of section 10.

10.8  Implement a process for the timely detection and reporting of failures of critical security control systems, including but not limited to failure of:
     ● Firewalls
     ● IDS/IPS
     ● FIM
     ● Anti-virus
     ● Physical access controls
     ● Logical access controls
     ● Audit logging mechanisms
     ● Segmentation controls (if used)
     GCP: Google is responsible for controlling access, logging and monitoring of the systems and infrastructure underlying GCP in compliance with the requirements of section 10.
     Customer: GCP customers are responsible for controlling access, logging and monitoring on all customer deployed instances on GCP in compliance with the requirements of section 10.

10.8.1  Respond to failures of any critical security controls in a timely manner. Processes for responding to failures in security controls must include:
     ● Restoring security functions.
     ● Identifying and documenting the duration (date and time start to end) of the security failure.
     ● Identifying and documenting cause(s) of failure, including root cause, and documenting remediation required to address root cause.
     ● Identifying and addressing any security issues that arose during the failure.
     ● Performing a risk assessment to determine whether further actions are required as a result of the security failure.
     ● Implementing controls to prevent cause of failure from reoccurring.
     ● Resuming monitoring of security controls.
     GCP: Google is responsible for controlling access, logging and monitoring of the systems and infrastructure underlying GCP in compliance with the requirements of section 10.
     Customer: GCP customers are responsible for controlling access, logging and monitoring on all customer deployed instances on GCP in compliance with the requirements of section 10.

10.9  Ensure that security policies and operational procedures for monitoring all access to network resources and cardholder data are documented, in use, and known to all affected parties.
     GCP: Google is responsible for controlling access, logging and monitoring of the systems and infrastructure underlying GCP in compliance with the requirements of section 10.
     Customer: GCP customers are responsible for controlling access, logging and monitoring on all customer deployed instances on GCP in compliance with the requirements of section 10.

Product Specific Customer Considerations 


 

Product   Requirement  PCI-DSS Requirement   Additional Customer Responsibility  

Cloud SQL, 10.2: Implement automated audit trails for all system components to reconstruct the following events:
     ● 10.2.1: All individual user accesses to cardholder data.
     ● 10.2.3: Access to all audit trails.
     ● 10.2.4: Invalid logical access attempts.
     Additional Customer Responsibility: Cloud SQL customers are responsible for MySQL user access management.

Stackdriver Logging, 10.3: Record at least the following audit trail entries for all system components for each event:
     ● 10.3.3: Date and time.
     Additional Customer Responsibility: Customers are required to manage date/time stamp and network time synchronization for the Stackdriver Logging instances used.

Stackdriver Logging, 10.7: Retain audit trail history for at least one year, with a minimum of three months immediately available for analysis (for example, online, archived, or restorable from backup).
     Additional Customer Responsibility: Customers are required to ensure an audit log retention period of 365 days or more (with a minimum of three months immediately available online) in accordance with their policies.

Requirement 11: Regularly Test Security Systems and Processes 


 

Requirement  Description  GCP   Customer  

11.1  Implement processes to test for the presence of wireless  Google is responsible for checking for the  GCP customers are responsible for 
access points (802.11), and detect and identify all authorized  presence of unauthorized wireless access  checking for the presence of unauthorized 
and unauthorized wireless access points on a quarterly  points and similar technologies within its  wireless access points and similar 
basis.   own physical environment and in scope  technologies within the customer’s own 
networks.   physical environment and in scope 
networks. 

       

11.1.1  Maintain an inventory of authorized wireless access points  Google is responsible for checking for the  GCP customers are responsible for 
including a documented business justification.  presence of unauthorized wireless access  checking for the presence of unauthorized 
points and similar technologies within its  wireless access points and similar 
own physical environment and in scope  technologies within the customer’s own 
networks.  physical environment and in scope 
networks 

       

11.1.2  Implement incident response procedures in the event  Google is responsible for its own incident  GCP customers are responsible for their 
unauthorized wireless access points are detected.  response procedures for its environment.  own incident response procedures. 

       

11.2  Run internal and external network vulnerability scans at least  Google has PCI DSS compliance  For computer resources that are provided 
quarterly and after any significant change in the network  responsibility for dedicated internal Google  by Google to customers as part of a 
(such as new system component installations, changes in  Production and management network  customer's GCP project, the PCI 
network topology, firewall rule modifications, product  systems.  compliance of those resources is the 
upgrades).    customer’s responsibility.  
Google is also responsible for scanning of   
Google managed API endpoints and Cloud  External IP addresses assigned to 
Load Balancer IP addresses.  customer virtual machines are the 

 
Google Cloud Platform 一 Shared Responsibility Matrix 一 December 2019  68/87 
   

customer’s responsibility for vulnerability 


scanning, irrespective of whether those 
systems serve content through a Google 
managed IP address through Cloud Load 
Balancer.  

       

11.2.1  Perform quarterly internal vulnerability scans and rescans as  Google is responsible for vulnerability  GCP customers are responsible for 
needed, until all “high-risk” vulnerabilities (as identified in  scans, penetration tests and testing for  performing vulnerability scans and 
Requirement 6.1) are resolved.  unauthorized wireless access points on the  penetration tests on customer deployed 
Scans must be performed by qualified personnel.  systems and infrastructure underlying GCP  instances on GCP in compliance with the 
in compliance with the requirements of  requirements of section 11. 
section 11. 

       

11.2.2  Perform quarterly external vulnerability scans, via an Approved Scanning Vendor (ASV) approved by the Payment Card Industry Security Standards Council (PCI SSC). Perform rescans as needed, until passing scans are achieved.
      GCP: Google is responsible for vulnerability scans, penetration tests and testing for unauthorized wireless access points on the systems and infrastructure underlying GCP in compliance with the requirements of section 11. Google is also responsible for scanning Google managed API endpoints and Cloud Load Balancer IP addresses.
      Customer: GCP customers are responsible for performing vulnerability scans and penetration tests on customer deployed instances on GCP in compliance with the requirements of section 11. External IP addresses assigned to customer virtual machines are the customer's responsibility for vulnerability scanning, irrespective of whether those systems also serve content through a Google managed IP address via Cloud Load Balancer.

11.2.3  Perform internal and external scans, and rescans as needed, after any significant change. Scans must be performed by qualified personnel.
      GCP: Google is responsible for vulnerability scans, penetration tests and testing for unauthorized wireless access points on the systems and infrastructure underlying GCP in compliance with the requirements of section 11.
      Customer: GCP customers are responsible for performing vulnerability scans and penetration tests on customer deployed instances on GCP in compliance with the requirements of section 11.

11.3  Implement a methodology for penetration testing that includes the following:
      ● Is based on industry-accepted penetration testing approaches (for example, NIST SP800-115).
      ● Includes coverage for the entire CDE perimeter and critical systems.
      ● Includes testing from both inside and outside the network.
      ● Includes testing to validate any segmentation and scope-reduction controls.
      ● Defines application-layer penetration tests to include, at a minimum, the vulnerabilities listed in Requirement 6.5.
      ● Defines network-layer penetration tests to include components that support network functions as well as operating systems.
      ● Includes review and consideration of threats and vulnerabilities experienced in the last 12 months.
      ● Specifies retention of penetration testing results and remediation activities results.
      GCP: Google has PCI DSS compliance responsibility for dedicated internal Google Production and management network systems.
      Customer: For computer resources that are provided by Google to customers as part of a customer's GCP project, the PCI compliance of those resources is the customer's responsibility.

11.3.1  Perform external penetration testing at least annually and after any significant infrastructure or application upgrade or modification (such as an operating system upgrade, a sub-network added to the environment, or a web server added to the environment).
      GCP: Google is responsible for vulnerability scans, penetration tests and testing for unauthorized wireless access points on the systems and infrastructure underlying GCP in compliance with the requirements of section 11.
      Customer: GCP customers are responsible for performing vulnerability scans and penetration tests on customer deployed instances on GCP in compliance with the requirements of section 11.

 
11.3.2  Perform internal penetration testing at least annually and after any significant infrastructure or application upgrade or modification (such as an operating system upgrade, a sub-network added to the environment, or a web server added to the environment).
      GCP: Google is responsible for vulnerability scans, penetration tests and testing for unauthorized wireless access points on the systems and infrastructure underlying GCP in compliance with the requirements of section 11.
      Customer: GCP customers are responsible for performing vulnerability scans and penetration tests on customer deployed instances on GCP in compliance with the requirements of section 11.

11.3.3  Exploitable vulnerabilities found during penetration testing are corrected and testing is repeated to verify the corrections.
      GCP: Google is responsible for vulnerability scans, penetration tests and testing for unauthorized wireless access points on the systems and infrastructure underlying GCP in compliance with the requirements of section 11.
      Customer: GCP customers are responsible for performing vulnerability scans and penetration tests on customer deployed instances on GCP in compliance with the requirements of section 11.

11.3.4  If segmentation is used to isolate the CDE from other networks, perform penetration tests at least annually and after any changes to segmentation controls/methods to verify that the segmentation methods are operational and effective, and isolate all out-of-scope systems from in-scope systems.
      GCP: Google is responsible for vulnerability scans, penetration tests and testing for unauthorized wireless access points on the systems and infrastructure underlying GCP in compliance with the requirements of section 11.
      Customer: GCP customers are responsible for performing vulnerability scans and penetration tests on customer deployed instances on GCP in compliance with the requirements of section 11.

11.4  Use intrusion-detection and/or intrusion-prevention techniques to detect and/or prevent intrusions into the network. Monitor all traffic at the perimeter of the cardholder data environment as well as at critical points in the cardholder data environment, and alert personnel to suspected compromises. Keep all intrusion-detection and prevention engines, baselines, and signatures up to date.
      GCP: Google is responsible for intrusion detection of Google Cloud systems and infrastructure underlying GCP in compliance with the requirements of section 11.
      Customer: GCP customers are responsible for intrusion-detection and/or intrusion-prevention techniques to detect and/or prevent intrusions into their environment.

 
11.5  Deploy a change-detection mechanism (for example, file-integrity monitoring tools) to alert personnel to unauthorized modification of critical system files, configuration files, or content files; and configure the software to perform critical file comparisons at least weekly.
      Note: For change-detection purposes, critical files are usually those that do not regularly change, but the modification of which could indicate a system compromise or risk of compromise. Change-detection mechanisms such as file-integrity monitoring products usually come pre-configured with critical files for the related operating system. Other critical files, such as those for custom applications, must be evaluated and defined by the entity (that is, the merchant or service provider).
      GCP: Google is responsible for change-detection mechanisms on the systems and infrastructure underlying GCP in compliance with the requirements of section 11.
      Customer: GCP customers are responsible for change-detection mechanisms for their environment.

11.5.1  Implement a process to respond to any alerts generated by the change-detection solution.
      GCP: Google is responsible for change-detection mechanisms on the systems and infrastructure underlying GCP in compliance with the requirements of section 11.
      Customer: GCP customers are responsible for change-detection mechanisms for their environment.
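The change-detection mechanism that 11.5 and 11.5.1 place on the customer is, at its core, a baseline of digests over files that should not change, a periodic rehash, and a diff that drives the alert process. The following is an added example written for this page, not part of the matrix and not a Google product: a minimal hash-based file-integrity check. The directory layout, file names and "tampering" in demo() are constructed for the demonstration.

```python
"""Hash-based change detection over a directory tree (added example)."""
import hashlib
import tempfile
from pathlib import Path
from typing import Dict, List


def hash_file(path: Path, chunk_size: int = 65536) -> str:
    """Return the SHA-256 hex digest of a file, read in chunks so large files stream."""
    digest = hashlib.sha256()
    with path.open("rb") as handle:
        for chunk in iter(lambda: handle.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def take_baseline(root: Path) -> Dict[str, str]:
    """Map every regular file under root (relative POSIX path) to its digest.

    Symlinks are skipped so an attacker cannot make the baseline point outside
    the monitored tree.
    """
    baseline: Dict[str, str] = {}
    for path in sorted(root.rglob("*")):
        if path.is_file() and not path.is_symlink():
            baseline[path.relative_to(root).as_posix()] = hash_file(path)
    return baseline


def compare(old: Dict[str, str], new: Dict[str, str]) -> Dict[str, List[str]]:
    """Classify paths as added, removed or modified between two baselines."""
    return {
        "added": sorted(set(new) - set(old)),
        "removed": sorted(set(old) - set(new)),
        "modified": sorted(p for p in set(old) & set(new) if old[p] != new[p]),
    }


def demo() -> Dict[str, List[str]]:
    """Build a throwaway tree, baseline it, tamper with it, and report the diff.

    Everything written here is constructed sample data for the example.
    """
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "etc").mkdir()
        (root / "etc" / "sshd_config").write_text("PermitRootLogin no\n")
        (root / "etc" / "hosts").write_text("127.0.0.1 localhost\n")
        (root / "app.py").write_text("print('hello')\n")
        before = take_baseline(root)

        # Simulated unauthorized changes: a config edited, a file dropped in, one deleted.
        (root / "etc" / "sshd_config").write_text("PermitRootLogin yes\n")
        (root / "etc" / "cron.sh").write_text("echo constructed sample payload\n")
        (root / "app.py").unlink()
        after = take_baseline(root)

        return compare(before, after)


if __name__ == "__main__":
    for kind, paths in demo().items():
        for relative_path in paths:
            print(f"{kind:9s} {relative_path}")
```

Two practical points the code does not enforce on its own: the stored baseline must live where the monitored host cannot rewrite it (an attacker with root simply re-baselines otherwise), and the comparison has to be scheduled at the weekly cadence 11.5 names and feed the response process 11.5.1 asks for.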

11.6  Ensure that security policies and operational procedures for security monitoring and testing are documented, in use, and known to all affected parties.
      GCP: Google is responsible for security policies and operational procedures for GCP in compliance with the requirements of section 11.
      Customer: GCP customers are responsible for security policies and operational procedures for their environment in compliance with the requirements of section 11.

 
Product Specific Customer Considerations

Product  Requirement  PCI-DSS Requirement  Additional Customer Responsibility

Cloud Security Scanner  11.2.2  Perform quarterly external vulnerability scans, via an Approved Scanning Vendor (ASV) approved by the Payment Card Industry Security Standards Council (PCI SSC). Perform rescans as needed, until passing scans are achieved.
      Customer: Customers should only use test environment credentials to run scans.

 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 

   
 
Requirement 12: Maintain Policy that Addresses Information Security for all Personnel 
 

Requirement  Description  GCP   Customer  

12.1  Establish, publish, maintain, and disseminate a security policy.
      GCP: Google is responsible for establishing, maintaining and disseminating security policies, usage policies and performing risk assessments for all systems and infrastructure underlying GCP in compliance with the requirements in section 12.
      Customer: GCP customers are responsible for establishing, maintaining and disseminating security policies, usage policies and performing risk assessments for all systems and instances deployed by customers on GCP.

12.1.1  Review the security policy at least annually and update the policy when the environment changes.
      GCP: Google is responsible for establishing, maintaining and disseminating security policies, usage policies and performing risk assessments for all systems and infrastructure underlying GCP in compliance with the requirements in section 12.
      Customer: GCP customers are responsible for establishing, maintaining and disseminating security policies, usage policies and performing risk assessments for all systems and instances deployed by customers on GCP.

12.2  Implement a risk-assessment process that:
      ● Is performed at least annually and upon significant changes to the environment (for example, acquisition, merger, relocation, etc.)
      ● Identifies critical assets, threats, and vulnerabilities, and
      ● Results in a formal risk assessment.
      GCP: Google is responsible for establishing, maintaining and disseminating security policies, usage policies and performing risk assessments for all systems and infrastructure underlying GCP in compliance with the requirements in section 12.
      Customer: GCP customers are responsible for establishing, maintaining and disseminating security policies, usage policies and performing risk assessments for all systems and instances deployed by customers on GCP.

12.3  Develop usage policies for critical technologies and define proper use of these technologies. Ensure these usage policies require the following:
      GCP: Google is responsible for establishing, maintaining and disseminating security policies, usage policies and performing risk assessments for all systems and infrastructure underlying GCP in compliance with the requirements in section 12.
      Customer: GCP customers are responsible for establishing, maintaining and disseminating security policies, usage policies and performing risk assessments for all systems and instances deployed by customers on GCP.

12.3.1  Explicit approval by authorized parties.
      GCP: Google is responsible for establishing, maintaining and disseminating security policies, usage policies and performing risk assessments for all systems and infrastructure underlying GCP in compliance with the requirements in section 12.
      Customer: GCP customers are responsible for establishing, maintaining and disseminating security policies, usage policies and performing risk assessments for all systems and instances deployed by customers on GCP.

12.3.2  Authentication for use of the technology.
      GCP: Google is responsible for establishing, maintaining and disseminating security policies, usage policies and performing risk assessments for all systems and infrastructure underlying GCP in compliance with the requirements in section 12.
      Customer: GCP customers are responsible for establishing, maintaining and disseminating security policies, usage policies and performing risk assessments for all systems and instances deployed by customers on GCP.

12.3.3  A list of all such devices and personnel with access.
      GCP: Google is responsible for establishing, maintaining and disseminating security policies, usage policies and performing risk assessments for all systems and infrastructure underlying GCP in compliance with the requirements in section 12.
      Customer: GCP customers are responsible for establishing, maintaining and disseminating security policies, usage policies and performing risk assessments for all systems and instances deployed by customers on GCP.


12.3.4  A method to accurately and readily determine owner, contact information, and purpose (for example, labeling, coding, and/or inventorying of devices).
      GCP: Google is responsible for establishing, maintaining and disseminating security policies, usage policies and performing risk assessments for all systems and infrastructure underlying GCP in compliance with the requirements in section 12.
      Customer: GCP customers are responsible for establishing, maintaining and disseminating security policies, usage policies and performing risk assessments for all systems and instances deployed by customers on GCP.

12.3.5  Acceptable uses of the technology.
      GCP: Google is responsible for establishing, maintaining and disseminating security policies, usage policies and performing risk assessments for all systems and infrastructure underlying GCP in compliance with the requirements in section 12.
      Customer: GCP customers are responsible for establishing, maintaining and disseminating security policies, usage policies and performing risk assessments for all systems and instances deployed by customers on GCP.

12.3.6  Acceptable network locations for the technologies.
      GCP: Google is responsible for establishing, maintaining and disseminating security policies, usage policies and performing risk assessments for all systems and infrastructure underlying GCP in compliance with the requirements in section 12.
      Customer: GCP customers are responsible for establishing, maintaining and disseminating security policies, usage policies and performing risk assessments for all systems and instances deployed by customers on GCP.

12.3.7  List of company-approved products.
      GCP: Google is responsible for establishing, maintaining and disseminating security policies, usage policies and performing risk assessments for all systems and infrastructure underlying GCP in compliance with the requirements in section 12.
      Customer: GCP customers are responsible for establishing, maintaining and disseminating security policies, usage policies and performing risk assessments for all systems and instances deployed by customers on GCP.

12.3.8  Automatic disconnect of sessions for remote-access technologies after a specific period of inactivity.
      GCP: Google is responsible for establishing, maintaining and disseminating security policies, usage policies and performing risk assessments for all systems and infrastructure underlying GCP in compliance with the requirements in section 12.
      Customer: GCP customers are responsible for establishing, maintaining and disseminating security policies, usage policies and performing risk assessments for all systems and instances deployed by customers on GCP.

12.3.9  Activation of remote-access technologies for vendors and business partners only when needed by vendors and business partners, with immediate deactivation after use.
      GCP: Google is responsible for establishing, maintaining and disseminating security policies, usage policies and performing risk assessments for all systems and infrastructure underlying GCP in compliance with the requirements in section 12.
      Customer: GCP customers are responsible for establishing, maintaining and disseminating security policies, usage policies and performing risk assessments for all systems and instances deployed by customers on GCP.

12.3.10  For personnel accessing cardholder data via remote-access technologies, prohibit the copying, moving, and storage of cardholder data onto local hard drives and removable electronic media, unless explicitly authorized for a defined business need. Where there is an authorized business need, the usage policies must require the data be protected in accordance with all applicable PCI DSS Requirements.
      GCP: Google is responsible for establishing, maintaining and disseminating security policies, usage policies and performing risk assessments for all systems and infrastructure underlying GCP in compliance with the requirements in section 12.
      Customer: GCP customers are responsible for establishing, maintaining and disseminating security policies, usage policies and performing risk assessments for all systems and instances deployed by customers on GCP.

12.4  Ensure that the security policy and procedures clearly define information security responsibilities for all personnel.
      GCP: Google is responsible for establishing, maintaining and disseminating security policies, usage policies and performing risk assessments for all systems and infrastructure underlying GCP in compliance with the requirements in section 12.
      Customer: GCP customers are responsible for establishing, maintaining and disseminating security policies, usage policies and performing risk assessments for all systems and instances deployed by customers on GCP.

12.5  Assign to an individual or team the following information security management responsibilities:
      GCP: Google has PCI DSS compliance responsibility for dedicated internal Google Production and management network systems.
      Customer: For computer resources that are provided by Google to customers as part of a customer's GCP project, the PCI compliance of those resources is the customer's responsibility.

12.5.1  Establish, document, and distribute security policies and procedures.
      GCP: Google maintains a highly trained and professional security team and has implemented a security awareness program for all applicable personnel in compliance with section 12 requirements to manage security for all systems and infrastructure underlying GCP.
      Customer: GCP customers are responsible for maintaining an information security team and implementing security awareness programs in compliance with section 12 for all customer deployed instances on GCP.

12.5.2  Monitor and analyze security alerts and information, and distribute to appropriate personnel.
      GCP: Google maintains a highly trained and professional security team and has implemented a security awareness program for all applicable personnel in compliance with section 12 requirements to manage security for all systems and infrastructure underlying GCP.
      Customer: GCP customers are responsible for maintaining an information security team and implementing security awareness programs in compliance with section 12 for all customer deployed instances on GCP.

12.5.3  Establish, document, and distribute security incident response and escalation procedures to ensure timely and effective handling of all situations.
      GCP: Google maintains a highly trained and professional security team and has implemented a security awareness program for all applicable personnel in compliance with section 12 requirements to manage security for all systems and infrastructure underlying GCP.
      Customer: GCP customers are responsible for maintaining an information security team and implementing security awareness programs in compliance with section 12 for all customer deployed instances on GCP.

12.5.4  Administer user accounts, including additions, deletions, and modifications.
      GCP: Google maintains a highly trained and professional security team and has implemented a security awareness program for all applicable personnel in compliance with section 12 requirements to manage security for all systems and infrastructure underlying GCP.
      Customer: GCP customers are responsible for maintaining an information security team and implementing security awareness programs in compliance with section 12 for all customer deployed instances on GCP.

12.5.5  Monitor and control all access to data.
      GCP: Google is responsible for monitoring access to data by Google staff.
      Customer: GCP customers are responsible for monitoring and controlling access by their own users and staff, including vendors and consumers, as applicable to the GCP customer.

12.6  Implement a formal security awareness program to make all personnel aware of the importance of cardholder data security.
      GCP: Google maintains a highly trained and professional security team and has implemented a security awareness program for all applicable personnel in compliance with section 12 requirements to manage security for all systems and infrastructure underlying GCP.
      Customer: GCP customers are responsible for maintaining an information security team and implementing security awareness programs in compliance with section 12 for all customer deployed instances on GCP.

12.6.1  Educate personnel upon hire and at least annually.
      GCP: Google maintains a highly trained and professional security team and has implemented a security awareness program for all applicable personnel in compliance with section 12 requirements to manage security for all systems and infrastructure underlying GCP.
      Customer: GCP customers are responsible for maintaining an information security team and implementing security awareness programs in compliance with section 12 for all customer deployed instances on GCP.

12.6.2  Require personnel to acknowledge at least annually that they have read and understood the security policy and procedures.
      GCP: Google maintains a highly trained and professional security team and has implemented a security awareness program for all applicable personnel in compliance with section 12 requirements to manage security for all systems and infrastructure underlying GCP.
      Customer: GCP customers are responsible for maintaining an information security team and implementing security awareness programs in compliance with section 12 for all customer deployed instances on GCP.

12.7  Screen potential personnel prior to hire to minimize the risk of attacks from internal sources. (Examples of background checks include previous employment history, criminal record, credit history, and reference checks.)
      GCP: Google has implemented appropriate screening for its personnel which complies with section 12 requirements.
      Customer: GCP customers are responsible for implementing screening on their applicable personnel in relation to their PCI DSS scope.

12.8  Maintain and implement policies and procedures to manage service providers with whom cardholder data is shared, or that could affect the security of cardholder data, as follows:

12.8.1  Maintain a list of service providers.
      GCP: Google does not share customer data with third party providers. Google is responsible for establishing, maintaining and disseminating security policies, usage policies and performing risk assessments for all systems and infrastructure underlying GCP in compliance with the requirements in section 12.
      Customer: GCP customers are responsible for complying with this requirement as applicable to them when cardholder data is shared with third parties.

12.8.2  Maintain a written agreement that includes an acknowledgement that the service providers are responsible for the security of cardholder data the service providers possess or otherwise store, process or transmit on behalf of the customer, or to the extent that they could impact the security of the customer's cardholder data environment.
      GCP: Google does not share customer data with third party providers. Google is responsible for establishing, maintaining and disseminating security policies, usage policies and performing risk assessments for all systems and infrastructure underlying GCP in compliance with the requirements in section 12.
      Customer: GCP customers are responsible for complying with this requirement as applicable to them when cardholder data is shared with third parties.

12.8.3  Ensure there is an established process for engaging service providers including proper due diligence prior to engagement.
      GCP: Google does not share customer data with third party providers. Google is responsible for establishing, maintaining and disseminating security policies, usage policies and performing risk assessments for all systems and infrastructure underlying GCP in compliance with the requirements in section 12.
      Customer: GCP customers are responsible for complying with this requirement as applicable to them when cardholder data is shared with third parties.

12.8.4  Maintain a program to monitor service providers' PCI DSS compliance status at least annually.
      GCP: Google does not share customer data with third party providers. Google is responsible for establishing, maintaining and disseminating security policies, usage policies and performing risk assessments for all systems and infrastructure underlying GCP in compliance with the requirements in section 12.
      Customer: GCP customers are responsible for complying with this requirement as applicable to them when cardholder data is shared with third parties.

12.8.5  Maintain information about which PCI DSS requirements are managed by each service provider, and which are managed by the entity.
      GCP: Google does not share customer data with third party providers. Google is responsible for establishing, maintaining and disseminating security policies, usage policies and performing risk assessments for all systems and infrastructure underlying GCP in compliance with the requirements in section 12.
      Customer: GCP customers are responsible for complying with this requirement as applicable to them when cardholder data is shared with third parties.

12.9  Additional requirement for service providers only: Service providers acknowledge in writing to customers that they are responsible for the security of cardholder data the service provider possesses or otherwise stores, processes, or transmits on behalf of the customer, or to the extent that they could impact the security of the customer's cardholder data environment.
      GCP: See Google's Data Processing and Security Terms for GCP.
      Customer: N/A

12.10  Implement an incident response plan. Be prepared to respond immediately to a system breach.
      GCP: Google has implemented a detailed incident response plan for all systems and infrastructure underlying GCP in compliance with section 12 requirements.
      Customer: Customers are responsible for implementing an incident response plan in compliance with section 12 requirements for all customer deployed instances and data on GCP.

12.10.1  Create the incident response plan to be implemented in the event of system breach. Ensure the plan addresses the following, at a minimum:
      ● Roles, responsibilities, and communication and contact strategies in the event of a compromise including notification of the payment brands, at a minimum
      ● Specific incident response procedures
      ● Business recovery and continuity procedures
      ● Data backup processes
      ● Analysis of legal requirements for reporting compromises
      ● Coverage and responses of all critical system components
      ● Reference or inclusion of incident response procedures from the payment brands
      GCP: Google has implemented a detailed incident response plan for all systems and infrastructure underlying GCP in compliance with section 12 requirements.
      Customer: Customers are responsible for implementing an incident response plan in compliance with section 12 requirements for all customer deployed instances and data on GCP.

12.10.2  Test the plan at least annually.
      GCP: Google has implemented a detailed incident response plan for all systems and infrastructure underlying GCP in compliance with section 12 requirements.
      Customer: Customers are responsible for implementing an incident response plan in compliance with section 12 requirements for all customer deployed instances and data on GCP.

12.10.3  Designate specific personnel to be available on a 24/7 basis to respond to alerts.
      GCP: Google has implemented a detailed incident response plan for all systems and infrastructure underlying GCP in compliance with section 12 requirements.
      Customer: Customers are responsible for implementing an incident response plan in compliance with section 12 requirements for all customer deployed instances and data on GCP.

12.10.4  Provide appropriate training to staff with security breach response responsibilities.
      GCP: Google has implemented a detailed incident response plan for all systems and infrastructure underlying GCP in compliance with section 12 requirements.
      Customer: Customers are responsible for implementing an incident response plan in compliance with section 12 requirements for all customer deployed instances and data on GCP.

12.10.5  Include alerts from security monitoring systems, including but not limited to intrusion-detection, intrusion-prevention, firewalls, and file-integrity monitoring systems.
      GCP: Google has implemented a detailed incident response plan for all systems and infrastructure underlying GCP in compliance with section 12 requirements.
      Customer: Customers are responsible for implementing an incident response plan in compliance with section 12 requirements for all customer deployed instances and data on GCP.

12.10.6  Develop a process to modify and evolve the incident response plan according to lessons learned and to incorporate industry developments.
      GCP: Google has implemented a detailed incident response plan for all systems and infrastructure underlying GCP in compliance with section 12 requirements.
      Customer: Customers are responsible for implementing an incident response plan in compliance with section 12 requirements for all customer deployed instances and data on GCP.

Appendix
Additional Requirements for Entities using SSL/early TLS 
 

Requirement  PCI-DSS Requirement   Additional Customer Responsibility  

A2.1  Where POS POI terminals (and the SSL/TLS termination points to which they connect) use SSL and/or early TLS, the entity must either: confirm the devices are not susceptible to any known exploits for those protocols; or have a formal Risk Mitigation and Migration Plan in place.
      Customer: N/A: no POS/POI devices are in scope.

A2.2  Entities with existing implementations (other than as allowed in A2.1) that use SSL and/or early TLS must have a formal Risk Mitigation and Migration Plan in place.
      Customer: GCP customers are responsible for complying with this requirement for any virtual machines, applications, services or databases deployed by them on GCP.

A2.3  Additional Requirement for Service Providers Only: All service providers must provide a secure service offering by June 30, 2016.
      GCP: Google has implemented controls for secure administrative access for the Google production infrastructure underlying GCP.
      Customer: GCP customers are responsible for configuring their apps hosted on Google Cloud Platform so that they do not accept TLS 1.0 requests from their app users. Example: connections between customer instances and end users.
      Customer: GCP customers wishing to disable 3DES or TLS 1.0 for web-based access to the covered services will need to file a support case referencing issue #73300651 and requesting that 3DES or TLS 1.0 be disabled for their managed accounts. Google will then apply a policy to user accounts managed under the applicable GCP domain preventing sign-in when the user is on a connection using 3DES or TLS 1.0. Example: connections between customer administrators and Google's Cloud Console.
      Customer: GCP customers are responsible for configuring their clients to disallow connections via TLS 1.0. Example: connections between the customer and their third parties.
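The first and third customer items under A2.3 (apps that must not accept TLS 1.0 from end users, and clients that must not offer it to third parties) come down to the TLS floor and cipher list a process is started with. The following is an added example written for this page, not the matrix's own text and not a Google-supplied configuration: it builds a server-side and a client-side context in Python's standard ssl module that refuse TLS 1.0/1.1 and 3DES, and a check a reviewer can run against any context to confirm what it would still negotiate. The cipher string CIPHER_POLICY is an assumption chosen for the example, not a mandated value.

```python
"""TLS floor and cipher policy for customer-hosted services (added example)."""
import ssl
from typing import List

# Forward-secret AEAD suites only; the explicit exclusions document intent.
# Assumed policy for this example, not a Google requirement.
CIPHER_POLICY = "ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!MD5:!3DES:!RC4"


def server_context() -> ssl.SSLContext:
    """Context for an app that must not accept TLS 1.0 or 1.1 from end users.

    The caller still loads its certificate chain and key with load_cert_chain().
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers(CIPHER_POLICY)
    return ctx


def client_context() -> ssl.SSLContext:
    """Context for outbound connections to third parties: same floor, plus
    the certificate and hostname verification create_default_context enables."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers(CIPHER_POLICY)
    return ctx


def min_version_name(ctx: ssl.SSLContext) -> str:
    """Human-readable lowest protocol version the context will negotiate."""
    return ctx.minimum_version.name


def accepts_legacy_tls(ctx: ssl.SSLContext) -> bool:
    """True if the context would still negotiate TLS 1.0 or 1.1."""
    return ctx.minimum_version < ssl.TLSVersion.TLSv1_2


def weak_ciphers(ctx: ssl.SSLContext) -> List[str]:
    """Names of enabled suites that still use 3DES, RC4, MD5 or no authentication.

    OpenSSL names its 3DES suites with 'DES-CBC3', so the 'DES' substring
    catches them; AES and ECDHE names do not contain it.
    """
    markers = ("DES", "RC4", "MD5", "NULL")
    return [c["name"] for c in ctx.get_ciphers() if any(m in c["name"] for m in markers)]


if __name__ == "__main__":
    for label, ctx in (("server", server_context()), ("client", client_context())):
        print(f"{label}: min={min_version_name(ctx)} legacy={accepts_legacy_tls(ctx)} "
              f"weak={weak_ciphers(ctx)}")
```

The check functions are the useful part for an assessment: run weak_ciphers() and accepts_legacy_tls() against the context a service actually starts with, rather than trusting that a policy string was applied somewhere.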

Product Specific Customer Considerations 


 

Product   Requirement  PCI-DSS Requirement   Additional Customer Responsibility  

Google App Engine  A2.3  Additional Requirement for Service Providers Only: All service providers must provide a secure service offering by June 30, 2016.
      Customer: GCP App Engine customers can file a support ticket to disable TLS 1.0 for their custom domain. It is a customer responsibility to re-route HTTPS requests from their *.appspot.com address to their custom domain.

 