Exam CAS-004 topic 1 question 506 discussion

Actual exam question from CompTIA's CAS-004
Question #: 506
Topic #: 1

A company uses a CSP to provide a front end for its new payment system offering. The new offering is currently certified as PCI compliant. In order for the integrated solution to be compliant, the customer:

  • A. must also be PCI compliant, because the risk is transferred to the provider.
  • B. still needs to perform its own PCI assessment of the provider's managed serverless service.
  • C. needs to perform a penetration test of the cloud provider's environment.
  • D. must ensure in-scope systems for the new offering are also PCI compliant.
Suggested Answer: D

Comments

Bright07
3 weeks, 1 day ago
Selected Answer: D
In a Payment Card Industry (PCI) context, even if a company is using a Cloud Service Provider (CSP) to host or manage part of its system, the company remains responsible for ensuring that its in-scope systems (systems that store, process, or transmit payment card data) are PCI compliant. The certification of the offering as PCI compliant typically refers to the specific parts of the environment where payment card data is processed or stored, but it does not automatically extend to all other parts of the company’s environment. Thus, the company must ensure that all systems involved in the payment processing solution that are considered in-scope for PCI DSS requirements are compliant. The CSP may be responsible for ensuring that their infrastructure and services (such as cloud-based storage or serverless services) meet PCI compliance standards, but the customer still needs to confirm that their systems that interact with this service are also compliant.
upvoted 1 times
...
gbemimatti
1 month, 2 weeks ago
Selected Answer: D
When using a cloud service provider (CSP) for a payment system, compliance with PCI DSS (Payment Card Industry Data Security Standard) is a shared responsibility between the customer and the CSP. While the CSP might be PCI-compliant for its infrastructure or services, the customer is still responsible for ensuring that in-scope systems (those processing, transmitting, or storing cardholder data) in their environment are also PCI compliant.
upvoted 2 times
...
Bright07
3 months, 1 week ago
Ans D. In the context of using a Cloud Service Provider (CSP) for a PCI-compliant payment system, the correct option is D. must ensure in-scope systems for the new offering are also PCI compliant. While the CSP may be PCI compliant, the customer is responsible for ensuring that their own systems and processes that interact with the payment system also meet PCI compliance requirements.
upvoted 1 times
...