Is Google Cloud Storage PCI compliant?

Question

Here is the Google Cloud Platform: Customer Responsibility Matrix. This document basically goes through all of the PCI DSS requirements and explains what is done by GCP and what is supposed to be done by the customers.

This document states that Google Cloud Storage is in scope for PCI DSS.

This GCP link states that "Requirement 3.4 stipulates that a PAN must be unreadable anywhere it is stored. While Google automatically offers encryption at rest, it doesn't automatically perform the one-way hashes, truncation, or tokenization that the rules also require.”

However, I am not able to find proof that explicitly says that Google Cloud storage is PCI compliant as it is a service from a cloud provider.

Is there an official document which claims Google Cloud Storage to be PCI compliant as a service?

A document that talks about how GCP achieved PCI DSS compliance for google cloud storage rather than how to fulfill the requirements for the customer's set-up?

Answer 1

It seems you are asking two questions here:

(1) Is Google Cloud Platform (GCP) Payment Card Industry Data Security Standard (PCI DSS) Certified?

(2) Is Google Cloud Storage (GCS) PCI DSS Compliant?

Here are the answers available in our public documentation:

1) GCP is PCI DSS Certified as this announcement and our official doc clearly state:

"Google Cloud undergoes an annual third-party audit to certify individual products against the PCI DSS. This means that these services provide an infrastructure that customers may build their own services or applications which store, process, or transmit cardholder data."

As you know, PCI DSS is a standard written by credit card companies for handling the security of credit card information from consumers. As our documentation reveals, it is a shared responsibility between the Cloud Provider (GCP), who needs to be certified as a platform, and the consumer/customer (you), whose responsibility it is to implement/build compliant services on GCP.

2) Cloud Storage is PCI DSS Compliant as you can see in this official statement

"The following Google Cloud services have been reviewed by an independent Qualified Security Assessor and determined to be PCI DSS 3.2 compliant. This means that these services provide an infrastructure upon which customers may build their own service or application which stores, processes, or transmits cardholder data. We have created this matrix to help explain the shared responsibility between Google and its customers."

Per "Is there an official document which claims Google Cloud Storage to be PCI compliant as a service?" refer to this documentation and this reference that reveals GCS is a service that meets PCI DSS compliance. But of course when you architect a solution that uses GCS you need to do so in a PCI DSS compliant way.

Note that the same statement of shared responsibility is also echoed in the Google Cloud Platform: Customer Responsibility Matrix that you referenced. We recommend that Customers reference the responsibility matrix as they pursue PCI compliance and find it a useful tool when conducting their own PCI audits.

Per "A document that talks about how GCP achieved PCI DSS compliance for google cloud storage rather than how to fulfill the requirements for the customer's set-up?" refer again to this doc that states, "Google Cloud undergoes an annual third-party audit to certify individual products against the PCI DSS."

We also published an advice on building PCI compliant services on GCP which you referenced. Here is an example of how to go about building PCI DSS compliant services on GCP. And here's an example of how a customer's GCS based service meets PCI DSS compliance using our tools.

Hope this helps to clarify what is stated about PCI DSS compliance in our public docs.