1.Introduction of PCI DSS

The PCI Security Standards Council is a global forum with the aim of establishing security standards for account data protection. The Council is founded by five major payment brands (American Express, Discover Financial Services, JCB International, MasterCard, and Visa Inc.).


The PCI Data Security Standards define operational and technical requirements for entities that store, process or transmit payment card information, including merchants, processors, acquires, issuers and service providers. The PCI DSS is administered and managed by the Council, however, the enforcement of compliance with the PCI DSS is carried out by the payment brands.

2.Applicability of PCI DSS

The PCI Data Security Standards is applicable to all entities that store, process or transmit payment card information. Merchants can be categorized into 4 levels, from level 1 to level 4, based on the volume of transactions per annum with the payment card brand. The merchant level identification principle is determined by the payment card brand. Therefore, the merchants need to figure out the merchant level by confirming with the acquiring bank. The Council has established Self-Assessment Questionnaire mechanisms for small-to-medium size merchants to validate PCI DSS compliance.


The merchants need to further determine which type of questionnaire is applicable and complete the questionnaire in accordance with the instructions and guidelines. For certain type of business, for instance, SAQ A-EP, SAQ B-IP, SAQ C, SAQ D-Merchant and SAQ D-Service Provider, a quarterly vulnerability scanning is required to be conducted by PCI SSC Approved Scanning Vendor (ASV). Finally, the merchants have to complete the Attestation of Compliance and submit every requested documentation to the acquiring banks for validation.

3. Alibaba Cloud Complies with PCI DSS

PCI DSS comprises with 12 requirements covering 6 categories, including build and maintain a secure network and systems, protect cardholder data, maintain a vulnerability management program, implement strong access control measures, regularly monitor and test networks and maintain an information security policy, for the applicable entities to assess whether they have maintained a secure environment for the protection of their affiliated payment card account data.


Alibaba Cloud engaged with PCI SSC Approved Qualified Security Assessor (QSA) to conduct annual onsite assessment, i.e., PCI DSS v3.2.1 level 1 certified. The scope of the PCI DSS assessment includes cloud products, security services and CDN services that are available in 12 global regions (including Hong Kong). The Attestation of Compliance (AOC) report is available for downloading. For detailed scope information, please refer to the AOC report.

4.How to comply with PCI DSS on Alibaba Cloud

- Understand the responsibilities of fulfilling PCI DSS requirements

Alibaba Cloud’s compliance with PCI DSS does not mean that our customer also meets the requirements in PCI DSS. The assessment environment for Alibaba Cloud is the underlying physical and virtualised infrastructure that supports the Alibaba Cloud services, which include physical servers, host operating systems, networking, virtulisation and control environment over management and operations of the Alibaba Cloud platform and services. By complying with PCI DSS, Alibaba Cloud is able to provide a highly secure cloud service platform with products and security services to help the customer meet the security requirement under PCI DSS.

Following the shared security responsibility model, Alibaba Cloud and its customers are jointly responsible for the security of customers' applications built on Alibaba Cloud. Within 12 PCI DSS requirements, the physical security related requirements are only applicable to Alibaba Cloud, the cardholder data environment and information security policy related requirements are major applicable to the customers only, and the remaining requirements are the joint efforts between Alibaba Cloud and our customers.

- Alibaba Cloud’s offerings

We provide Alibaba Cloud International Services PCI DSS Responsibility Management Matrix for the customer to understand how to rely on Alibaba Cloud’s PCI AOC Report and what they should be responsible of per each of the requirements so as to comply with PCI DSS. For detailed information, please feel free to download the document.

In general, Customers are responsible for configuring and using various cloud-based products in a secure manner, and building their own cloud-based applications and services in a secure and controllable manner based on the security capabilities of these cloud products to ensure the security of data on the cloud. Alibaba Cloud provides Smart and Sound with Alibaba Cloud - Security Service Overview which explores key scenarios of security across six domains.

- Other support from Alibaba Cloud Ecosystem

In Alibaba Cloud’s marketplace, the customer can enjoy a PCI DSS Wizard service provided by LGMS (An international PCI Qualified Security Assessor Company) for free to determine business type and PCI DSS Compliance Level, followed by LGMS PCI DSS Compliance SAQ Wizard, ASV Scanning and Compliance Attestation services which are available in the marketplace to suit your needs.

If you wish to share your best practices or difficulties you have encountered during your PCI DSS compliance journey with others, please feel free to publish them on Alibaba Cloud Forum – Solutions.