A company is subject to PCI DSS and plans to use a cloud provider to process credit card transactions. The cloud provider has been assessed by a Qualified Security Assessor (QSA). According to PCI DSS, what must the company obtain from the provider to demonstrate compliance?
Correct. The Attestation of Compliance (AOC) and the Responsibility Matrix together show the provider's compliance scope and which PCI DSS requirements the provider covers versus those left to the customer.
Why this answer
PCI DSS requires that the service provider's responsibilities be mapped in a Cloud Provider Responsibility Matrix, typically in Appendix A3. Additionally, the customer must obtain evidence of the provider's QSA assessment, which is the provider's AOC.