OPS ONLINETHREAT LEVEL: ELEVATEDSECTOR 04 · ACTIVE WATCHUPLINK NOMINAL · 99.997%MISSION CLOCKT+ 00:00:00DOCTRINE FM-26.A
Passed PCI DSS Audits

PCI DSS Cloud Infrastructure Support

Network segmentation, cardholder data environment scoping, and technical control implementation for cloud environments — from a team with a track record of taking infrastructure through to a passed PCI DSS audit.

Where cloud makes PCI DSS harder

Shared-responsibility models and dynamic cloud networking make cardholder data environment scoping genuinely difficult — segmentation that looks correct in a network diagram doesn't always hold up in a cloud-native deployment. This is the specific gap this engagement addresses.

What's covered

Formal validation

Assessment and validation for organizations subject to that requirement sits with a Qualified Security Assessor, not ACS. This engagement is the infrastructure work that supports that validation, coordinated directly with your QSA where one is engaged.

PCI DSS INFRASTRUCTURE — FAQ

Does ACS perform PCI DSS assessments as a QSA?

No — formal PCI DSS assessment and validation for organizations subject to that requirement requires a Qualified Security Assessor (QSA). ACS provides the infrastructure-level segmentation and control implementation work that determines how that assessment goes, with a track record of taking that work through to a passed audit.

Has ACS actually passed a PCI DSS audit?

Yes — ACS has prepared infrastructure for and passed a PCI DSS audit as part of prior engagement work.

What does cloud infrastructure add to PCI DSS scoping?

Shared-responsibility boundaries and dynamic cloud network segmentation make PCI scoping harder than in a traditional on-prem environment — this is specifically where infrastructure-level technical work matters most.

What is assessed or implemented?

Network segmentation isolating the cardholder data environment, access control around in-scope systems, logging sufficient for PCI evidence requirements, and encryption configuration for cardholder data at rest and in transit.

Can you work with our QSA?

Yes — we coordinate on technical scope and control implementation; the formal validation relationship remains between you and your QSA.

Does this reduce PCI scope, or just secure what's in scope?

Both — proper segmentation is often the single highest-leverage way to reduce what's actually in scope for assessment, which we evaluate as part of this engagement rather than assuming your current scope is already minimal.

Discuss PCI DSS Infrastructure Support

Tell us your current cardholder data environment scope. We'll assess where segmentation and controls need work.