Question: We are considering moving a server containing cardholder data to a hosted private cloud provider. Is it necessary that the provider have a PCI DSS assessment of their own and produce an Attestation of Compliance?
What if they produce a report from an independent security company that is not on the list of approved QSAs published by the PCI Security Standards Council, yet that report states that they are PCI DSS compliant?
Answer: If you use a hosting provider and you plan to host cardholder data there, you will either need proof that the hosting provider is PCI DSS compliant and that the facility’s compliance assessment included their hosted environment as a part of that assessment, or you will have to include the hosting provider’s facility within the scope of your own PCI DSS compliance assessment.
As for the second question, the PCI assessment must be completed by an approved Qualified Security Assessor (QSA).