Mosso, a PaaS cloud provider, claims to be the first to enable a customer to be PCI compliant within the cloud. Naturally, this really excited me, as I have spent a lot of time lately trying to figure out how to accomplish PCI compliance in the cloud. I was somewhat disappointed, however, once I read the details.
In this case, the application within the cloud does not actually store any credit card data. The customer leverages a third party payment gateway to handle collection and storage of all cardholder data.
Additionally, the customer did not gain PCI certification through an evaluation by a Qualified Security Assessor (QSA), but instead only needed to complete a "Self-Assessment Questionnaire" and pass a scan from an Approved Scanning Vendor (ASV).
Since the application used a third party payment gateway to handle collection and storage of cardholder data, only a subset of the PCI DSS controls applied to this application. According to Mosso's article, only requirement 9 (Restrict physical access to cardholder data) and 12 (Maintain a policy that addresses information security) applied.
It's wonderful that some level of PCI compliance has been achieved for applications within the cloud, but I feel like this isn't much different from Amazon EC2 + Amazon Flexible Payments Service, or, even more simply, any cloud provider + PayPal. Hopefully in the future we will have a case study in which an application that itself handles cardholder data becomes PCI certified within a cloud computing provider's infrastructure.