WithPCI.com

Appendix A1: Additional PCI DSS Requirements for Multi-Tenant Service Providers

Overview

All service providers are responsible for meeting PCI DSS requirements for their own environments as applicable to the services offered to their customers. In addition, multi-tenant service providers must meet the requirements in this Appendix.

Multi-tenant service providers are a type of third-party service provider that offers various shared services to merchants and other service providers, where customers share system resources (such as physical or virtual servers), infrastructure, applications (including Software as a Service (SaaS)), and/or databases. Services may include, but are not limited to, hosting multiple entities on a single shared server, providing e-commerce and/or "shopping cart" services, web-based hosting services, payment applications, various cloud applications and services, and payment gateway and processor services offered in a shared environment.

Service providers that provide only shared data center services (often called co-location or "co-lo" providers), where equipment, space, and bandwidth are available on a rental basis, are not considered multi-tenant service providers for purposes of this Appendix.

Note: Even though a multi-tenant service provider may meet these requirements, each customer is still responsible to comply with the PCI DSS requirements that are applicable to its environment and validate compliance as applicable. Often, there are PCI DSS requirements for which responsibility is shared between the provider and the customer (for perhaps different aspects of the environment). Requirements 12.8 and 12.9 delineate requirements specific to the relationships between all third-party service providers (TPSPs) and their customers, and the responsibilities of both. This includes defining the specific services the customer is receiving, along with which PCI DSS requirements are the responsibility of the customer to meet, which are the responsibility of the TPSP, and which requirements are shared between both customer and the TPSP.

Sections

A1. Multi-Tenant Service Provider Requirements

Ensure secure isolation of customer environments in shared hosting infrastructure while maintaining PCI DSS compliance across all tenants.

Requirement summary

Sub-requirements: 7
Test points: 8
Implementation difficulty: Moderate (3.0)
Control types: Documentation, Governance, Technical (4), Process

Key Risks

Cross-tenant data compromise via shared resources
Inadequate hypervisor security controls
Co-mingling of audit logs
Third-party access management gaps

Frequently Asked Questions

What specific virtualization controls are required for shared hosting providers?

PCI DSS does not name products or benchmarks; Appendix A1.1 requires logical separation such that the provider cannot access customer environments without authorization, customers cannot access the provider's environment without authorization, and each customer can reach only its own cardholder data and its own allocated resources (A1.1.1 to A1.1.3). The effectiveness of those separation controls must be confirmed by penetration testing at least once every six months (A1.1.4). Controls that providers typically use to get there: 1) hypervisor hardening against a recognized benchmark such as the CIS benchmark for the platform, 2) hardware-assisted virtualization with an IOMMU (Intel VT-d/AMD-Vi) so that devices assigned to one VM cannot DMA into another's memory (note that this constrains device access; it is not by itself a defence against hypervisor escape bugs, which patching covers), 3) per-tenant storage encryption keys, for example AES-XTS volumes keyed per tenant, 4) network segmentation between tenants (security groups, microsegmentation products such as NSX-T). The six-monthly penetration test must actually attempt to cross those boundaries, not just confirm the settings exist.

How do we demonstrate compliance to customers without exposing other tenants' data?

Share what Requirements 12.8 and 12.9 expect a TPSP to provide: 1) your Attestation of Compliance (AOC) and the responsibility matrix showing which requirements are yours, the customer's, or shared, 2) ASV scan summaries, 3) penetration test executive summaries, including the A1.1.4 separation testing. Redact or aggregate anything that identifies other tenants' systems, accounts, or findings; a customer needs evidence that the separation controls work, not the detail of who else is behind them. Raw scan and pen test reports that name other customers' hosts should never leave the provider.

What's required for secure management of shared encryption resources?

Key management for stored account data is governed by Requirement 3.7: documented key lifecycle procedures, restricted access to keys, defined cryptoperiods with key changes when a cryptoperiod ends or compromise is suspected, and dual control with split knowledge for any manual clear-text key operation. In a shared environment add: 1) a FIPS 140-validated HSM or cloud HSM service (AWS CloudHSM and Azure Dedicated HSM are common choices) so key material never leaves validated hardware, 2) per-tenant keys or key namespaces so that no key can decrypt more than one tenant's data, 3) rotation on the documented cryptoperiod (PCI DSS does not fix a 90-day interval; set one you can defend and automate it), 4) tamper-evident logs of every key lifecycle event and key use, carrying the tenant identity, retained under Requirement 10. Blockchain attestation of key logs is not a PCI DSS requirement and a QSA will not ask for it.

How are compliance responsibilities split between provider and tenant?

There is no fixed split by requirement number; responsibility follows what the provider operates on the tenant's behalf. Requirement 12.9 obliges the provider to acknowledge in writing its responsibility for the security of account data it stores, processes, or transmits for customers (12.9.1) and to tell customers which PCI DSS requirements it meets, which the customer must meet, and which are shared (12.9.2); Requirement 12.8 obliges the customer to keep its own list of TPSPs and monitor their compliance. In practice: 1) the provider owns the physical, hypervisor and network layers it operates, 2) the tenant owns its own application code and how it handles account data within its environment, 3) access control, logging, vulnerability management and incident response are usually shared and must be spelled out control by control. Document all of it in a PCI DSS responsibility matrix that both parties sign.

What monitoring is required for shared infrastructure?

Appendix A1.2 sets the baseline: audit logging consistent with Requirement 10 must be enabled for each customer's environment, each customer may see only its own logs, log locations must be communicated so customers can pull logs into their own systems (A1.2.1), and the provider must be able to support prompt forensic investigation (A1.2.2) and incident and vulnerability reporting (A1.2.3) for any tenant. On the shared infrastructure itself, monitor: 1) VM and container resource isolation (a tenant exceeding or escaping its allocation), 2) file integrity on hypervisor hosts, 3) network traffic between tenant segments, where any accepted tenant-to-tenant flow is an isolation failure, 4) configuration drift on isolation controls, with automated alerts. Tools such as Splunk ES or AWS GuardDuty are examples of where to do this, not requirements.
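The traffic-analysis item above is easiest to show on actual log lines. The following is an added example, not code from WithPCI or from any cloud provider: it parses records in the default 14-field VPC flow log layout, maps addresses to tenants through a constructed subnet allocation, and reports every accepted flow between two different tenants. The subnet map, the shared-services allowlist and the log lines are all constructed for the example.

```python
"""Detect accepted cross-tenant network flows in VPC-flow-log-style records.

Added example, not from WithPCI or PCI DSS. The subnet-to-tenant map, the
shared-service allowlist and the log lines below are constructed; the line
format follows the default 14-field VPC flow log layout.
"""
import ipaddress

# Assumed allocation: one subnet per tenant plus a provider-run shared
# services subnet (DNS, patch mirrors) that every tenant may reach.
TENANT_SUBNETS = {
    "tenant-a": ipaddress.ip_network("10.10.0.0/16"),
    "tenant-b": ipaddress.ip_network("10.20.0.0/16"),
    "provider-shared": ipaddress.ip_network("10.250.0.0/24"),
}
SHARED_OWNERS = {"provider-shared"}

# Constructed sample lines: version account eni src dst sport dport proto
# packets bytes start end action log-status.
SAMPLE_LOG = """\
2 123456789012 eni-0a1b2c3d 10.10.1.5 10.10.2.9 49152 443 6 10 840 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d 10.10.1.5 10.250.0.10 53412 53 17 1 72 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d 10.10.1.5 10.20.3.7 51000 3306 6 40 6400 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0e5f6a7b 10.20.3.7 10.10.1.5 52000 22 6 3 180 1700000000 1700000060 REJECT OK
2 123456789012 eni-0e5f6a7b 192.0.2.44 10.20.3.7 40000 443 6 12 900 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0e5f6a7b - - - - - - - 1700000000 1700000060 - NODATA
"""


def parse_flow_log(text):
    """Yield (src, dst, dst_port, action) for each data-bearing record.
    NODATA/SKIPDATA records carry '-' in the address fields and are skipped."""
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 14 or fields[3] == "-":
            continue
        yield fields[3], fields[4], int(fields[6]), fields[12]


def owner_of(ip):
    """Tenant (or shared-service) name owning the address, or None if unknown."""
    addr = ipaddress.ip_address(ip)
    for name, net in TENANT_SUBNETS.items():
        if addr in net:
            return name
    return None


def classify_flow(src, dst, action):
    """'allowed', 'external', 'cross-tenant-accepted' or 'cross-tenant-rejected'."""
    src_owner, dst_owner = owner_of(src), owner_of(dst)
    if src_owner is None or dst_owner is None:
        return "external"          # internet or unmapped space; out of scope here
    if src_owner == dst_owner or {src_owner, dst_owner} & SHARED_OWNERS:
        return "allowed"
    # Two different tenants talking directly: only a rejected attempt is acceptable.
    return "cross-tenant-accepted" if action == "ACCEPT" else "cross-tenant-rejected"


def find_cross_tenant(text):
    """Return (src, dst, dst_port) for every accepted cross-tenant flow.
    Each one is a failure of the logical separation required by A1.1.3."""
    return [(src, dst, port) for src, dst, port, action in parse_flow_log(text)
            if classify_flow(src, dst, action) == "cross-tenant-accepted"]


if __name__ == "__main__":
    for finding in find_cross_tenant(SAMPLE_LOG):
        print("cross-tenant flow accepted:", finding)
```

Rejected cross-tenant attempts are kept distinct from accepted ones on purpose: the former are useful telemetry (a tenant probing its neighbours), the latter are evidence that the separation control failed and belong in the A1.2.3 incident process. On a real deployment, feed the function the flow log export for the period under review rather than the constructed sample.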

Common QSA Questions

Show evidence that tenant data is isolated in shared storage

Sample answer: tenant volumes are encrypted with per-tenant KMS customer-managed keys, and each key policy restricts the data-plane actions (kms:Decrypt, kms:Encrypt, kms:GenerateDataKey) to principals carrying the matching tenant tag through aws:PrincipalTag conditions. Evidence: 1) the key policies themselves, 2) CloudTrail records showing each key used only by that tenant's principals, 3) the six-monthly separation penetration test (A1.1.4) showing that cross-tenant read attempts were blocked. Be clear with the QSA that volume encryption alone is not isolation; the key policy and IAM boundaries are what enforce it, so any Allow statement on a tenant key that lacks a tenant condition is a finding.
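The check implied by both the key-management FAQ above (tenant-specific key namespaces) and this answer (key policies scoped with aws:PrincipalTag conditions) can be automated. The following is an added example, not WithPCI's or AWS's code: it walks a KMS key policy document and reports every Allow statement that grants a data-plane action without binding it to the tenant tag. The policy document is constructed, and the tag name "tenant" is an assumed convention; the comparison of aws:PrincipalTag/tenant against the key's own tag via the ${aws:ResourceTag/tenant} policy variable is the ABAC pattern the example assumes the provider uses.

```python
"""Audit a KMS key policy for tenant scoping.

Added example, not WithPCI's or AWS's code. The policy document is
constructed. Assumed convention: every tenant principal carries the tag
"tenant" and every tenant key carries the same tag, so a statement is
tenant-scoped when it compares aws:PrincipalTag/tenant (StringEquals) against
a literal tenant id or against the key's own tag via ${aws:ResourceTag/tenant}.
"""
import fnmatch
import json

# Actions that read or produce ciphertext/key material. An Allow for any of
# these without a tenant condition lets a principal reach across tenants.
DATA_PLANE_ACTIONS = (
    "kms:Encrypt", "kms:Decrypt", "kms:ReEncryptFrom", "kms:ReEncryptTo",
    "kms:GenerateDataKey", "kms:GenerateDataKeyWithoutPlaintext",
    "kms:GenerateDataKeyPair", "kms:GenerateDataKeyPairWithoutPlaintext",
)
TENANT_CONDITION_KEY = "aws:principaltag/tenant"   # assumed tag name, lower-cased

SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {   # Correct: data-plane use bound to the tenant tag
            "Sid": "TenantUse",
            "Effect": "Allow",
            "Principal": {"AWS": "arn:aws:iam::123456789012:root"},
            "Action": ["kms:Encrypt", "kms:Decrypt", "kms:GenerateDataKey*"],
            "Resource": "*",
            "Condition": {"StringEquals": {
                "aws:PrincipalTag/tenant": "${aws:ResourceTag/tenant}"}},
        },
        {   # Wrong: an operations role may decrypt any tenant's data
            "Sid": "OpsDecrypt",
            "Effect": "Allow",
            "Principal": {"AWS": "arn:aws:iam::123456789012:role/ops"},
            "Action": "kms:Decrypt",
            "Resource": "*",
        },
        {   # Management read only: not a data-plane grant, so not flagged
            "Sid": "Inventory",
            "Effect": "Allow",
            "Principal": {"AWS": "arn:aws:iam::123456789012:role/inventory"},
            "Action": ["kms:DescribeKey", "kms:ListAliases"],
            "Resource": "*",
        },
    ],
})


def _as_list(value):
    """IAM allows a string or a list in Action/Condition values."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def grants_data_plane(statement):
    """True if any Action pattern (wildcards allowed) matches a data-plane action."""
    for pattern in _as_list(statement.get("Action")):
        for action in DATA_PLANE_ACTIONS:
            if fnmatch.fnmatchcase(action.lower(), pattern.lower()):
                return True
    return False


def is_tenant_scoped(statement):
    """True if a StringEquals condition binds the tenant principal tag to a
    non-empty value (literal tenant id or the ${aws:ResourceTag/tenant} variable)."""
    for operator, pairs in statement.get("Condition", {}).items():
        if operator.lower() != "stringequals":
            continue
        for key, value in pairs.items():
            values = _as_list(value)
            if key.lower() == TENANT_CONDITION_KEY and values and all(str(v).strip() for v in values):
                return True
    return False


def find_unscoped_statements(policy_json):
    """Return the Sid (or 'statement[i]') of each Allow statement that grants
    a data-plane action without tenant scoping."""
    policy = json.loads(policy_json)
    findings = []
    for i, statement in enumerate(_as_list(policy.get("Statement"))):
        if statement.get("Effect") != "Allow":
            continue
        if grants_data_plane(statement) and not is_tenant_scoped(statement):
            findings.append(statement.get("Sid", f"statement[{i}]"))
    return findings


if __name__ == "__main__":
    print("unscoped data-plane grants:", find_unscoped_statements(SAMPLE_POLICY))
```

The check is deliberately narrow: it only asks whether a data-plane grant carries the tenant binding, so a `kms:*` wildcard is flagged (fnmatch expands it) while `kms:DescribeKey` on its own is not. Run it over every key policy the provider manages, and over the IAM policies of provider-side roles, since a key policy that delegates to IAM (`"Principal": {"AWS": "arn:aws:iam::<account>:root"}`) is only as scoped as the IAM policies behind it.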

Demonstrate hypervisor protection against Spectre/Meltdown vulnerabilities

Sample answer: 1) hypervisor hosts run kernels and CPU microcode with the vendor mitigations enabled (kernel page-table isolation for Meltdown; retpoline, IBRS/IBPB and RSB filling for Spectre v2), verified per host by reading the kernel's status files under /sys/devices/system/cpu/vulnerabilities/ rather than by asserting a version number, 2) patch-management records show microcode and hypervisor updates applied within the Requirement 6.3.3 window for critical and high vulnerabilities, 3) where SMT is enabled, different tenants' vCPUs are never scheduled on sibling hyperthreads, or SMT is disabled on multi-tenant hosts. Keep the host-by-host evidence and the dates; a single summary statement is not what a QSA samples against. If the service runs on a public cloud, the hypervisor is the cloud provider's responsibility and the evidence is its AOC, recorded as such in the responsibility matrix.
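Reading the kernel's own status files is the evidence a reviewer can rerun. The following is an added example, not from WithPCI or any hypervisor vendor: it classifies each file under /sys/devices/system/cpu/vulnerabilities/ and reports what is still unmitigated, treating anything the kernel does not call mitigated as a failure. The SAMPLE_READINGS dict is constructed to show each verdict and is used only when that directory is absent; the sysfs path and the status-string prefixes ("Not affected", "Mitigation:", "Vulnerable", "Unknown") are those the Linux kernel emits.

```python
"""Report which CPU speculative-execution vulnerabilities a hypervisor host
still has unmitigated, from the kernel's own sysfs status files.

Added example, not from WithPCI. On a real host it reads
/sys/devices/system/cpu/vulnerabilities/; the SAMPLE_READINGS dict is
constructed to show each verdict and is used when that directory is absent.
"""
from pathlib import Path

SYSFS_DIR = Path("/sys/devices/system/cpu/vulnerabilities")

# Constructed sample shaped like the sysfs files: KPTI on, Spectre v2
# unmitigated, MDS attempted without microcode, L1TF mitigated except for SMT.
SAMPLE_READINGS = {
    "meltdown": "Mitigation: PTI",
    "spectre_v1": "Mitigation: usercopy/swapgs barriers and __user pointer sanitization",
    "spectre_v2": "Vulnerable",
    "l1tf": "Mitigation: PTE Inversion; VMX: conditional cache flushes, SMT vulnerable",
    "mds": "Vulnerable: Clear CPU buffers attempted, no microcode; SMT vulnerable",
    "srbds": "Not affected",
}


def classify(status):
    """'ok' for 'Not affected' or a clean 'Mitigation:', 'caveat' for a
    mitigation that still leaves SMT siblings exposed, 'fail' for anything
    else ('Vulnerable...', 'Unknown...', or an unexpected string)."""
    text = status.strip()
    if text.startswith("Not affected"):
        return "ok"
    if text.startswith("Mitigation:"):
        return "caveat" if "SMT vulnerable" in text else "ok"
    return "fail"   # fail closed on anything the kernel does not call mitigated


def read_sysfs(directory=SYSFS_DIR):
    """Read every status file under the sysfs vulnerabilities directory."""
    return {p.name: p.read_text().strip()
            for p in sorted(directory.iterdir()) if p.is_file()}


def evaluate(readings, require_smt_safe=False):
    """Return {name: status} for every item a QSA would expect explained:
    unmitigated ones always, SMT-caveated ones too when the host may schedule
    different tenants' vCPUs on sibling hyperthreads (require_smt_safe)."""
    findings = {}
    for name, status in readings.items():
        verdict = classify(status)
        if verdict == "fail" or (verdict == "caveat" and require_smt_safe):
            findings[name] = status
    return findings


if __name__ == "__main__":
    readings = read_sysfs() if SYSFS_DIR.is_dir() else SAMPLE_READINGS
    for name, status in evaluate(readings, require_smt_safe=True).items():
        print(f"{name}: {status}")
```

Run it on each hypervisor host with `require_smt_safe=True` unless the scheduler pins tenants to whole cores, and keep the raw output alongside the verdicts: the status strings carry the detail (which mitigation, whether microcode was present) that the QSA will want to trace back to the patch records.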

Provide third-party audit access process documentation

Sample answer: our audit portal offers 1) pre-approved evidence packages per tenant, scoped so that one customer's package never contains another tenant's identifiers, 2) just-in-time access for assessors that expires after four hours and is approved per request, 3) activity logging of every portal session through our identity provider (Okta), retained under Requirement 10. The same process covers the A1.2.2 forensic-support and A1.2.3 incident-reporting obligations, so a tenant's investigators follow a documented path rather than an ad hoc request. The process is mapped to the CSA Cloud Controls Matrix (CCM) v4 as a supporting framework; the PCI DSS obligations it satisfies are Requirements 12.8, 12.9 and Appendix A1.2.
