
A1.1.1 Logical separation is implemented as follows:

Original requirement from PCI DSS v4.0.1

Defined Approach Requirements

A1.1.1 Logical separation is implemented as follows:

  • The provider cannot access its customers' environments without authorization.
  • Customers cannot access the provider's environment without authorization.

Customized Approach Objective

Customers cannot access the provider's environment. The provider cannot access its customers' environments without authorization.

Applicability Notes

This requirement is a best practice until 31 March 2025, after which it will be required and must be fully considered during a PCI DSS assessment.

Defined Approach Testing Procedures

A1.1.1 Examine documentation and system and network configurations and interview personnel to verify that logical separation is implemented in accordance with all elements specified in this requirement.

Purpose

Without controls between the provider's environment and the customer's environment, a malicious actor within the provider's environment could compromise the customer's environment, and similarly, a malicious actor in a customer environment could compromise the provider and potentially other of the provider's customers.

Multi-tenant environments should be isolated from each other and from the provider's infrastructure such that they can be separately managed entities with no connectivity between them.

Good Practice

Providers should ensure strong separation between the environments that are designed for customer access, for example, configuration and billing portals, and the provider's private environment that should only be accessed by authorized provider personnel.

Service provider access to customer environments is performed in accordance with requirement 8.2.3.

Further Information

Refer to the Information Supplement: PCI SSC Cloud Computing Guidelines for further guidance on cloud environments.

Purpose

Document and communicate policies and procedures for multi-tenant service providers.

Compliance Strategies

  • Centralized policy repository
  • Annual review and staff training

Typical Policies

  • Multi-Tenant Security Policy
  • Service Provider Procedures

Common Pitfalls

  • Outdated documentation
  • Staff unaware of requirements

Type

Documentation Control

Difficulty

Low

Key Risks

  • Inconsistent application of controls across tenants

Recommendations

  • Use document management systems for version control

Eligible SAQ

  • SAQ-D SERVICE PROVIDER
