There is a dilemma for all tenants of a public or private cloud: Scope. For the tenant, they want everything to be in scope. For the Cloud Service Provider (CSP) they want to limit scope to the bare minimum. What does it mean for a Cloud to be ‘PCI Compliant’ and why is this a requirement for some tenants. The real issue, is what is in scope for PCI-DSS while your data is in the cloud and how can you as the tenant meet those requirements.