PCI DSS Responsibility Matrix
Answer ID 8758   |   Last Review Date 06/08/2022

Who is responsible for each of the Payment Card Industry Data Security Standards (PCI DSS) controls?


PCI pods (Includes US Federal Government pods)


Oracle and its Service Cloud Customers share responsibility for ensuring their Service Cloud implementation meets the Payment Card Industry Data Security Standards (PCI DSS) V3.2.1 controls. While the PCI DSS covers all forms of credit card processing, not all parts may apply to your business model and usage of Service Cloud.

While Oracle’s Service Cloud Service is assessed annually for compliance with the PCI DSS controls, the assessment covers the environment as your Cloud Service Provider and the software as delivered “out of the box”. Customers have opportunities to extend and customize the solution to their business needs, but those customizations are not covered by the annual Oracle PCI assessment. To help clarify the roles and responsibilities for performing tasks related to PCI DSS controls, we are providing the attached Ownership Matrix (see below).

For more information, see the following resources:

PCI (PC Pod) Frequently Asked Questions

Guidance for Implementing in PCI or HIPAA Service Cloud Environment.