What is PCI DSS?

The Payment Card Industry (PCI) Data Security Standard (DSS) is a credit card industry security standard that defines the level of security required of the people, processes and technology involved in storing, processing or transmitting credit card data. PCI DSS applies to merchants, processors, and service providers, as well as all other entities that store, process, or transmit credit card data. A PCI DSS Attestation of Compliance (AOC) is ultimately an entity's attestation that a specified level of security is required and is in place.

Roles and Responsibilities

Any organization storing, processing or transmitting credit card data is required to be assessed against the PCI DSS. Within the PCI DSS, entities that engage service providers are responsible for verifying that those service providers are compliant and for clearly defining each party's roles and responsibilities for storing, processing and transmitting credit card data. When customers use one of Citrix’s services as part of their credit card data processes, Citrix is acting as a service provider and has defined the roles and responsibilities between itself and the entity using the product or service.

Citrix and PCI DSS Compliance

Citrix supports customer PCI DSS compliance

Citrix offers several products and services assessed against the PCI DSS for customers storing, processing, or transmitting protected cardholder data in the cloud. Citrix undergoes a PCI DSS assessment by a Qualified Security Assessor (QSA) annually to evaluate our services and controls.

While Citrix helps support the customer’s PCI DSS compliance, using Citrix products and services does not achieve PCI DSS compliance on its own. Customers are responsible for ensuring they have an adequate compliance program, internal processes, and controls in place to achieve and maintain their PCI DSS compliance requirements.

Citrix certifications and documentation

To get started, please review all the documentation below. Citrix Cloud-based Services rely on the customer to fulfill the intent of some of the PCI DSS requirements through their own configurations, and the customer is solely responsible for configuring the product and their overall environment and processes to ensure PCI DSS compliance.

Citrix PCI DSS Attestation of Compliance

Citrix performs an annual assessment of products, services, and processes for alignment with PCI DSS requirements. Citrix’s compliance with PCI DSS has been verified by an independent, third-party security consulting firm, Risk3Sixty, which has provided the Attestation of Compliance documents for the Citrix products or services listed below.

Citrix Cloud-Based Services Roles and Responsibilities

This responsibility matrix has been created to clarify the PCI compliance responsibilities of Citrix and of the customers of Citrix Cloud-based Services, and to support Citrix customers in implementing security controls for their use of Citrix Cloud-based Services. Compliance with PCI DSS depends on which Citrix Cloud-based Services are being utilized and how the customer has implemented them.