“Does your datacentre have PCI DSS certification?”
Fair question. Usually the wrong one — because it assumes certification flows downhill. Certify the datacentre, and everything inside it comes covered.
It doesn’t work like that.
PCI DSS attaches to an environment, not an address. The provider’s certification covers the provider’s half — the physical estate, the infrastructure they run. You inherit exactly that and not a millimetre more. Their attestation says nothing about your configuration, your access, your segmentation. The moment your cardholder data lands on their platform, that environment is yours to answer for.
Here’s the line people miss: you don’t inherit compliance. You inherit a head start. The provider’s controls count toward your assessment — that’s what their Attestation of Compliance and the shared-responsibility matrix are for. Everything on your side of that matrix, you still have to prove. None of it is automatic.
And the bar isn’t one-size. Validation scales with transaction volume — same standard for everyone, but a business doing a few thousand card transactions a year self-assesses, while one doing millions gets the full audit. Same rules. Very different scrutiny.
“Is the datacentre certified” tells you almost nothing about whether you are. Better questions: what’s in scope, who owns which controls, what level am I held to.
Compliance isn’t a sticker the building hands you. It’s a line you draw around your own environment — and then defend.