PCI DSS Cloud Service Provider Compliance

Verizon has publicly shared some perspective on how they approach PCI DSS compliance as a cloud service provider:

But what does PCI DSS compliance by a cloud services provider actually mean and what value does this provide to an enterprise?

Cloud services providers, such as Verizon, which have obtained PCI DSS Level 1 compliance, must undergo extensive preparation, testing and assessment of their cloud environment to verify that it is built and operated in a manner that meets the security standards that enterprises require. Cloud services providers must undergo a third-party audit and, due to the nature of a cloud services provider’s environment, there is also the responsibility for day-to-day governance required to maintain its security posture and provide the necessary transparency to customers. In addition, achievement of PCI DSS compliance by a cloud services provider for its cloud infrastructure offers customers verification that the following will occur:

  • Annual penetration tests
  • Quarterly vulnerability scanning using an Approved Scanning Vendor
  • Architecture reviews validating environment isolation on a per-customer basis
  • Virtual environment configuration reviews of hypervisor and virtual switches
  • Log collection and auditability
  • Authentication
  • Process and procedure definition and documentation
