All tenants of a public or private cloud face a dilemma: scope. Tenants want everything to be in scope. Cloud Service Providers (CSPs) want to limit scope to the bare minimum. What does it mean for a cloud to be ‘PCI Compliant’, and why is this a requirement for some tenants? The real issue is what is in scope for PCI-DSS while your data is in the cloud, and how you as the tenant can meet those requirements. Remember, in the cloud, scope becomes a huge issue and a dilemma for the tenant, mainly because they may not know the scope of the cloud provider’s audit and may never find out. So what is this scope issue, and can it be fixed?