We’re in the process of making sense of the new guidance from the PCI Virtualization Special Interest Group (SIG). According to the guidance, cloud providers are obligated to “provide sufficient evidence and assurance that all processes and components under their control are PCI DSS compliant.” Our question is, what constitutes sufficient evidence, and is it sufficient according to us, the customer, or sufficient according to their interpretation of PCI DSS? Basically, we’d like to know how to approach the conversation about this guidance with our cloud provider.