< Compliance
CenturyLink IaaS offers foundation for PCI-DSS 3.0 compliance

Hosted and Private Cloud Services for PCI DSS Compliance

PCI DSS is the security certification that applies to any organization or merchants that accepts, transmits or stores any credit card data. PCI compliance warrants close scrutiny by any organization's IT Security team because fines for non-compliance can exceed tens or even hundreds of thousands of dollars.

CenturyLink offers a full menu of PCI-DSS-compliant technology solutions and is listed with VISA as a compliant service provider. Inclusion in this listing is possible because CenturyLink has obtained the following passing Reports on Compliance (ROC):

  • Managed Firewalls and NIDS Services (not location specific): Cisco ASA and Check Point firewalls, and Network Intrusion Detection Systems (NIDS)
  • iQ Private Port (not location specific): MPLS based on WAN platform for customer provisioning and management on the network
  • Network Integrated Cloud Contact Center Solutions: Hosted Interactive Voice Response and Network Common Area contact center solutions
  • Managed Enterprise Services (MES) include Managed Data, Managed Cloud, Managed Voice, and Managed Security
  • Managed Services Administration covers CenturyLink jump hosts and anti-virus (AV) infrastructure

CTL provides services to many level 1 and level 2 merchants, credit card processing companies and other parties who must demonstrate PCI compliance in environments that utilize CTL services. Our customers have used third-party Qualified Security Assessors (QSAs) to examine their PCI compliance, leveraging CTL services. These QSAs, in turn, have submitted ROCs that attest to our customers' adherence to the PCI DSS. Customers leveraging our existing certifications will benefit by reducing the duration and costs of their PCI audits. CTL benefits by reducing the amount of customer audits we have to participate in.

Frequently Asked Questions

What is PCI DSS?

The Payment Card Industry Data Security Standard also known as PCI DSS is a multi-faceted security standard that includes requirements for security management, policies, procedures, network architecture, software design and other critical protective measures. This comprehensive standard is intended to help organizations protect systems used to store, process or transmit cardholder data.

What is a ROC?

ROC stands for Report on Compliance. It is a report containing the details of an entity’s PCI assessment.

What is an AOC?

AOC stands for Attestation of Compliance. It is the official PCI compliance certification document.

Who is affected by PCI DSS?

Any organization that stores, processes or transmits cardholder data, or can impact the security of those environments are subject to PCI DSS requirements. This applies to organizations that store cardholder data in paper or electronic form.

What is the role of IT in PCI DSS compliance?

Information technology is at the core of compliance with this data security standard. IT professionals deploy, monitor, test and maintain the network components, which support transactions involving cardholder data. Those components can be almost anything attached to the network, including servers, switches, routers, firewalls and other applications.

The PCI Security Standards Council recommends that the parts of the network that are involved with cardholder data be isolated, which makes it possible to rein in the network environment subject to the standard. Otherwise, an organization's entire network can be subject to PCI DSS and, consequently, to the annual assessment.

A CenturyLink Customer is going through a PCI audit, what do we provide them?

Customers going through a PCI audit can leverage the existing CenturyLink PCI ROC Letter and Attestation of Compliance (AOC) from our PCI auditor (QSA) as part of their audits. This means the Customer's auditor does not need to audit those areas again; they can just leverage the audit CenturyLink conducted. This Letter contains the date of the assessment, the scope, responsibility matrix for each in-scope requirement, as well as the result of the assessment. The AOC is the official PCI Certification document. These documents may be shared with the customers QSA.

Is CenturyLink considered a Service Provider under PCI definitions?

Yes. CenturyLink is listed as a Hosting Service Provider on the VISA website.

View a Dedicated Cloud Compute architecture for PCI compliance.

Data Center Locations
  • Albuquerque, NM (AB3)
  • Atlanta, GA (AT1)
  • Bangalore, India (BLR2)
  • Boston, MA (B01, B02, B03)
  • Burbank, CA (BR1/POP)
  • Chicago, IL (CH2, CH3, CH4/POP)
  • Columbus, OH (CL1)
  • Dallas, TX (DL 1, DL2)
  • Denver, CO (DN1, DN2, DN3)
  • Frankfurt, Germany (FR6)
  • Hong Kong (HK2)
  • Houston, TX (HSPOP)
  • Jersey City, NJ (NJ1)
  • Kansas City, MO (KSPOP)
  • London, United Kingdom (L01, L03, L04, L05, L06)
  • Los Angeles, CA (LA1)
  • Minneapolis, MN (MP1, MP2)
  • Montreal, Canada (MR1)
  • Newark, NJ (NJ5)
  • Orange County, CA (OC2)
  • Phoenix, AZ (PH1, PH2, PHPOP)
  • Piscataway, NJ (NJ3, NJ4)
  • Santa Clara, CA (SC4, SC5, SC8, SC9)
  • Seattle, WA (SE2, SE3, SE4/POP)
  • Singapore (SG2, SGS)
  • St. Louis, MO (SL1)
  • Sterling, VA (DC2, DC3, DC4, DC5, DC6, DC7)
  • Sunnyvale, CA (SN 1, SN2)
  • Tampa, FL (TP1, TPPOP)
  • Tokyo, Japan (TY6)
  • Toronto, Canada (TR1, TR3)
  • Vancouver, Canada (VC1)
  • Washington, DC (DCPOP)
  • Weehauken, NJ (NJ2, NJ2)

These colocation data centers are certified for PCI compliance:

United States

  • Albuquerque (ABQ1)
  • Atlanta (ATL1)
  • Boston (BOS1, BO2, BO3)
  • Chicago (ORD1, ORD2)
  • Columbus (CMH1)
  • Dallas (DFW1, DL1, DL2)
  • Denver (DEN1, DEN2)
  • Las Vegas (LAS10, LAS11, LAS12)
  • Los Angeles (LAX1, LAX2, LAx3)
  • Minneapolis (MSP1)
  • Moses Lake (MSP1)
  • New York/New Jersey (EWR1, EWR2, EWR3, EWR4)
  • Saint Louis (STL1)
  • San Francisco (SFO1, SFO2, SFO3)
  • Seattle (SEA1, SEA2)
  • Tampa (TPA1)


  • Markham (YYZ2)
  • Mississauga (YYZ1)
  • Montreal (YUL1)
  • Vancouver (YVR1)


  • London (LHR1, LHR2, LHR3)
  • Frankfurt (FRA1)

Asia Pacific

  • Singapore (SIN1, SIN2)
  • Tokyo (HDN1)
  • Hong Kong (HKG1)

Related Products

Cloud Servers

Hybrid-ready public cloud provides the agility, scalability and security expected from an enterprise-class cloud, backed by an industry leading global network.

Managed Services

Experts at the ready to maintain and administer your cloud deployments. Rapid provisioning, hourly billing, and highly automated.

Managed Security

A full complement of threat prevention, threat management, incident response and analysis services to support your hosted or on-premise enterprise security environments.

Managed Hosting

Maintain complex IT infrastructure and applications with our comprehensive portfolio of managed hosting services including, fully manage networks, servers, storage, operating systems, and security.

Managed Storage & Backups

Gives a range of storage options including data replication and back up/archiving. CenturyLink solutions are secure, affordable and can provide data resilience with up to 5 nines.