Hosting a PCI compliant app on GCP is straightforward.

  • Create a separate project for all the PCI data. The web tier should reside in a different project from the pcidata project.
  • Ensure that firewall rules restrict ingress into the pcidata network.
  • Ensure that there is a load balancer in front of the web tier to handle HTTPS traffic from end users.
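
The project separation and pcidata ingress rules from the steps above, written out as Terraform. This is an added example, not configuration from the original page. The project ids, the org and billing placeholders, the web-tier range 10.10.0.0/24 and port 5432 are assumptions; the web project's own network and the connectivity between the two VPCs (peering or Shared VPC) are not shown.

```hcl
# Added example, not from the original page. Project ids, org/billing
# placeholders, the web-tier CIDR and the data port are all assumptions.

# Step 1: PCI data and the web tier live in separate projects.
resource "google_project" "pcidata" {
  name            = "pcidata"
  project_id      = "pcidata-example-id"            # assumed id
  org_id          = "ORG_ID_PLACEHOLDER"            # placeholder, replace
  billing_account = "BILLING_ACCOUNT_PLACEHOLDER"   # placeholder, replace
}
resource "google_project" "web" {
  name            = "web"
  project_id      = "web-example-id"                # assumed id
  org_id          = "ORG_ID_PLACEHOLDER"
  billing_account = "BILLING_ACCOUNT_PLACEHOLDER"
}

# Custom-mode VPC for the PCI data: no auto-created subnets, so none of the
# permissive default firewall rules of an auto-mode network appear.
resource "google_compute_network" "pcidata" {
  project                 = google_project.pcidata.project_id
  name                    = "pcidata-vpc"
  auto_create_subnetworks = false
}

# Step 2: ingress into the pcidata network. Deny everything at the lowest
# user priority, then allow only the web-tier subnet to reach tagged hosts.
resource "google_compute_firewall" "pcidata_deny_all_ingress" {
  project       = google_project.pcidata.project_id
  name          = "pcidata-deny-all-ingress"
  network       = google_compute_network.pcidata.name
  direction     = "INGRESS"
  priority      = 65534
  source_ranges = ["0.0.0.0/0"]
  deny { protocol = "all" }
}
resource "google_compute_firewall" "pcidata_allow_from_web" {
  project       = google_project.pcidata.project_id
  name          = "pcidata-allow-from-web-tier"
  network       = google_compute_network.pcidata.name
  direction     = "INGRESS"
  priority      = 1000
  source_ranges = ["10.10.0.0/24"]   # web-tier subnet range, assumed
  target_tags   = ["pcidata"]        # only instances carrying this tag
  allow {
    protocol = "tcp"
    ports    = ["5432"]              # assumed data service port
  }
}
```

Anything in the pcidata VPC without the `pcidata` tag is reachable from nowhere, which is the intended failure mode; widen `source_ranges` only to the specific web-tier range, never to 0.0.0.0/0.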

What about compliance monitoring?

You would want to use Security Command Center Premium Tier. In the Premium tier, Security Health Analytics includes monitoring and reporting for:

  • CIS 1.0
  • PCI DSS v3.2.1
  • NIST 800-53
  • ISO 27001