It\u2019s all in the cloud. Well, if you listen to corporate marketing, everything is in the cloud (or moving there shortly). Wouldn\u2019t it be best to offload all your data (and your concerns) to someone up in the cloud \u2013 like Microsoft, Amazon, Google or any one of the myriad of independent cloud providers? You could even go and create your own private cloud, but neither a private cloud nor any other cloud solution gets you around the compliance tasks you\u2019re responsible for now.\nYou\u2019re still responsible for the control, protection and disposition of your data \u2013 regardless of where it resides. PCI-DSS 3.0 is a perfect example, and, luckily, they\u2019ve laid it all out for us. Corporations are responsible both for establishing requirements and reviewing them with any third party vendors who have access to data that is covered by regulatory compliance. In effect, as charges of your company, third party vendors are just like any other employee \u2013 and you must ensure that chain of custody is maintained (and compliant) at all times. Sounds like a tall order, doesn\u2019t it? Well, it is, but there are things you can do to make your lives easier and ensure you\u2019re always in compliance.\nFirst, communicate the broad and specific requirements with any third party vendor who has access to (or even controls who has access to) your data. Assume that their assets are under the same set of controls you have on premises. Make sure they know you can be audited at any time, and, therefore, they could be asked for audit reporting on any or all of the requirements, also at any time. Next, establish a date at which you can randomly spot check your third party vendors for compliance (by asking for auditor-ready reports). Be sure to have primary and secondary contacts for your vendors in case someone should change roles or be unavailable for you. You also should have a service level agreement in place that covers both response to the request and delivery of assets (reports, in this case), so that what you need, and when you need it, are clear.\nFinally, put a process in place that allows for anyone in your company to initiate a request for audit reports from your vendors. This should be a step-by-step guide with complete information on who to contact, what to ask, and what the deliverables should look like.