The platform isn't. But check this thread for workarounds: http://boards.developerforce.com/t5/General-Development/Is-the-Force-com-platform-PCI-DSS-compliant/td-p/69636
It never used to be, but in Nov 2011 they became PCI compliant. It's on VISA's list of PCI certified customers.
http://usa.visa.com/download/merchants/cisp-list-of-pcidss-compliant-service-providers.pdf
However, our clients want more than just a reference to the list.
Yes, as the thread I posted states, salesforce.com as an organization are PCI compliant, but the Salesforce.com Sales Cloud, Service Cloud, Force.com applications are not and why would they be? (e.g. Where in the standard build does it hold Credit Card details?).
The answer will be the same as for any system in an organisation, it's part of the end-customer's PCI compliance assessment. If you are capturing Credit Card data and storing it in Salesforce.com, even in an encrypted field, I strongly suggest you review this. The Data Residency Option (whenever it becomes GA) would be a potential solution for PCI compliance.
HTH