Below is a list of frequently asked questions about AWS PCI compliance.
The Payment Card Industry (PCI) Data Security Standard (DSS) is an information security standard defined by the Payment Card Industry Security Standards Council. PCI certification is required for organizations (merchants and service providers) that process credit card payments. The certification is designed to prevent credit card fraud through increased controls around cardholder data and its exposure to compromise. The standard applies to all organizations that store, process, or transmit cardholder information from any card bearing the logo of one of the participating card brands.
PCI DSS specifies best practices and a set of security controls. Certification against the standard requires organizations to:
- Build and maintain a secure network
- Protect cardholder data
- Maintain a vulnerability management program
- Implement strong access control measures
- Regularly monitor and test networks
- Maintain an information security policy
All organizations processing credit card information, regardless of their deployment model, are required to be certified. For larger merchants (Merchant Level 1 is the largest type), validation by an independent, approved assessor is required. A PCI Qualified Security Assessor (QSA) is authorized to perform an independent assessment and certify an organization.
Yes. The AWS services listed below and their supporting infrastructures are PCI DSS compliant. This compliance has been validated by an authorized independent Qualified Security Assessor.
PCI “certification” is a term reserved for those merchants who require certification to process credit card transactions. AWS, as a service provider, does not directly manage a cardholder data environment (and therefore, unlike merchants, does not require certification). AWS provides a secure environment that has been validated by a QSA, allowing merchants to establish a secure cardholder data environment and to achieve their own certification, with confidence that their underlying technology infrastructure is compliant. Achieving PCI DSS 2.0 validation for AWS helps our customers obtain their own PCI certification.
Service provider levels are defined as:
- Level 1: Any service provider that stores, processes and/or transmits over 300,000 transactions annually
- Level 2: Any service provider that stores, processes and/or transmits fewer than 300,000 transactions annually
Services that support the processing, storage, and transmission of credit card data by a merchant or service provider have been validated as being compliant with PCI standards. These services include:
- Amazon DynamoDB (DDB)
- Amazon Elastic Block Store (EBS)
- Amazon Elastic Compute Cloud (EC2)
- Amazon Elastic MapReduce (EMR)
- Amazon Glacier
- Amazon Redshift
- Amazon Relational Database Service (RDS)
- Amazon Simple Storage Service (S3)
- Amazon SimpleDB (SDB)
- Amazon Virtual Private Cloud (VPC)
- AWS CloudHSM
- AWS Direct Connect
- AWS Identity and Access Management (IAM)
- Elastic Load Balancing (ELB)
- The underlying physical infrastructure (including GovCloud) and the AWS Management Environment
The scope of the AWS PCI compliance for the services defined above applies to AWS data centers in US East (Northern Virginia), US West (Oregon), US West (Northern California), AWS GovCloud (US) (Oregon), EU (Ireland), Asia Pacific (Singapore), Asia Pacific (Tokyo), Asia Pacific (Sydney), and South America (Sao Paulo).
Our PCI Service Provider status means that customers who use our services to store, process or transmit cardholder data can rely on our PCI compliance validation for the technology infrastructure as they manage their own compliance and certification, including PCI audits and responses to incidents. Our service provider compliance covers all requirements defined by PCI DSS for physical infrastructure service providers. Moving the cardholder data environment to AWS can simplify your own PCI compliance by relying on our PCI compliance validation for the infrastructure layer.
Our PCI compliance further demonstrates our commitment to information security at every level. Compliance with the DSS standard, validated by an independent third-party audit, confirms that our security management program is comprehensive and follows leading practices. This validation provides more clarity and assurance for customers evaluating the breadth and strength of our security practices.
All merchants manage their own PCI certification. For the portion of the PCI cardholder environment deployed in AWS, your QSA can rely on our PCI compliance, but you will still be required to satisfy all other PCI compliance and testing requirements, including how you manage the cardholder environment that you host with AWS.
For customers pursuing PCI certification, upon request, AWS will provide a PCI Compliance Package that includes authoritative compliance documentation from the AWS QSA. This includes the QSA’s Attestation of Compliance document and the AWS PCI DSS Controls Responsibility Summary, also published by the QSA, which contains:
- An Executive Summary, including a business description and a description of the in-scope environment. This content is aligned to that contained in the AWS Report on Compliance.
- Customer Implementation Considerations, including implementation details to be considered relevant to a PCI environment.
- Responsibility of PCI Requirements for a Customer’s Environment, which is a detailed matrix of PCI DSS controls and the description of responsibility for each individual control.
The content of this package aids in a customer’s PCI audit by clarifying which controls under PCI DSS are the customer’s responsibility and which are AWS’ responsibility.
The AWS PCI Compliance Package is provided to customers under NDA who request it through their business development contact. If a customer does not know their business development representative, they can contact customer support directly at http://aws.amazon.com/compliance/contact/.
No. AWS conducts PCI compliance assessments separately from other compliance initiatives. PCI assessors are not required to rely on Service Organization Control (SOC 1) reports to complete their certification evaluation or testing; AWS can provide formal PCI documentation upon request.
Yes, numerous AWS customers have successfully deployed and certified part or all of their cardholder environments on AWS. AWS does not disclose the customers who have achieved PCI certification, but does regularly work with customers and their PCI assessors in planning for, deploying, certifying, and performing quarterly scanning of a cardholder environment on AWS.
No. The AWS environment is a virtualized, multi-tenant environment. AWS has implemented security management processes, PCI controls, and other compensating controls that securely segregate each customer into its own protected environment. This architecture has been validated by an independent QSA and was found to be in compliance with all requirements of DSS version 2.0, published in October 2010. Merchants who process, store, and/or transmit credit card data on the AWS infrastructure can be PCI compliant, including Level 1 merchants.
In February 2013, the PCI Security Standards Council released the PCI DSS Cloud Computing Guidelines. These guidelines provide customers who are managing a cardholder data environment with considerations for maintaining PCI DSS controls in the cloud. AWS has incorporated the PCI DSS Cloud Computing Guidelines into the AWS PCI Compliance Package for customers. The AWS PCI Compliance Package includes the AWS PCI Attestation of Compliance (AoC), which shows that AWS has been successfully validated against the standards applicable to a Level 1 service provider under PCI DSS Version 2.0, and the AWS PCI Responsibility Summary, which explains how compliance responsibilities are shared between AWS and our customers in the cloud.
No. A merchant can obtain certification without a physical walkthrough of a service provider’s data center if the service provider is Level 1 PCI compliant (such as AWS). A merchant’s QSA can rely on the work performed by our QSA, which included an extensive review of the physical security of our data centers.
Yes. AWS manages forensic investigations in alignment with PCI DSS requirement A.1.4. Customers or their designated Qualified Incident Response Assessors (QIRA) can contact AWS as required to perform forensic investigations.
No. The entire infrastructure that supports the in-scope services is compliant, and there is no separate environment or special API to use. Any server or data object deployed in or using these services within an in-scope region is in a PCI compliant environment.
Yes. There are nine regions compliant with the PCI DSS standard: US East (Northern Virginia), US West (Oregon), US West (Northern California), AWS GovCloud (US) (Oregon), EU (Ireland), Asia Pacific (Singapore), Asia Pacific (Tokyo), Asia Pacific (Sydney), and South America (Sao Paulo). These regions are included in the independent QSA validation scope. PCI DSS is a global standard and does not change based on geography.
Yes. You can download the standard directly from the PCI Security Standards Council.