AWS Security Blog

AWS Becomes First Cloud Service Provider to Adopt New PCI DSS 3.2


We are happy to announce the availability of the Amazon Web Services PCI DSS 3.2 Compliance Package for the 2016/2017 cycle. AWS is the first cloud service provider (CSP) to successfully complete the assessment against the newly released PCI Data Security Standard (PCI DSS) version 3.2, 18 months in advance of the mandatory February 1, 2018, deadline. The AWS Attestation of Compliance (AoC), available upon request, now features 26 PCI DSS certified services, including the latest additions of Amazon EC2 Container Service (ECS), AWS Config, and AWS WAF (a web application firewall). We at AWS are committed to this international information security and compliance program, and adopting the new standard as early as possible once again demonstrates our commitment to information security as our highest priority. Our customers (and customers of our customers) can operate confidently as they store and process credit card information (and any other sensitive data) in the cloud, knowing that AWS products and services are tested against the latest and most mature set of PCI compliance requirements.

What’s new in PCI DSS 3.2?

The PCI Standards Council published PCI DSS 3.2 in April 2016 as the most up-to-date set of requirements available. PCI DSS version 3.2 revises and clarifies the online credit card transaction requirements around encryption, access control, change management, application security, and risk management programs. Specific changes, per the PCI Security Standards Council’s Chief Technology Officer Troy Leach, include:

  • A change management process is now required as part of implementing a continuous monitoring environment (versus a yearly assessment).
  • Service providers are now required to detect and report on failures of critical security control systems.
  • The penetration testing requirement was increased from yearly to once every six months.
  • Multi-factor authentication is a requirement for personnel with non-console administrative access to systems handling card data.
  • Service providers are now required to perform quarterly reviews to confirm that personnel are following security policies and operational procedures.

Intended use of the Compliance Package

The AWS PCI DSS Compliance Package is intended to be used by AWS customers and their compliance advisors to understand the scope of the AWS Service Provider PCI DSS assessment and the expectations for responsibilities when using AWS products as part of the customer’s cardholder data environment. Customers and assessors should be familiar with the AWS PCI FAQs, and with the security best practices and recommendations published in Technical Workbook: PCI Compliance in the AWS Cloud. This Compliance Package will also assist AWS customers in:

  • Planning to host a PCI Cardholder Data Environment at AWS.
  • Preparing for a PCI DSS assessment.
  • Assessing, documenting, and certifying the deployment of a Cardholder Data Environment on AWS.

Additionally, the AWS PCI DSS Compliance Package contains AWS’s Attestation of Compliance (AoC). Provided by a PCI SSC Qualified Security Assessor Company, the AoC attests that AWS is a PCI DSS “Compliant” Level 1 service provider. Service provider Level 1, the highest level requiring the most stringent assessment requirements, is required for any service provider that stores, processes, and/or transmits more than 300,000 transactions annually. Our AoC also provides AWS customers assurance that the AWS infrastructure meets all of the applicable PCI DSS requirements. Note: As a part of the Payment Brand’s annual PCI DSS compliance validation process for Service Providers, the AWS AoC is also approved by Visa and MasterCard.

Our Compliance Package also includes a Responsibility Summary, which illustrates the Shared Responsibility Model between AWS and customers to fulfill each of the PCI DSS requirements. This document was validated by a Qualified Security Assessor Company, and its contents are aligned with the AWS Report on Compliance.

This document includes:

  • An Executive Summary, a Business Description, and the Description of PCI DSS In-Scope Services.
  • PCI DSS Responsibility Requirements – AWS & Customers Responsibilities for In-Scope Services.
  • Appendix A1: Additional PCI DSS Requirements for Shared Hosting Providers.
  • Appendix A2: Additional PCI DSS Requirements for Entities Using SSL/Early TLS.

To request an AWS PCI DSS Compliance Package, please contact AWS Sales and Business Development. If you have any other questions about this package or its contents, please contact your AWS Sales or Business Development representative or visit the AWS Compliance website for more information.

Chad Woolf
Director, AWS Risk and Compliance

Chad Woolf

Chad joined Amazon in 2010 and built the AWS compliance functions from the ground up, including audit and certifications, privacy, contract compliance, control automation engineering and security process monitoring. Chad’s work also includes enabling public sector and regulated industry adoption of the AWS cloud, compliance with complex privacy regulations such as GDPR and operating a trade and product compliance team in conjunction with global region expansion. Prior to joining AWS, Chad spent 12 years with Ernst & Young as a Senior Manager working directly with Fortune 100 companies consulting on IT process, security, risk, and vendor management advisory work, as well as designing and deploying global security and assurance software solutions. Chad holds a Masters of Information Systems Management and a Bachelors of Accounting from Brigham Young University, Utah.