AWS Security Blog

PCI Compliance in the AWS Cloud

PCI compliance in the cloud is an important topic for many of our customers. Our PCI FAQ page has received more than 45,000 views, and we have issued our PCI compliance package directly to customers in all major regions and industry verticals. To build on our growing demand of PCI enablers, today we’re happy to announce the release of a new PCI compliance resource for customers. We’ve partnered with Anitian, a Qualified Security Assessor Company (QSAC), on the development and publication of a Workbook for PCI Compliance in the AWS Cloud. This workbook provides guidance around AWS service methodologies for deploying PCI compliance capability within AWS.

The new PCI workbook provides three sample reference architectures outlining the most common PCI-compliant environments:

  1. Dedicated – An AWS PCI environment that is not connected to anything else.
  2. Segmented – A larger AWS environment that has both a Card Data Environment (CDE) and in-scope systems.
  3. Connected – An environment that has both AWS and on-premises items.

Additionally, the workbook contains general guidance and strategies for using AWS services to meet the twelve top-level PCI requirements, as well as links and tips for configuring the use of AWS in a PCI-compliant manner.

Please contact us with questions about complying with financial service regulations or meeting your compliance requirements in the cloud.

– Chad Woolf, Director, AWS Risk and Compliance

Want more AWS Security how-to content, news, and feature announcements? Follow us on Twitter.


Chad Woolf

Chad joined Amazon in 2010 and built the AWS compliance functions from the ground up, including audit and certifications, privacy, contract compliance, control automation engineering and security process monitoring. Chad’s work also includes enabling public sector and regulated industry adoption of the AWS cloud, compliance with complex privacy regulations such as GDPR and operating a trade and product compliance team in conjunction with global region expansion. Prior to joining AWS, Chad spent 12 years with Ernst & Young as a Senior Manager working directly with Fortune 100 companies consulting on IT process, security, risk, and vendor management advisory work, as well as designing and deploying global security and assurance software solutions. Chad holds a Masters of Information Systems Management and a Bachelors of Accounting from Brigham Young University, Utah. Follow Chad on Twitter.