The Payment Card Industry Data Security Standard (PCI DSS) is a proprietary information security standard administered by the PCI Security Standards Council, which was founded by American Express, Discover Financial Services, JCB International, MasterCard Worldwide and Visa Inc.
PCI DSS applies to all entities that store, process, or transmit cardholder data (CHD) or sensitive authentication data (SAD), including merchants, processors, acquirers, issuers, and service providers. The PCI DSS is mandated by the card brands and administered by the Payment Card Industry Security Standards Council.
The PCI DSS Attestation of Compliance (AOC) and Responsibility Summary is available to customers by using AWS Artifact, a self-service portal for on-demand access to AWS compliance reports. Sign in to AWS Artifact in the AWS Management Console, or learn more at Getting Started with AWS Artifact.
Is AWS PCI DSS Certified?
Yes, Amazon Web Services (AWS) is certified as a PCI DSS 3.2 Level 1 Service Provider, the highest level of assessment available. The compliance assessment was conducted by Coalfire Systems Inc., an independent Qualified Security Assessor (QSA). The PCI DSS Attestation of Compliance (AOC) and Responsibility Summary are available to customers by using AWS Artifact, a self-service portal for on-demand access to AWS compliance reports. Sign in to AWS Artifact in the AWS Management Console, or learn more at Getting Started with AWS Artifact.
Which AWS services are PCI DSS compliant?
What does this mean to me as a PCI DSS merchant or service provider?
As a customer who uses AWS products and services to store, process, or transmit cardholder data, you can rely on AWS technology infrastructure as you manage your own PCI DSS compliance certification.
AWS does not directly store, transmit, or process any customer cardholder data (CHD). However, you may create your own cardholder data environment (CDE) that can store, transmit, or process cardholder data using AWS products.
What does this mean to me as a non-PCI DSS merchant customer?
Even if you are a non-PCI DSS customer, our PCI DSS compliance demonstrates our commitment to information security at every level. Because the PCI DSS standard is validated by an external independent third party, it confirms that our security management program is comprehensive and follows leading industry practices.
As an AWS customer, can I rely on the AWS Attestation of Compliance (AOC) or will additional testing be required for to be fully compliant?
Customers must manage their own PCI DSS compliance certification, and additional testing will be required to verify that your environment satisfies all PCS DSS requirements. However, for the portion of the PCI cardholder data environment (CDE) that is deployed in AWS, your Qualified Security Assessor (QSA) can rely on AWS Attestation of Compliance (AOC) without further testing.
How can I learn which PCI DSS controls I am responsible for?
For detailed information please see "AWS 2016 PCI DSS 3.2 Responsibility Summary" from the AWS PCI DSS Compliance Package, available to customers by using AWS Artifact, a self-service portal for on-demand access to AWS compliance reports. Sign in to AWS Artifact in the AWS Management Console, or learn more at Getting Started with AWS Artifact.
How can I obtain the AWS PCI Compliance Package?
What does the AWS PCI DSS Compliance Package contain?
The AWS PCI Compliance Package includes:
- AWS PCI DSS 3.2.1 Attestation of Compliance (AOC)
- AWS PCI DSS 3.2.1 Responsibility Summary
Is AWS listed on the Visa Global Registry of Service Providers and the MasterCard Compliant Service Provider List?
Does the PCI DSS standard require single-tenant environments in order to be compliant?
No. The AWS environment is a virtualized, multi-tenant environment. AWS has effectively implemented security management processes, PCI DSS requirements, and other compensating controls that effectively and securely segregate each customer into its own protected environment. This secure architecture has been validated by an independent QSA and was found to be in compliance with all requirements of PCI DSS version 3.2 published in April 2016.
PCI Security Standards Council has published PCI DSS Cloud Computing Guidelines 2.0 for customers, service providers, and assessors of cloud computing services. It also describes service models and how compliance roles and responsibilities are shared between providers and customers.
Additionally, Third-Party Security Assurance 2016 provides supplemental information that organizations can use when selecting, using, and managing third-party service providers with whom cardholder data is shared.
Do QSAs for Level 1 merchants require a physical walkthrough of AWS data centers?
No. The AWS Attestation of Compliance (AOC) demonstrates an extensive assessment of physical security controls of AWS data centers. It is not necessary for a merchant’s QSA to verify the security of the AWS data centers.
Does AWS support forensic investigations?
Yes. AWS manages forensic investigations in alignment with DSS requirement A 1.4. Customers or their designated Qualified Incident Response Assessors (QIRA) can contact AWS as required to perform forensic investigations.
Is there a special PCI DSS compliant environment I need to specify when connecting servers or uploading objects to store?
As long as you are using AWS services that are PCI DSS compliant, the entire infrastructure that supports in-scope services is compliant and there is no separate environment or special API to use. Any server or data object deployed in or using these services is in a PCI DSS compliant environment, globally. For the list of AWS services that are PCI DSS compliant, see the PCI tab on the AWS Services in Scope by Compliance Program webpage.
Is AWS compliance applicable internationally?
Yes. Data centers in the following locations are compliant with the PCI DSS standard: US East (Northern Virginia), US East (Ohio), US West (Oregon), US West (Northern California), AWS GovCloud (US), Canada (Central), Europe (Ireland), Europe (Frankfurt), Europe (London), Europe (Paris), Asia Pacific (Singapore), Asia Pacific (Sydney), Asia Pacific (Tokyo), Asia Pacific (Osaka), Asia Pacific (Seoul), Asia Pacific (Mumbai), and South America (São Paulo).
Is the PCI DSS standard public?
Has anyone achieved PCI DSS certification on the AWS platform?
Yes, numerous AWS customers have successfully deployed and certified part or all of their cardholder environments on AWS. AWS does not disclose the customers who have achieved PCI DSS certification, but does regularly work with customers and their PCI DSS assessors in planning for, deploying, certifying, and performing quarterly scanning of a cardholder environment on AWS.
How do companies comply with PCI DSS?
There are two primary approaches that companies take to validate their PCI DSS compliance on an annual basis. The first approach is to have an external Qualified Security Assessor (QSA) assess your applicable environment and then create a Report on Compliance (ROC) and Attestation of Compliance (AOC); this approach is most common for entities that handle large volumes of transactions. The second approach is to perform a Self-Assessment Questionnaire (SAQ); this approach is most common for entities that handle smaller volumes of transaction.
It is important to note that the payment brands and acquirers are responsible for enforcing compliance, not the PCI council.
What are the requirements for PCI DSS compliance?
Below is a high-level overview of the PCI DSS requirements.
Build and Maintain a Secure Network and Systems
1. Install and maintain a firewall configuration to protect cardholder data
2. Do not use vendor-supplied defaults for system passwords and other security parameters
Protect Cardholder Data
3. Protect stored cardholder data
4. Encrypt transmission of cardholder data across open, public networks
Maintain a Vulnerability Management Program
5. Protect all systems against malware and regularly update anti-virus software or programs
6. Develop and maintain secure systems and applications
Implement Strong Access Control Measures
7. Restrict access to cardholder data by business need to know
8. Identify and authenticate access to system components
9. Restrict physical access to cardholder data
Regularly Monitor and Test Networks
10. Track and monitor all access to network resources and cardholder data
11. Regularly test security systems and processes
Maintain an Information Security Policy
12. Maintain a policy that addresses information security for all personnel
What is the AWS position on continued support of the TLS 1.0 protocol?
AWS does not have a campaign to deprecate TLS 1.0 across all services due to some customers (e.g. non-PCI) who require the option of this protocol, however, AWS services are individually assessing the customer impact to disabling TLS 1.0 for their service and may choose to deprecate it.
How does a customer configure AWS architecture to comply with PCI requirement for secure TLS?
All AWS Services in scope for PCI enable TLS 1.1 or greater and some of these services also support TLS 1.0 for customers (non-PCI) who require it. It's the customer’s responsibility to upgrade their systems to initiate a handshake with AWS that uses secure TLS i.e. TLS 1.1 or greater. Customers should use and configure AWS load balancers (Application Load Balancers or Classic Load Balancers) for secure communications using TLS 1.1 or greater by selecting a predefined AWS security policy that can ensure the encryption protocol negotiation between a client and the load balancer uses e.g. TLS 1.2. For example AWS Load Balancer Security Policy ELBSecurityPolicy-TLS-1-2-2018-06 only supports TLS 1.2.
What’s the recommended action for a customer if TLS 1.0 appears in their scan results?
If a customer ASV (Approved Scanning Vendor) scan identifies TLS 1.0 on an AWS API endpoint it means that the API still supports TLS 1.0 as well as TLS 1.1 or higher. Some AWS Services in scope for PCI may still enable TLS 1.0 for customers who require it for non-PCI workloads. The customer can provide proof to the ASV that the AWS API endpoint supports TLS 1.1 or higher by using a tool, such as Qualys SSL Labs, to identify the protocols used. The customer can also provide evidence that they enable a secure TLS handshake by connecting through an AWS Classic or Application Load Balancer that is configured with an AWS Load Balancer Security Policy that only supports TLS 1.1 or higher (e.g. ELBSecurityPolicy-TLS-1-2-2017-01 only supports v1.2). The ASV may require the customer to follow a scan vulnerability dispute process and the evidence outlined can be used as proof of compliance. Alternately, engaging their ASV early and providing this evidence to the ASV prior to the scan may streamline the assessment and support a passing ASV scan.