PCI
Payment Card Industry Standards
Overview
AWS demonstrates adherence to various Payment Card Industry (PCI) Security Standards and is regularly assessed by a PCI Qualified Security Assessor (QSA). AWS undergoes evaluation against the following PCI Security Standards:
- PCI Data Security Standard (DSS) - Proprietary information security standard administered by the PCI Security Standards Council (PCI SSC), which was founded by American Express, Discover Financial Services, JCB International, MasterCard Worldwide and Visa Inc. PCI DSS applies to entities that store, process, or transmit cardholder data (CHD) or sensitive authentication data (SAD), including merchants, processors, acquirers, issuers, and service providers. The PCI DSS is mandated by the card brands and administered by the PCI SSC.
- PCI 3-D Secure (3DS) Security Standard - Defines security requirements to protect environments where specific 3DS functions are performed, to enable secure consumer authentication for e-commerce and m-commerce purchases.
- PIN Security Standard (PIN) - Defines security requirements for the secure management, processing, and transmission of personal identification number (PIN) data during online and offline payment card transaction processing at ATMs and attended and unattended point-of-sale (POS) terminals.
- PCI Point-to-Point Encryption (P2PE) Security Standard - Defines security requirements for P2PE Solutions, P2PE Components, and P2PE Applications, to protect payment account data via encryption from the point it is captured in the merchant’s payment device to the point it is decrypted in a solution provider’s or component provider’s environment.
Attestation of Compliance (AOC) and Responsibility Summary for all the standards are available to customers through AWS Artifact, a self-service portal for on-demand access to AWS compliance reports. Sign in to AWS Artifact in the AWS Management Console, or learn more at Getting Started with AWS Artifact.
Page topics
General FAQs
Open allAre PCI standards public?
Yes. You can download the PCI standards from the PCI Security Standards Council Document Library.
Which AWS services are compliant with each PCI security standard?
For the list of AWS services that are PCI DSS, PCI 3DS, PCI PIN and PCI P2PE compliant, see the list on AWS Services in Scope by Compliance Program webpage. For more information about using these services, contact us.
How can I obtain AWS PCI Compliance Packages?
AWS PCI Compliance Packages for each certification are available to customers through AWS Artifact, a self-service portal for on-demand access to AWS compliance reports. Sign in to AWS Artifact in the AWS Management Console, or learn more at Getting Started with AWS Artifact.
Are any AWS Services PCI PIN, PCI P2PE certified?
Yes, AWS CloudHSM and AWS Payment Cryptography are PCI PIN certified. AWS Payment Cryptography is a PCI P2PE certified decryption component. Their reports are available in AWS Artifact for customer use. Sign in to AWS Artifact in the AWS Management Console, or learn more at Getting Started with AWS Artifact.
Is PCI 3DS attestation available for AWS?
Yes, our annual PCI 3DS reports are available in Artifact. Although, AWS doesn’t perform 3DS functions directly, the AWS PCI 3DS attestation of compliance can help customers to attain their own PCI 3DS compliance for their services running on AWS. Sign in to AWS Artifact in the AWS Management Console, or learn more at Getting Started with AWS Artifact.
Is AWS compliance applicable internationally?
Yes. Please refer to the latest PCI AOC for the standards you are interested in from AWS Artifact to get the full list of locations that are compliant.
AWS on PCI DSS
Open allIs AWS PCI DSS Certified?
Yes, Amazon Web Services (AWS) is certified as a PCI DSS Level 1 Service Provider, the highest level of assessment available. The compliance assessment was conducted by Coalfire Systems Inc., an independent Qualified Security Assessor (QSA). The PCI DSS Attestation of Compliance (AOC) and Responsibility Summary are available to customers through AWS Artifact, a self-service portal for on-demand access to AWS compliance reports. Sign in to AWS Artifact in the AWS Management Console, or learn more at Getting Started with AWS Artifact.
As an AWS customer, can I rely on the AWS Attestation of Compliance (AOC) or will additional testing be required to be fully compliant?
Customers must manage their own PCI DSS compliance certification, and additional testing will be required to verify that your environment satisfies all PCI DSS requirements. However, for the portion of the PCI cardholder data environment (CDE) that is deployed in AWS, your Qualified Security Assessor (QSA) can rely on the AWS Attestation of Compliance (AOC) without further testing.
What does this mean to me as a PCI DSS merchant or service provider?
As a customer who uses AWS services to store, process, or transmit cardholder data, you can rely on AWS technology infrastructure as you manage your own PCI DSS compliance certification. AWS does not directly store, transmit, or process any customer cardholder data (CHD). However, you may create your own cardholder data environment (CDE) that can store, transmit, or process cardholder data using AWS services.
What does this mean to me as a non-PCI DSS merchant customer?
Even if you are a non-PCI DSS customer, our PCI DSS compliance demonstrates our commitment to information security at every level. Because the PCI DSS standard is validated by an external independent third party, it confirms that our security management program is comprehensive and follows leading industry practices.
What does the AWS PCI DSS Compliance Package contain?
The AWS PCI Compliance Package includes:
- AWS PCI DSS Attestation of Compliance (AOC)
- AWS PCI DSS Responsibility Summary
How can I learn which PCI DSS controls I am responsible for?
For detailed information please see "AWS PCI DSS Responsibility Summary" from the AWS PCI DSS Compliance Package, available to customers through AWS Artifact, a self-service portal for on-demand access to AWS compliance reports. Sign in to AWS Artifact in the AWS Management Console, or learn more at Getting Started with AWS Artifact. Customers can also request audit and compliance advisory services from the AWS Security Assurance Services team.
Is AWS listed on the Visa Global Registry of Service Providers and the MasterCard Compliant Service Provider List?
Yes, AWS is listed on both the Visa Global Registry of Service Providers and the MasterCard Compliant Service Provider List. The Service Provider listings further demonstrate that AWS successfully validated PCI DSS compliance and has met all applicable Visa and MasterCard program requirements.
Does the PCI DSS standard require single-tenant environments in order to be compliant?
No. The AWS environment is a virtualized multi-tenant environment. AWS has effectively implemented security management processes, PCI DSS requirements, and other compensating controls that effectively and securely segregate each customer into its own protected environment. This secure architecture has been validated by an independent QSA and was found to be in compliance with all applicable requirements of PCI DSS.
PCI Security Standards Council has published PCI DSS Cloud Computing Guidelines for customers, service providers, and assessors of cloud computing services. It also describes service models and how compliance roles and responsibilities are shared between providers and customers.
Do QSAs for Level 1 merchants require a physical walkthrough of AWS data centers?
No. The AWS Attestation of Compliance (AOC) demonstrates an extensive assessment of physical security controls of AWS data centers. It is not necessary for a merchant’s QSA to verify the security of the AWS data centers.
Does AWS support forensic investigations?
AWS is not considered a "Shared Hosting Provider" under PCI-DSS. As a result, DSS requirement A1.4 is not applicable. Under our Shared Responsibility Model, we enable our customers to perform digital forensics investigations in their own AWS environments without requiring additional assistance from AWS. This ability is provided through the use of both AWS services and third-party solutions available via AWS Marketplace. For more information, see the following resources:
Is there a special PCI DSS compliant environment I need to specify when connecting servers or uploading objects to store?
As long as you are using AWS services that are PCI DSS compliant, the entire infrastructure that supports in-scope services is compliant and there is no separate environment or special API to use. Any server or data object deployed in or using these services is in a PCI DSS compliant environment, globally. For the list of AWS services that are PCI DSS compliant, see the PCI tab on the AWS Services in Scope by Compliance Program webpage.
How do companies comply with PCI DSS?
There are two primary approaches that companies take to validate their PCI DSS compliance on an annual basis. The first approach is to have an external Qualified Security Assessor (QSA) assess your applicable environment and then create a Report on Compliance (ROC) and Attestation of Compliance (AOC); this approach is most common for entities that handle large volumes of transactions. The second approach is to perform a Self-Assessment Questionnaire (SAQ); this approach is most common for entities that handle smaller volumes of transaction.
It is important to note that the payment brands and acquirers are responsible for enforcing compliance, not the PCI council.
Has anyone achieved PCI DSS certification on the AWS platform?
Yes, numerous AWS customers have successfully deployed and certified part or all of their cardholder environments on AWS. AWS does not disclose the customers who have achieved PCI DSS certification, but does regularly work with customers and their PCI DSS assessors in planning for, deploying, certifying, and performing quarterly scanning of a cardholder environment on AWS.