0

Is the standard Amazon EC2 Cloud server PCI-Compliant? I've just launched an instance and I'm wondering if it meets the PCI Compliance standard for merchant account holders.

meetar

2 Answers

2

Yes, AWS is PCI compliant. However, please note that this does not mean that you are PCI compliant just because you use them.

See these statements from AWS' PCI FAQ:

AWS does not directly store, transmit, or process any customer cardholder data (CHD). However, you may create your own cardholder data environment (CDE) that can store, transmit, or process cardholder data using AWS products.

AWS will help you by providing hardware that is PCI compliant. They take care of some requirements such as data center security and data at rest encryption. You are still required to encrypt and manage sensitive data stored on, and passing through, your servers as well as any AWS services that you use.

Your best bet here is to avoid storing any sensitive data within your own application as a merchant. If you are using a third-party payment processor, they will most likely provide a solution that allows you to avoid touching the cardholder data so that you are not required to become fully PCI Level 1 compliant. Instead you can complete a self-assessment questionnaire (SAQ) showing that you have taken the required steps to keep yourself out of scope.

Unless you have a compelling reason to store the data yourself I strongly recommend staying out of PCI scope as much as possible.

mjallday
0

Yes, it is PCI Level 1 compliant, meaning that if your servers are set up properly, you can also obtain Level 1 compliance. I recommend using VPC to make this process a lot easier on yourself and your auditor.

Kevin Willock

Some more information can be found on the AWS compliance portal: http://aws.amazon.com/compliance/pci-dss-level-1-compliance-faqs/ – Guy Nov 28 '13 at 20:12