Aug 14 2009
I’ve long said that, as things currently stand, it’s going to be nearly impossible to become PCI compliant using any of the cloud-based solutions. The scanning, auditing and even the contractual requirements of PCI guarantee that you won’t be able to be compliant if you’re using the cloud. The good thing is that at least Amazon is being perfectly honest about this and is telling their customers that EC2 and S3 aren’t compliant solutions, instead offering up their Flexible Payment Service (FPS) as a way to use their services in a compliant way.
Be wary when looking at a cloud solution for processing or storing your business’s credit card transactions. Not all of the sales people are going to be familiar with the PCI requirements and may steer you wrong. They may believe that their solution is perfectly secure and compliant without realizing how difficult the scanning, or even the contractual, requirements are for a company to meet. But the best of intentions won’t be enough if you’re relying on their solution to secure your transactions and make you compliant.
Here it is, straight from the horse’s mouth. Twice.
Thank you for contacting Amazon Web Services. Our payment system is PCI compliant and it is an “alternative payment processing service” meaning your users re-direct to our platform to conduct the payment event using their credit cards or bank accounts. The benefit for you is that we handle all the sensitive customer data so you don’t have to. If you haven’t looked at it, I highly suggest you check out the features and functions of our Flexible Payment Service and our Payment Widgets (http://aws.amazon.com/fps).
As for PCI level 2 compliance, that requires external scanning via a 3rd party, PCI-approved vendor. It is possible for you to build a PCI level 2 compliant app in our AWS cloud using EC2 and S3, but you cannot achieve level 1 compliance. And you have to provide the appropriate encryption mechanisms and key management processes. If you have a data breach, you automatically need to become level 1 compliant which requires on-site auditing; that is something we cannot extend to our customers. This seems like a risk that could challenge your business; as a best practice, I recommend businesses always plan for level 1 compliance. So, from a compliance and risk management perspective, we recommend that you do not store sensitive credit card payment information in our EC2/S3 system because it is not inherently PCI level 1 compliant. It is quite feasible for you to run your entire app in our cloud but keep the credit card data stored on your own local servers which are available for auditing, scanning, and on-site review at any time.
Amazon Web Services
Thanks for contacting us. I manage sales for AWS in the Southwest Region.
We are excited to hear about your interest in moving to EC2. We do not and will not provide a written agreement attesting compliance and assuming responsibility for cardholder data. Please see below for our general guidance on PCI compliance.
From a compliance and risk management perspective, we recommend customers not to store sensitive credit card payment information on EC2/S3 systems as they are not inherently PCI level 1 compliant. It is quite feasible for one to run an entire application in the AWS cloud while keeping the credit card data stored within the local servers at the customer site, which are available for auditing, scanning, and on-site review at any time. As for PCI level 2 compliance, that requires external scanning via a 3rd party, PCI-approved vendor. It is possible for you to build a PCI level 2 compliant app in our AWS cloud using EC2 and S3.
Flexible Payment Service (FPS), which is AWS’s payment system, is PCI compliant and it is an “alternative payment processing service” meaning a customer’s users re-direct to our platform to conduct the payment event using their credit cards or bank accounts.
Let me know if you have any follow-up questions.
Amazon Web Services
You can view the full thread on the Amazon site.