Topics on this page
Check For Non Compliant Check For Non Compliant Pci Dss Aws Services And Resources
Ensure that all AWS services and resources used by your e-commerce applications running within your AWS account are PCI DSS compliant in order to maintain a secure environment for storing, processing and transmitting credit card information. The Payment Card Industry Data Security Standard (PCI DSS) is a proprietary information security standard administered by PCI Security Standards Council, an organization originally formed by American Express, Discover Financial Services, JCB International, MasterCard and Visa Inc. with the goal of managing the ongoing evolution of the Payment Card Industry Data Security Standard. PCI DSS applies to all entities that store, process or transmit cardholder data (CHD) or sensitive authentication data (SAD), including merchants, processors, acquirers, issuers and service providers.
The PCI DSS is authorized by the card brands and administered by the Payment Card Industry Security Standards Council. As a customer who uses AWS products and services to store, process or transmit cardholder data, you can rely on AWS cloud infrastructure as you manage your own PCI DSS compliance certification. Amazon Web Services does not directly store, transmit or process any customer cardholder data (CHD) but you can create your own cardholder data environment (CDE) that can store, transmit or process cardholder data using AWS products. And since security and compliance is a shared responsibility between AWS and its customers, they should carefully consider the services they choose as their responsibilities vary depending on the services used, the integration of those services into their application environment, and applicable laws and regulations. Therefore, you can obtain PCI DSS compliance for your e-commerce websites and applications using only PCI DSS-eligible AWS services and resources.
AWS BAA
- Amazon API Gateway
- Amazon Athena
- Amazon Cloud Directory
- Amazon CloudFront
- Amazon CloudWatch Logs
- Amazon Cognito
- Amazon Comprehend
- Amazon Connect
- Amazon DocumentDB (with MongoDB compatibility)
- Amazon DynamoDB
- Amazon ElastiCache for Redis
- Amazon Elastic Container Registry (ECR)
- Amazon Elastic Container Service (ECS) - including both Fargate and EC2 launch types
- Amazon Elastic Container Service for Kubernetes (EKS)
- Amazon Elastic Block Store (EBS)
- Amazon Elastic Compute Cloud (EC2)
- Amazon Elastic MapReduce
- Amazon Elastic File System (EFS)
- Amazon Elasticsearch Service
- Amazon FreeRTOS
- Amazon FSx
- Amazon Glacier
- Amazon GuardDuty
- Amazon Inspector
- Amazon Kinesis Data Analytics
- Amazon Kinesis Data Streams
- Amazon Kinesis Data Firehose
- Amazon Kinesis Video Streams
- Amazon Macie
- Amazon MQ
- Amazon Neptune
- Amazon Polly
- Amazon Quicksight
- Amazon Redshift
- Amazon Rekognition
- Amazon Relational Database Service (RDS) - including Amazon Aurora
- Amazon Route 53
- Amazon S3 Transfer Acceleration
- Amazon SageMaker
- Amazon SimpleDB
- Amazon Simple Queue Service (SQS)
- Amazon Simple Storage Service (S3)
- Amazon Simple Notification Service (SNS)
- Amazon Simple Workflow Service (SWF)
- Amazon Transcribe
- Amazon Translate
- Amazon Virtual Private Cloud (VPC)
- Amazon WorkDocs
- Amazon WorkSpaces
- Amazon Auto Scaling
- Amazon AppSync
- Amazon Backup
- Amazon Batch
- Amazon Certificate Manager (ACM)
- Amazon CodeBuild
- Amazon CodeCommit
- Amazon CloudFormation
- Amazon CloudHSM
- Amazon CloudTrail
- Amazon Config
- Amazon Database Migration Service
- Amazon DataSync
- Amazon Direct Connect
- Amazon Directory Service for Microsoft and AD Connector
- Amazon Elastic Beanstalk
- Amazon Elemental MediaConnect
- Amazon Firewall Manager
- Amazon Global Accelerator
- Amazon Glue
- Amazon IoT Greengrass
- Amazon Identity & Access Management (IAM)
- Amazon IoT Core - including Device Management
- Amazon Key Management Service
- Amazon Lambda
- Amazon Lambda@Edge
- Amazon Managed Services
- Amazon OpsWorks CM - including Chef Automate and Puppet Enterprise
- Amazon OpsWorks Stacks
- Amazon RoboMaker
- Amazon Secrets Manager
- Amazon Serverless Application Repository
- Amazon Server Migration Service (SMS)
- Amazon Service Catalog
- Amazon Shield
- Amazon Snowball
- Amazon Snowball Edge
- Amazon Snowmobile
- Amazon Step Functions
- Amazon Storage Gateway
- Amazon Systems Manager
- Amazon Transfer for SFTP
- Amazon WAF
- Amazon X-Ray
- Amazon Elastic Load Balancing
- Amazon VM Import/Export
Verify the updated list of AWS services and resources that support PCI DSS requirements before you design, create, modify or upgrade your PCI-compliant application environment inside your AWS account. An example of non-compliant PCI DSS service is Amazon CloudSearch, a fully managed service that makes it easy to set up, manage and scale a search solution for your website or application, as Amazon CloudSearch resources are not compliant at this moment. Because these types of AWS resources are not yet eligible, your cloud application will fail to achieve PCI DSS compliance as long as is processing or transmitting cardholder data (CHD) using AWS CloudSearch resources. Therefore, Cloud Conformity strongly recommends to terminate any non-compliant PCI DSS resources (e.g. Amazon CloudSearch search domains) in order to obtain PCI DSS compliance within your AWS account. To help your organization maintain PCI DSS compliance, Cloud Conformity monitors your Amazon Web Services account in real time and sends notification alerts as soon as an AWS resource is created outside the PCI data security standard.
Rationale
Amazon Web Services is certified as a PCI DSS 3.2 Level 1 Service Provider. The PCI DSS Attestation of Compliance (AOC) and Responsibility Summary are available to customers by using Amazon Artifact, a self-service portal for on-demand access to AWS compliance reports such as Payment Card Industry (PCI) and Service Organization Control (SOC) reports. That being said, AWS provides the necessary protections to satisfy the PCI DSS security requirements, so that you can use PCI-compliant cloud services and resources to build e-commerce websites and applications that store, process or transmit cardholder data (CHD) or sensitive authentication data (SAD). However, not all AWS components are PCI DSS-eligible, so using services and resources that fail to comply with the Payment Card Industry (PCI) Data Security Standard (DSS) regulations can lead to damaging financial and reputational effects, legal actions or even to fines between $5,000 to $100,000 per month for violating PCI DSS security rules.