Amazon Web Services Can't Offer Level-One PCI Compliance

Lora Bentley

If your business is one that accepts and processes credit card data and, thus, must maintain compliance with the PCI Data Security Standard, Gemini Security Solutions offered a great Monday reminder.


It is impossible to achieve Level 1 PCI compliance using Amazon's EC2 (computing) or S3 (storage) cloud services. One can, however, build a PCI Level 2 compliant application atop Amazon's cloud. The e-commerce giant explained the situation on a Web services discussion board as follows:

As for PCI level 2 compliance, that requires external scanning via a third party, PCI-approved vendor. It is possible for you to build a PCI level 2 compliant app in our Amazon Web Services cloud using EC2 and S3, but you cannot achieve level 1 compliance... If you have a data breach, you automatically need to become level 1 compliant which requires on-site auditing; that is something we cannot extend to our customers.


Gemini reiterates that "cloud computing isn't for everything" and gives Amazon props for admitting it.

Aug 20, 2009 9:51 AM Andy says:

It is surprising how much publicity the negative news gets. I think we should respect Amazon's honesty when it comes to the security compliance of their cloud platform.

Sep 2, 2009 1:29 PM Betty says: in response to Andy

Can anyone tell me what "Level-One PCI Compliance" means?

Apr 15, 2010 11:31 AM David M. Zendzian says:

PCI requirements are the same for everyone, from level 1 (Walmart) to level 4 (corner store/flea market accepting credit cards). You can get a copy of the standard at http://www.pcisecuritystandards.org.

The requirements for levels are set by the card brands themselves:

  visa: http://www.visa.com/cisp/

  mastercard: http://www.mastercard.com/sdp/

They all have the same basic requirements, except that the levels are defined slightly differently for each card brand. But generally a level 1 is required to have a certified (PCI SSC) QSA perform an on-site validation (following the PCI DSS) for the company.

And generally everyone else (levels 2-4) is required to do just a self-assessment questionnaire. I say generally because MasterCard now requires all level 2s to have an on-site QSA validation.

The questions and requirements for all levels, be they self-attested or 3rd-party QSA validated, are the same.

So it is nice that Amazon is stating that they do not have the ability to perform the on-site items; but they didn't do it from the goodness of their corporation, they did it to prevent future legal liability.

So if you are going to host with Amazon and are required to be PCI compliant because you store, transmit or process card data (and "transmit" includes just posting from the customer to the web site and directly back out to the processor), then you need to be able to answer all questions. How can you, as a customer of Amazon, get the data-center, personnel, policy and procedure related questions answered by Amazon, and if you can't get them answered, then how can you complete the questionnaire which you are going to legally attest to being correct?

Good luck to anyone going through the process!
