Amazon Web Services Payment Card Industry Data Security Standard (PCI DSS) v4.0 on AWS
Introduction
Our mission at AWS Security Assurance Services (AWS SAS) is to ease Payment Card Industry Data
Security Standard (PCI DSS) compliance for Amazon Web Services (AWS) customers. We work closely
with AWS teams to answer customer questions about understanding their compliance, finding and
implementing solutions, and optimizing their controls and assessments. We have compiled frequently
asked and foundational questions about PCI DSS compliance to create this guide, the Payment Card
Industry Data Security Standard (PCI DSS) v4.0 on AWS Compliance Guide. This guide is an overview of
concepts and principles to be considered when building PCI DSS compliant applications. Each section is
thoroughly referenced to source AWS documentation to support implementation and meeting PCI DSS
reporting requirements. Please note that this guide is intended to provide only general considerations
for complying with PCI DSS and may not address the particular issues and concerns of any individual
AWS customer.
The guide helps customers who are developing payment applications, compliance teams that are
preparing to manage assessments of cloud applications, internal assessment teams, and PCI QSAs
supporting customers who use AWS.
PCI DSS is a set of baseline security requirements developed to encourage and enhance payment card
account data security. Account data includes both cardholder data (CHD) and sensitive authentication
data (SAD). Cardholder data consists of the primary account number (PAN), the cardholder’s name, the
card’s expiration date, and the service code. SAD includes the full track data (magnetic-stripe data or the
equivalent on a chip), CAV2/CVC2/CVV2/CID codes, and PINs and/or PIN blocks. The broader
environment where this account data exists is the cardholder data environment, or CDE. Within the
CDE exist system components, which are the people, processes, and technology associated with the
processing of customer account data. The CDE is made up of three sets of resources: system
components that themselves store, process, or transmit account data, system components that have a
logical connection to (are “connected to”) the first set of resources, and system components that could
impact the security of the other two sets of resources as well as themselves. All of these system
components must be protected, and they require careful planning both to implement PCI DSS controls
and to demonstrate compliance with them.
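The three-set scoping rule above is easier to apply to a real inventory when it is written down as a procedure. The following is an added worked example, not code from the AWS guide: it classifies a constructed inventory of components into the three in-scope sets (handles account data, connected to, security-impacting) and flags anything that falls outside all three. The component names, the `handles_account_data` and `can_impact_security` labels, and the connection list are all assumptions a scoping team would fill in from its own environment; they are not AWS or PCI-defined fields. It also adds one check the guide does not spell out but that scoping exercises regularly need: a connection that references a host missing from the inventory, which usually means the inventory is incomplete.

```python
from dataclasses import dataclass

# Assumed labels a scoping team would assign; not fields defined by PCI DSS or AWS.
@dataclass(frozen=True)
class Component:
    name: str
    handles_account_data: bool = False  # stores, processes, or transmits CHD or SAD
    can_impact_security: bool = False   # e.g. directory/auth, patch or config management

# Constructed inventory for illustration only.
INVENTORY = [
    Component("payment-api", handles_account_data=True),
    Component("card-db", handles_account_data=True),
    Component("inventory-svc"),
    Component("analytics"),
    Component("marketing-site"),
    Component("directory-service", can_impact_security=True),
]

# Constructed logical connections, treated as undirected: either side
# of a connection counts as "connected to" the other.
CONNECTIONS = {
    frozenset({"payment-api", "card-db"}),
    frozenset({"payment-api", "inventory-svc"}),
    frozenset({"inventory-svc", "analytics"}),
    frozenset({"analytics", "marketing-site"}),
}


def neighbours(name, connections):
    """Names directly connected to `name`."""
    out = set()
    for edge in connections:
        if name in edge:
            out |= set(edge) - {name}
    return out


def classify(inventory, connections):
    """Map each component name to the scoping set it falls into.

    Set 1: handles account data. Set 2: directly connected to set 1.
    Set 3: can impact the security of sets 1 or 2. Everything else is
    out of scope. Note that a system connected only to a set-2 system is
    not pulled in by connectivity alone; it must earn set-3 status on
    its own, which is how the three-set definition reads.
    """
    cde = {c.name for c in inventory if c.handles_account_data}
    connected = {
        c.name for c in inventory
        if c.name not in cde and neighbours(c.name, connections) & cde
    }
    impacting = {
        c.name for c in inventory
        if c.can_impact_security and c.name not in cde | connected
    }
    result = {}
    for c in inventory:
        if c.name in cde:
            result[c.name] = "stores/processes/transmits"
        elif c.name in connected:
            result[c.name] = "connected-to"
        elif c.name in impacting:
            result[c.name] = "security-impacting"
        else:
            result[c.name] = "out-of-scope"
    return result


def in_scope(inventory, connections):
    """Every component that must be protected under PCI DSS controls."""
    return {n for n, cat in classify(inventory, connections).items()
            if cat != "out-of-scope"}


def unknown_components(inventory, connections):
    """Names that appear in a connection but not in the inventory.

    Such gaps mean the inventory (and therefore the scope) is incomplete
    and must be resolved before the classification can be trusted.
    """
    known = {c.name for c in inventory}
    referenced = set().union(*connections) if connections else set()
    return referenced - known


if __name__ == "__main__":
    for name, category in sorted(classify(INVENTORY, CONNECTIONS).items()):
        print(f"{name:20} {category}")
    print("unknown:", unknown_components(INVENTORY, CONNECTIONS))
```

Run as a script it prints one line per component with its scoping set. The useful property for a practitioner is the last function: adding a connection to a host that is not in `INVENTORY` is reported rather than silently classified out of scope.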
PCI DSS defines baseline technical and operational requirements that are designed to protect account
data. Security and compliance are important shared responsibilities between AWS and the customer. It
is the customers’ responsibility to maintain their PCI DSS CDE and scope and be able to demonstrate
compliance with PCI DSS requirements, but customers are not alone on this journey. The use of PCI DSS
compliant AWS services can help facilitate customer compliance, and the AWS SAS team can help
customers with additional information specific to demonstrating the PCI DSS compliance of their AWS
workloads. The AWS SAS team consists of industry-certified assessors and QSAs to help customers
achieve, maintain, and automate compliance in the cloud. Our services provide you with subject matter
expertise in pre-assessment activities, advisory, and best practices to accelerate your path to
compliance. Contact us to learn more about our engagements.