Amazon recently announced that their AWS infrastructure has gained PCI compliance. With the recent changes in the PCI DSS specification that allow virtualization of components (with certain restrictions), Amazon has made it a priority to get through the rigor of compliance validation so that it’s easier for merchants to take advantage of cloud-based services.
This is a huge step forward. Huge. Prior to PCI DSS 2.0, the standard said nothing about virtualization, and its “one primary function per server” requirement was widely read as ruling out virtual servers in the cardholder data environment, so in practice cardholder data had to live on dedicated physical hosts. Under the 2.0 specification, virtualization is explicitly allowed as long as each virtual server is assigned a single primary function (e.g., a database server) and is properly secured (firewalls, encryption, etc.). By moving to an already compliant environment on AWS, merchants and service providers can not only lower the cost of gaining PCI compliance, they can also save a bundle on infrastructure. In taking this step, Amazon has done the eCommerce market a huge favor.
Still, PCI compliance does require an investment from the merchant and service provider. While Amazon has already invested in gaining compliance for AWS in general, merchants and service providers must still gain their own certification; AWS compliance covers only the infrastructure layer, not how you configure and operate what you run on it. To quote Amazon directly, “All merchants must manage their own PCI certification. For the portion of the PCI cardholder environment deployed in AWS, your QSA can rely on our validated service provider status, but you will still be required to satisfy all other PCI compliance and testing requirements that don’t deal with the technology infrastructure, including how you manage the cardholder environment that you host with AWS.”