Slashdot Mirror


Amazon Confirms EC2/S3 Not PCI Level 1 Compliant

Jason writes "After months of digging through speculation and polar opposite opinions from PCI experts, I finally sent a direct request to Amazon's AWS sales team asking if they are in fact PCI compliant and will provide documentation attesting that they are, as is required by PCI guidelines. I fully expected them to dodge the question and refer me to a QSA, but to my relief, they replied with a refreshingly honest and absolute confirmation that it is currently impossible to meet PCI level 1 compliance using AWS services for card data storage. They also very strongly suggest that card numbers never be stored on EC2 or S3, as those services are inherently noncompliant. For now at least, the official verdict is if you need to process credit cards, the Amazon cloud platform is off the table."

8 of 157 comments

  1. Amazon payments by Anonymous Coward · · Score: 5, Insightful

    That is ok, you can just use amazon payments, and probably pay less commissions than you would on your own and not have to worry about storing cc data

  2. Re:Who would have thought? by Barny · · Score: 5, Insightful

    For those lacking humor components in their brains, the parent (and a few other people) along with myself would like to say.

    FOR FUCK SAKE GIVE US SOME MEANINGFUL POINT OF REFERENCE FOR THESE ACRONYM FILLED NON-STORIES.

    --
    ...
    /me sighs

  3. Re:Consideration by jdigriz · · Score: 4, Insightful

    Shows a healthy distrust of salesmen. Even if they're not actually dishonest, they are frequently clueless.

  4. Re:Who would have thought? by quickOnTheUptake · · Score: 4, Insightful

    Requiring readers to follow multiple links to figure out wtf the summary is about is annoying.

    --
    Mod points: Guaranteed to remove your sense of humor.
    Side effects may include gullibility and temporary retardation

  5. Re:Good thing... by trentblase · · Score: 4, Insightful

    This post and all "informative" mods: whoosh. How many people on Slashdot actually run a business that accepts credit cards? To real geeks, PCI is and always will be the Peripheral Component Interconnect.

  6. Re:Sure, and a PCI audit costs nothing, right? by bradley13 · · Score: 4, Insightful

    We looked into this at one point: got details on the audit, etc. Technically, it seemed to be a pretty trivial check of your systems. As I recall, you also had to agree to pay for an annual remote check - basically a port scan - which also cost a pretty penny.

    Basically, it's a way of raking in money. Of course, the people who go through with the audit wind up passing the costs on to consumers. This is in addition to the transaction costs of 3-4%, the transaction processing costs, the fees paid by the consumers, etc, etc.

    Can we please find a secure way of using direct debit, so we can cut the credit-card companies out of the loop?

    --
    Enjoy life! This is not a dress rehearsal.

  7. Re:Good thing... by Vectronic · · Score: 4, Insightful

    I realized (or at least hoped) it was a continuation of the original joke, that's why I didn't say something like "y0u 1d107". I posted the wikis only so that anyone who actually did want to know what all this gibberish was about didn't get lost in some wikimess of the comparison of graphical accelerators and the pros and cons of various bus types.

  8. Re:Consideration by dzfoo · · Score: 4, Insightful

    Here's a straightforward response: If you can't find any documentation on it anywhere and if, as you say, Amazon seems to avoid the question, then it is pretty much safe to assume that you should not store your credit card numbers in such a system.

    Being "PCI compliant" is hardly a skeleton in the closet, so I doubt any vendor would shy from offering such assurance if it were available.

    -dZ.

    --
    Carol vs. Ghost
    ...Can you save Christmas?