Amazon Confirms EC2/S3 Not PCI Level 1 Compliant
Jason writes "After months of digging through speculation and polar opposite opinions from PCI experts, I finally sent a direct request to Amazon's AWS sales team asking if they are in fact PCI compliant and will provide documentation attesting that they are, as is required by PCI guidelines. I fully expected them to dodge the question and refer me to a QSA, but to my relief, they replied with a refreshingly honest and absolute confirmation that it is currently impossible to meet PCI level 1 compliance using AWS services for card data storage. They also very strongly suggest that card numbers never be stored on EC2 or S3, as those services are inherently noncompliant. For now at least, the official verdict is: if you need to process credit cards, the Amazon cloud platform is off the table."
That is OK; you can just use Amazon Payments, probably pay lower commissions than you would on your own, and not have to worry about storing CC data.
I'm glad this was posted to slashdot. Now I know not to buy the EC2 or S3 cards for my machine. I mean, if they're not PCI compliant, I'm going to guarantee they don't have FOSS linux kernel drivers. The PCI spec is so old anyway. Any word on when Amazon will make new boards compliant to PCIE with FOSS drivers? Someone who knows, please post a reply.
Why would you jump through the hoops of processing credit card data yourself, instead of getting one of the many - including, as another poster pointed out, Amazon - credit card processing sites to do it for you?
It's awfully considerate of you to invest large amounts of effort in research to avoid bothering the sales team with, you know, sales inquiries.
It sounds like they really are behind the times. I mean, not even PCI compliant, I'd have expected at least AGP or PCI-X as a bare minimum.
Mind you, I wonder if this is an old story as I'm fairly sure S3 stopped making video cards many years ago.
On another point, I too have often turned to the Queensland Swimming Association for all of my questions about All Women Shortlists, I find they are very knowledgeable.
Requirement 1: Install and maintain a firewall configuration to protect cardholder data
Err.. quite tricky when your machine is a virtual host that you're accessing over the Internet. Whatever firewall you set up, _you_ need to have a way around it. Very few people bother with VPNs or the like; most virtual hosting packages I've seen have FTP and other services open to all. This seriously compromises its security.
Requirement 4: Encrypt transmission of cardholder data across open, public networks
Most web development companies I've worked with always want to transfer data around over unencrypted FTP, often including database backup files. The chances are, if you have a subcontractor handling your e-commerce web site, they're violating this requirement on a regular basis.
Requirement 5: Use and regularly update anti-virus software
Oh, yeah. Everyone has antivirus installed on their web servers. Wait... you mean they don't? What's this Linux thing?
Requirement 6: Develop and maintain secure systems and applications
Ha!
Requirement 9: Restrict physical access to cardholder data
Somewhat difficult when you're not hosting the system yourself, so this requirement can only be met by less than 1% of e-commerce retailers out there.
Requirement 11: Regularly test security systems and processes
When was the last time you performed a penetration test on your network?
"As for PCI level 2 compliance, that requires external scanning via a 3rd party, PCI-approved vendor. It is possible for you to build a PCI level 2 compliant app in our AWS cloud using EC2 and S3, but you cannot achieve level 1 compliance. And you have to provide the appropriate encryption mechanisms and key management processes."
There seems to be a dangerous misunderstanding about PCI validation requirements in the reply from Amazon. There's no such thing as "level x compliance"; the levels refer to merchant levels set by the acquirer. The merchant level is determined by the volume of credit card transactions for a single card brand (e.g. Visa). The actual security requirements for all 4 merchant levels are EXACTLY the same; the only difference is how the compliance has to be validated. Level 1 merchants are required to perform an on-site audit by a QSAP annually, whereas the other levels only require filling out a self-assessment questionnaire (SAQ) once a year. Quarterly vulnerability scans by an ASV are required for all levels except 4, where they are optional.