How to achieve PCI DSS Compliance for AWS

A guide explaining the key steps to become PCI DSS Compliant with your AWS-based service(s)

PCI compliance is a requirement that any organization that handles payment card data should comply with. The growth in technology has brought about information security risks. These risks arise from the fact that organizations store a lot of customer information that may be misused or accessed by malicious parties. The responsibility for protecting customer payment card information lies with the organization. PCI compliance is a framework that stipulates requirements that organizations should implement to ensure that their data is stored securely. Merchants who sell their products through Amazon are covered under this compliance.

What is PCI DSS Compliance?

As Wikipedia says, PCI DSS stands for Payment Card Industry Data Security Standard. It is the compliance standard dedicated to ensuring that cardholder information is stored appropriately and securely. Compliance with PCI regulations is overseen by the PCI Security Standards Council (PCI SSC). The council includes companies like MasterCard and VISA, which are card service providers. The council came up with a 100-page document that covers PCI compliance in detail. The document is complicated, which makes it hard for small businesses to understand the requirements they need to meet. For this reason, small business owners may opt to find service providers to help them meet the PCI compliance standards.

PCI DSS clearly explains how cardholder data should be protected by implementing several strategies like having a secure network with strong firewalls, encryption of data before transmission, implementing access controls, having risk management programs and constant monitoring and evaluation of the networks.

Who is a Designated Entity?

A designated entity is a third party that a merchant hires to handle cardholder data security as well as ensure the company meets PCI DSS requirements. The organization is responsible for vetting the designated entity vigorously before contracting it. Vetting includes checking the entity’s credentials and track record. PCI DSS also mentions the risks associated with contracting a designated entity in relation to breaches of contract, the stored data, and other arising risks.

Amazon Web Services and PCI DSS

Amazon Web Services (AWS) is a cloud service provider (CSP). AWS is not required to be PCI compliant. However, there was a suggestion that AWS should start adopting PCI standards to prevent, detect and counter cyber attacks. Although AWS is a secure cloud option, an organization should ensure it is compliant to prevent any vulnerability. AWS is not included in entities for PCI compliance because it has an inbuilt Virtual Private Cloud (VPC). VPC creates a private network for the merchant to store information in. This private network has segmented levels and access controls.

Basically, the information is stored in tiered levels. This reduces the risks related to stored cardholder data. The information is stored according to the sensitivity of the data. The first level may include the transaction and date. The second level can include the name and address plus level one clearance. The third level may include the complete cardholder information. Segmentation keeps the most sensitive data in the most secure place in an IT environment.
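The tiered layout described above, as an added sketch that is not part of the original article or of any AWS or PCI DSS schema: it returns only the fields a given clearance level may read and flags fields stored in a tier too low for their sensitivity. The field names, the tier numbers assigned to them and the sample record are assumptions made for illustration.

```python
# Added illustration; field names and tier numbers are assumptions based on
# the three levels described in the text, not an AWS or PCI DSS schema.

# Lowest tier at which each field may be stored or read.
FIELD_TIER = {
    "transaction_id": 1,
    "date": 1,
    "name": 2,
    "address": 2,
    "pan": 3,      # primary account number
    "expiry": 3,
}
UNCLASSIFIED = 4   # above every real tier, so unknown fields are never exposed


def view_for_tier(record, clearance):
    """Return only the fields a caller with this clearance may read.

    Access is cumulative: tier 2 includes tier 1, tier 3 includes both.
    Invalid clearances and unclassified fields fail closed.
    """
    if clearance not in (1, 2, 3):
        raise PermissionError(f"unknown clearance tier: {clearance!r}")
    return {
        field: value
        for field, value in record.items()
        if FIELD_TIER.get(field, UNCLASSIFIED) <= clearance
    }


def misplaced_fields(store_tier, record):
    """Segmentation check: fields too sensitive for the store they sit in."""
    return sorted(
        field for field in record
        if FIELD_TIER.get(field, UNCLASSIFIED) > store_tier
    )


# Constructed sample record (well-known test card number, not real data).
SAMPLE = {
    "transaction_id": "T-1001", "date": "2019-03-14",
    "name": "A. Example", "address": "1 Example St",
    "pan": "4111111111111111", "expiry": "12/30",
}

if __name__ == "__main__":
    print(view_for_tier(SAMPLE, 1))      # tier 1 caller sees two fields only
    print(misplaced_fields(1, SAMPLE))   # fields that must not sit in tier 1
```

Running `misplaced_fields` over records sampled from each data store is a quick way to confirm that the most sensitive fields have not drifted into a lower tier.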

VPC uses Transport Layer Security (TLS) and Secure Sockets Layer (SSL) to protect cardholder information. In layman's terms, your users' browser will request and verify your website certificate before the user can access the website. The two computers communicate by sending encrypted data from one end to the other. This is called a TLS handshake. When a browser cannot verify a website certificate, it gives a warning of an unsecured connection.

What is Elastic Load Balancing (ELB) and its purpose?

The process of verifying websites involves a mountain of data that may slow down browsers. Internet users have little patience, and a slow transmission can lead to a loss in sales for business owners. ELB helps to mitigate this problem. ELB works faster by splitting a task and allocating the pieces to different servers. This reduces the overall time spent during transmissions. In practice, one task that used to be handled by one server can be allocated to five servers. This means the transmission will take five times less than the time one server would take. In general, having multiple servers working on the same request greatly reduces information transmission times.

AWS incorporates VPC and ELB to improve information transmission times while protecting cardholder information by transmitting over a secure private network. AWS has a designated entity that offers audit services and certifies AWS compliance with PCI DSS. AWS offers PCI compliant services. AWS has customizable features that allow you to build personalized services, create a cloud-based environment and even create a virtual version of your computer.


If you're looking for a platform that can assist you to monitor and evaluate your PCI compliance and manage current and potential vulnerabilities, you can try ZenGRC from Reciprocity: an easy-to-use, enterprise-grade information security solution for compliance, risk management, business control tracking, testing, and enforcement. The platform is fully compatible with AWS and can assist your organization to stay PCI compliant when using AWS. [Disclaimer: I'm working for that company].



About Ken Lynch

Ken Lynch is an enterprise software startup veteran who has always been fascinated by what drives workers to work and how to make work more engaging. Ken founded Reciprocity to pursue just that. He has propelled Reciprocity's success with this mission-based goal of engaging employees with the governance, risk, and compliance goals of their company in order to create more socially minded corporate citizens. Ken earned his BS in Computer Science and Electrical Engineering from MIT. Learn more at
