The Payment Card Industry Data Security Standard (PCI DSS) is a proprietary information security standard administered by the
PCI Security Standards Council
, which was founded by American Express, Discover Financial Services, JCB International, MasterCard Worldwide and Visa Inc.
PCI DSS applies to entities that store, process, or transmit cardholder data (CHD) or sensitive authentication data (SAD), including merchants, processors, acquirers, issuers, and service providers. The card brands mandate PCI DSS compliance; the PCI Security Standards Council maintains the standard.
Is AWS PCI DSS compliant?
Yes, Amazon Web Services (AWS) is certified as a PCI DSS Level 1 Service Provider, the highest level of assessment available. The compliance assessment was conducted by Coalfire Systems Inc., an independent Qualified Security Assessor (QSA). The PCI DSS Attestation of Compliance (AOC) and Responsibility Summary are available to customers through AWS Artifact, a self-service portal for on-demand access to AWS compliance reports. Sign in to
AWS Artifact in the AWS Management Console
, or learn more at
Getting Started with AWS Artifact
.
Which AWS services are PCI DSS compliant?
For the list of AWS services that are PCI DSS compliant, see the PCI tab on the
AWS Services in Scope by Compliance Program
webpage. For more information about using these services,
contact us
.
What does this mean to me as a PCI DSS merchant or service provider?
As a customer who uses AWS services to store, process, or transmit cardholder data, you can rely on AWS technology infrastructure as you manage your own PCI DSS compliance certification.
AWS does not directly store, transmit, or process any customer cardholder data (CHD). However, you may create your own cardholder data environment (CDE) that can store, transmit, or process cardholder data using AWS services.
What does this mean to me as a non-PCI DSS merchant customer?
Even if you are a non-PCI DSS customer, our PCI DSS compliance demonstrates our commitment to information security at every level. Because the PCI DSS standard is validated by an external independent third party, it confirms that our security management program is comprehensive and follows leading industry practices.
As an AWS customer, can I rely on the AWS Attestation of Compliance (AOC), or will additional testing be required to be fully compliant?
Customers must manage their own PCI DSS compliance validation, and additional testing will be required to verify that your environment satisfies all PCI DSS requirements. However, for the portion of the cardholder data environment (CDE) that is deployed on AWS, your Qualified Security Assessor (QSA) can rely on the AWS Attestation of Compliance (AOC) for the controls AWS is responsible for, without testing those controls further. The controls you are responsible for (see the AWS PCI DSS Responsibility Summary) must still be assessed as part of your own validation.
How can I learn which PCI DSS controls I am responsible for?
For detailed information please see "AWS PCI DSS Responsibility Summary" from the AWS PCI DSS Compliance Package, available to customers through AWS Artifact, a self-service portal for on-demand access to AWS compliance reports. Sign in to
AWS Artifact in the AWS Management Console
, or learn more at
Getting Started with AWS Artifact
. Customers can also request audit and compliance advisory services from the
AWS Security Assurance Services
team.
How can I obtain the AWS PCI Compliance Package?
The AWS PCI Compliance Package is available to customers through AWS Artifact, a self-service portal for on-demand access to AWS compliance reports. Sign in to
AWS Artifact
in the AWS Management Console
, or learn more at
Getting Started with AWS Artifact
.
What does the AWS PCI DSS Compliance Package contain?
The AWS PCI Compliance Package includes:
AWS PCI DSS 3.2.1 Attestation of Compliance (AOC)
AWS PCI DSS 3.2.1 Responsibility Summary
No. The AWS environment is a virtualized, multi-tenant environment. AWS has implemented security management processes, PCI DSS requirements, and other compensating controls that segregate each customer into its own protected environment. An independent QSA validated this architecture and found it compliant with all applicable PCI DSS requirements.
PCI Security Standards Council has published
PCI DSS Cloud Computing Guidelines
for customers, service providers, and assessors of cloud computing services. The guidelines also describe the cloud service models and how compliance roles and responsibilities are shared between providers and customers.
Do QSAs for Level 1 merchants require a physical walkthrough of AWS data centers?
No. The AWS Attestation of Compliance (AOC) demonstrates an extensive assessment of physical security controls of AWS data centers. It is not necessary for a merchant’s QSA to verify the security of the AWS data centers.
Does AWS support forensic investigations?
AWS is not considered a "Shared Hosting Provider" under PCI DSS. As such, Appendix A1 requirement A1.4 (which requires a shared hosting provider to support timely forensic investigation of its hosted entities) is not applicable to AWS. Under our
Shared Responsibility Model
, we enable our customers to perform digital forensics investigations in their own AWS environments without requiring additional assistance from AWS, using both AWS services and third-party solutions available through AWS Marketplace. For more information, see the following resources:
Simplify Security Incident Response and Digital Forensics on AWS
AWS Security Incident Response Guide
Is there a special PCI DSS compliant environment I need to specify when connecting servers or uploading objects to store?
As long as you use AWS services that are PCI DSS compliant, the entire infrastructure that supports those in-scope services is covered by the AWS assessment; there is no separate environment to request and no special API to use. Any server or data object deployed in or using these services runs on PCI DSS compliant infrastructure in every location listed in the current AOC. Note that this covers only the AWS-managed portion of the environment: how you configure and operate those services (network segmentation, access control, logging, and protection of stored and transmitted cardholder data) remains your responsibility under the Shared Responsibility Model and is assessed as part of your own validation. For the list of AWS services that are PCI DSS compliant, see the PCI tab on the
AWS Services in Scope by Compliance Program
webpage.
Is AWS compliance applicable internationally?
Yes. Please refer to the latest PCI DSS AOC in AWS Artifact to get the full list of locations that are compliant.
Is the PCI DSS standard public?
Yes. You can download the PCI DSS standard from the
PCI Security Standards Council Document Library
.
Yes, numerous AWS customers have successfully deployed and certified part or all of their cardholder environments on AWS. AWS does not disclose the customers who have achieved PCI DSS certification, but does regularly work with customers and their PCI DSS assessors in planning for, deploying, certifying, and performing quarterly scanning of a cardholder environment on AWS.
How do companies comply with PCI DSS?
There are two primary approaches that companies take to validate their PCI DSS compliance on an annual basis. The first approach is to have an external Qualified Security Assessor (QSA) assess your applicable environment and then produce a Report on Compliance (ROC) and Attestation of Compliance (AOC); this approach is most common for entities that handle large volumes of transactions. The second approach is to complete a Self-Assessment Questionnaire (SAQ) and its accompanying AOC; this approach is most common for entities that handle smaller volumes of transactions.
It is important to note that the payment brands and acquirers are responsible for enforcing compliance, not the PCI Security Standards Council.
What are the requirements for PCI DSS compliance?
Below is a high-level overview of the PCI DSS requirements, grouped by objective.
Build and Maintain a Secure Network and Systems
1. Install and Maintain Network Security Controls.
2. Apply Secure Configurations to All System Components.
Protect Account Data
3. Protect Stored Account Data.
4. Protect Cardholder Data with Strong Cryptography During Transmission Over Open, Public Networks.
Maintain a Vulnerability Management Program
5. Protect All Systems and Networks from Malicious Software.
6. Develop and Maintain Secure Systems and Software.
Implement Strong Access Control Measures
7. Restrict Access to System Components and Cardholder Data by Business Need to Know.
8. Identify Users and Authenticate Access to System Components.
9. Restrict Physical Access to Cardholder Data.
Regularly Monitor and Test Networks
10. Log and Monitor All Access to System Components and Cardholder Data.
11. Test Security of Systems and Networks Regularly.
Maintain an Information Security Policy
12. Support Information Security with Organizational Policies and Programs.