Amazon confirms EC2/S3 does not meet PCI guidelines

If your business requires PCI compliant hosting services because you store, transmit or process cardholder data, hosting in the cloud may not be for you.  Most cloud providers do not have the controls or processes in place to protect sensitive cardholder data or the willingness to enter into required business arrangements with merchants.  Because of this, it is impossible to meet several requirements found in current PCI standards, leaving your business at risk for heavy fines by not being compliant.

One such example is Amazon EC2. In a recent discussion on the amazonwebservices.com forum and on slashdot.org, users expressed a desire to move to Amazon EC2 while maintaining PCI compliance. While not surprising, at least there was a concrete answer as to where Amazon stands with regard to its role in its customers' compliance. In an email from Taimur Rashid, an account manager at Amazon Web Services, he states: “We do not and will not provide a written agreement attesting compliance and assuming responsibility for cardholder data.”

PCI requires that all merchants maintain a written agreement between the merchant and the service provider that outlines responsibility for cardholder data: “Requirement 12.8.2 Maintain a written agreement that includes an acknowledgement that the service providers are responsible for the security of cardholder data the service providers possess.” Without this agreement, you cannot be compliant.

In addition to not entering into a written agreement, Amazon also will not allow the on-site audits required for Level 1 and now Level 2 merchants. Cindy S from Amazon Web Services states: “If you have a data breach, you automatically need to become level 1 compliant which requires on-site auditing; that is something we cannot extend to our customers.”

Based on the two statements above, Amazon EC2/S3 is currently not capable of providing the level of service required for PCI compliance at any level. If you are a merchant and require PCI compliance, avoid the cloud and find a reputable service provider that specializes in PCI compliance, such as GSI, Rackspace or ZZ Servers.

2 Responses to “Amazon confirms EC2/S3 does not meet PCI guidelines”

  1. Andy

    It is surprising how much publicity the negative news gets. I think we should respect Amazon’s honesty when it comes to the security compliance of their cloud platform.