AUTHOR: http://aws.typepad.com/aws/2010/12/aws-achieves-pci-dss-20-validated-service-provider-status.html LINK!

Listed below are links to weblogs that reference AWS Achieves PCI DSS 2.0 Validated Service Provider Status:

Comments


@derik66

A couple of questions:

Who was the QSA?

Is S3 now encrypted?

Is storage overwritten after deletion, or is the mapping changed and then new data overwrites it?

Does this mean an on-site visit to AWS is permitted when an EC2/S3 customer has to be audited for PCI violations?

What exactly are the services for which you got PCI compliance? Hosting? Or other (which shows as checked on the list)?

Can you provide more details on how hosting was extended to cloud and multi-tenant was rationalized with the QSA?

EdouardPoor

Fantastic Jeff - this goes some way to solving one of the last problems with cloud-based computing for application and service developers.

I remember going to a seminar by Mike Culver a few years ago that introduced me to AWS and specifically S3 and EC2 (which was mostly what AWS was back then), and thinking how it would be a reliable, cost effective, and scalable system to use for the project I was involved with at the time, a promo music delivery system aimed at DJs (on one side) and the big music companies (like Universal Music Group, our first target, on the other side).

The problem with utilising AWS as our server infrastructure was not technical, but rather it was an issue of perception within companies like UMG. In the contracts we ended up signing with them, they wanted specific information about the physical location (street address, floor, and even the security layout of the server rooms) where their content would be held and delivered by our service. The notion that it was "in the cloud" was simply not something they could grasp, and was certainly not an idea that their legal departments could imagine entertaining.

The more you and the team at AWS can address this problem, the more easily independent software and service development businesses like ours can create and sell cloud applications to both big and small businesses (although it's usually the biggest businesses and their lawyers that are the most difficult to convince).

I truly believe that focusing on this segment of developers, and continuing to find ways to enable them to on-sell trust in Amazon's security infrastructure, will help drive AWS growth. Keep up the promising work in this area.

Jinesh

Most of these are answered in our PCI FAQs in our Security Center http://aws.amazon.com/security/pci-dss-level-1-compliance-faqs/

Jinesh

NetNinja

http://usa.visa.com/download/merchants/cisp-list-of-pcidss-compliant-service-providers.pdf

The QSA was IOActive, Inc.
http://www.ioactive.com/

This is not a secret so why wasn't it put in the article?

I have been through 2 PCI audits. I would love to be a fly on the wall and read through your ROC.

I assume Amazon's core credit card services can be segmented from their other networks. I don't think it was too hard for them to get their PCI compliance. As long as their other systems don't touch their credit card servers or wherever they store their credit card data, then a QSA can consider other systems not in scope.


Aaron

Is the Elastic Load Balancing functionality included in the scope of EC2 as far as compliance goes? Our ASV dings us because the Elastic Load Balancing apparently allows SSLv2.

Doug

It would be great if you could publish a copy of the Level 1 Certificate of Compliance on your website / FAQs as banks and others who will be assessing our application will want to see your certificate as proof that our application is layered on a certified platform. Visa does not always publish every service provider on their list, and Amazon AWS is still not on the most recent list.
