Ensure that all AWS services and resources used by the e-commerce applications running within your AWS account are PCI DSS eligible, so that the environment in which you store, process and transmit credit card information remains compliant. The Payment Card Industry Data Security Standard (PCI DSS) is a proprietary information security standard administered by the PCI Security Standards Council, an organization originally formed by American Express, Discover Financial Services, JCB International, MasterCard and Visa Inc. to manage the ongoing evolution of the standard. PCI DSS is mandated by the card brands and applies to all entities that store, process or transmit cardholder data (CHD) or sensitive authentication data (SAD), including merchants, processors, acquirers, issuers and service providers.

As a customer who uses AWS products and services to store, process or transmit cardholder data, you can rely on the AWS cloud infrastructure while you manage your own PCI DSS compliance validation. Amazon Web Services does not itself store, transmit or process customer cardholder data; instead, you build your own cardholder data environment (CDE) on top of AWS products. Because security and compliance are a shared responsibility between AWS and its customers, you must carefully consider which services you use: your responsibilities vary depending on the services selected, how those services are integrated into your application environment, and the laws and regulations that apply to you. A PCI DSS-compliant CDE on AWS must therefore be built only from AWS services and resources that are in scope of the AWS PCI DSS attestation. Note that using in-scope services is necessary but not sufficient: you remain responsible for configuring those services securely (network segmentation, encryption, access control and logging) and for validating your own compliance through a Qualified Security Assessor or a Self-Assessment Questionnaire, as applicable to your merchant or service provider level.
Amazon Web Services is certified as a PCI DSS 3.2 Level 1 Service Provider. The PCI DSS Attestation of Compliance (AOC) and the Responsibility Summary are available to customers through AWS Artifact, a self-service portal for on-demand access to AWS compliance reports such as Payment Card Industry (PCI) and Service Organization Control (SOC) reports. The Responsibility Summary describes how the PCI DSS requirements are divided between AWS and its customers for the in-scope services, so review it before designing your CDE. In other words, AWS provides the infrastructure-level protections required by PCI DSS, so that you can use in-scope cloud services and resources to build e-commerce websites and applications that store, process or transmit cardholder data (CHD) or sensitive authentication data (SAD). However, not all AWS services and resources are in scope of the AWS PCI DSS attestation, and using an out-of-scope service within your CDE can cause your own assessment to fail, leading to financial and reputational damage, legal action, or fines ranging from $5,000 to $100,000 per month for non-compliance with the Payment Card Industry Data Security Standard.