PCI Compliance In The Cloud: This Changes Everything

Amazon announced today that they have PCI compliance certification for the entire AWS stack: EC2, S3, EBS, and VPC.  This is huge.  Almost every startup these days uses some cloud hosting provider, and until now, it's been literally impossible to be PCI compliant in the cloud.

To be PCI compliant, the website owner needs to be able to provide physical access to the servers in the event of a credit card breach.  If you're running in the cloud, you can't provide physical access to an auditor, since you have no way of gaining physical access yourself.

The merchant account providers don't know the first thing about hosting, and they don't really care.  And no startup I know has moved to bare metal and hired a sysadmin just to follow the letter of the standard.  Startups have better things to do than subject themselves to an audit by Trustwave or some other QSA that certifies PCI compliance.  (See, you thought you were PCI compliant, but you're not.)  But if some companies now magically have PCI compliant clouds, then they have every incentive to report to Visa/Mastercard any competitors who aren't, effectively shutting down those competitors' ability to process credit cards.

Given that this is a rather large deal, I've asked Amazon PR to send me a copy of the QSA report.  Just to prove to yourself that this is a big deal, look at the list of PCI compliant providers: http://usa.visa.com/download/merchants/cisp-list-of-pcidss-compliant-service-providers.pdf (PDF link)  Amazon is like that Sesame Street song: one of these things is not like the others.

One of the things I want to figure out is whether Engine Yard's EC2 instances are de facto included in the PCI compliance report, or whether only customers contracting directly with Amazon are covered.  Hopefully, the QSA report answers this, but if not, I'll try to run this down with Amazon and Engine Yard.

Upshot: my best guess is that this raises the table stakes for every other cloud provider out there, and if you're in a competitive market and you're not on AWS, your competitors can attempt to report you for PCI violations.  You should ask your cloud provider when they'll provide PCI compliance, and if they can't give you a roadmap, you should investigate moving to Amazon.