PCI Compliance In The Cloud: This Changes Everything

Amazon announced today that they have PCI compliance certification for the entire AWS stack: EC2, S3, EBS, and VPC.  This is huge.  Almost every startup these days uses some cloud hosting provider, and until now, it's been literally impossible to be PCI compliant in the cloud.

To be PCI compliant, the website owner needs to be able to provide physical access to the servers in the event of a credit card breach.  If you're running in the cloud, you can't provide physical access to an auditor, since you have no way of gaining physical access yourself.

The merchant account providers don't know the first thing about hosting, and they don't really care.  And no startup I know has moved to bare metal and hired a sysadmin just to follow the letter of the standard.  Startups have better things to do than subject themselves to an audit by Trustwave or some other QSA that certifies PCI compliance.  (See, you thought you were PCI compliant, but you're not.)  But if some companies now magically have PCI compliant clouds, then they have every incentive to report their non-compliant competitors to Visa/Mastercard, effectively shutting down those competitors' ability to process credit cards.

Given that this is a rather large deal, I've asked Amazon PR to send me a copy of the QSA report.  To see for yourself that this is a big deal, look at the list of PCI compliant providers: http://usa.visa.com/download/merchants/cisp-list-of-pcidss-compliant-service-providers.pdf (PDF link)  Amazon is like that Sesame Street song: one of these things is not like the others.

One of the things I want to figure out is if Engine Yard's EC2 instances are de facto included in the PCI compliance report, or if only customers contracting directly with Amazon are covered.  Hopefully, the QSA report answers this, but if not, I'll try to run this down with Amazon and Engine Yard.

Upshot: my best guess is that this raises the table stakes for every other cloud provider out there, and if you're in a competitive market and you're not on AWS, your competitors can attempt to report you for PCI violations.  You should ask your cloud provider when they'll provide PCI compliance, and if they can't give you a roadmap, you should investigate moving to Amazon.
