RCP Update

Sign up for our newsletter.

I agree to this site's Privacy Policy.

The Schwartz
Cloud Report

Blog archive

Amazon Achieves PCI Compliance

Amazon Web Services (AWS) seems to be getting its house in order when it comes to compliance certifications. The company said last week it has achieved Level 1 compliance with the Payment Card Industry, or PCI, Data Security Standard.

PCI is the standard for storing, processing and transmitting credit card data. AWS lack of PCI compliance was a key barrier to those companies looking to use the cloud provider's service to handle transactions.

"Merchants and services providers with a need to certify against PCI DSS and to maintain their own certification can now leverage the benefits of the AWS cloud and even simplify their own PCI compliance efforts by relying on AWS's status as a validated service provider," said AWS lead Web services evangelist Jeff Barr, in a blog post.

The PCI validation covers its core cloud offerings used by merchants, notably Amazon Elastic Compute Cloud (EC2), the Amazon Simple Storage Service (S3), Amazon Elastic Block Storage (EBS) and the Amazon Virtual Private Cloud (VPC), Barr noted.

"This is big news, especially for small businesses that want to use EC2 and haven't because Amazon has not gone through PCI," said Douglas Barbin, director of assurance and compliance services at SAS 70 Solutions, a consultancy that specializes in auditing and compliance.

Large hosting providers such as Savvis, Rackspace and AT&T are already PCI-compliant as is Google's payment gateway, Barbin added.

The news comes just weeks after Amazon announced it has achieved ISO 27001 compliance, a standard based in 133 security process controls such as physical plant security, operational policies and how malicious code is handled, to name a few.

Earlier in the year, Amazon received its SAS 70 certification but was criticized for lacking ISO 27001 certification, Barbin said. That's because SAS 70 allows the provider to determine their own controls, while ISO 27001 is based on standard controls. "They got a lot of flack because they wouldn't disclose what those controls were," Barbin said. "This is an important milestone for Amazon."

Posted by Jeffrey Schwartz on December 14, 2010 at 11:58 AM


comments powered by Disqus