Amazon Confirms EC2/S3 Not PCI Level 1 Compliant
Jason writes "After months of digging through speculation and polar opposite opinions from PCI experts, I finally sent a direct request to Amazon's AWS sales team asking if they are in fact PCI compliant and will provide documentation attesting that they are, as is required by PCI guidelines. I fully expected them to dodge the question and refer me to a QSA, but to my relief, they replied with a refreshingly honest and absolute confirmation that it is currently impossible to meet PCI level 1 compliance using AWS services for card data storage. They also very strongly suggest that card numbers never be stored on EC2 or S3 as those services are inherently noncompliant. For now at least, the official verdict is if you need to process credit cards, the Amazon cloud platform is off the table."
Farm it out. (Score:5, Interesting)
Why would you jump through the hoops of processing credit card data yourself, instead of getting one of the many - including, as another poster pointed out, Amazon - credit card processing sites to do it for you?
Don't laugh, we had to install AV on Linux (Score:3, Interesting)
Before 1.2 there was an explicit dispensation for Unix machines. Not anymore; although it reads to me that it's not needed, the auditor disagreed. So we had to install a token ClamAV on each machine, and have it scan the disks for ... mostly Windows viruses, since the database contains thousands of them, along with a dozen Linux viruses, none of which was ever seen in the wild.
Re:Amazon payments (Score:3, Interesting)
Calling a remote API is also non-compliant as you are not allowed to store or "transact" in PAN card data.
You have to send the customer to the payment site.
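Two points above reduce to the same control on the merchant side: the summary's advice that card numbers never be stored on EC2 or S3, and the comment that the merchant must send the shopper to the payment site rather than handle PANs itself. The added example below (not code from Amazon, Slashdot, or any payment processor) shows one Luhn-based PAN detector used both ways: to scan logs or exported data for card numbers at rest, and to reject any checkout request that carries card data before redirecting the shopper to a hosted payment page. The processor URL is a hypothetical placeholder, the log lines are constructed, and the card numbers in them are the publicly documented sandbox test numbers, not real accounts.

```python
"""Added example: a Luhn-based PAN detector used on the merchant side to
(1) scan logs or stored files for card numbers at rest, and
(2) refuse checkout requests that carry card data, redirecting the shopper
to the processor's hosted page instead. Not Amazon's or any processor's code."""
import re

# Matches 13-19 digit runs, allowing single spaces or dashes between digits,
# and refuses to start or end inside a longer run of digits.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Constructed sample log. The card numbers are the publicly documented sandbox
# test numbers, not real accounts; the 16-digit order ref is a non-PAN decoy.
SAMPLE_LOG = """\
2024-01-01T10:00:00Z INFO checkout started session=abc123
2024-01-01T10:00:01Z DEBUG form payload card=4111 1111 1111 1111 exp=12/27
2024-01-01T10:00:02Z INFO order 99812 total=42.00 ref=1234567890123456
2024-01-01T10:00:03Z INFO processor callback token=tok_8f3a9c2d customer=cus_77
2024-01-01T10:00:04Z WARN retry with card=5500-0000-0000-0004
"""

HOSTED_PAYMENT_URL = "https://payments.example/checkout"  # hypothetical processor URL


def luhn_valid(digits: str) -> bool:
    """Luhn mod-10 check. Every real PAN passes it, so it filters out most
    order numbers and timestamps that merely look like card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_pans(text: str) -> list[str]:
    """Return normalised (digits-only) Luhn-valid PAN candidates found in text."""
    found = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_valid(digits):
            found.append(digits)
    return found


def mask_pan(pan: str) -> str:
    """First six and last four only: the form in which a finding may be reported."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan_log(text: str) -> list[tuple[int, str]]:
    """(line number, masked PAN) for every card number found in a log or dump."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for pan in find_pans(line):
            findings.append((lineno, mask_pan(pan)))
    return findings


def start_checkout(order_id: str, amount_cents: int, form_fields: dict) -> dict:
    """Merchant-side checkout handler. If any submitted field carries a PAN the
    request is rejected (it should never have been posted to the merchant);
    otherwise the shopper is redirected to the processor's hosted payment page."""
    tainted = [name for name, value in form_fields.items() if find_pans(str(value))]
    if tainted:
        return {"rejected": tainted}
    return {"redirect": f"{HOSTED_PAYMENT_URL}?order={order_id}&amount={amount_cents}"}


def record_payment_result(order_id: str, callback: dict) -> dict:
    """What the merchant keeps after the processor calls back: an opaque token
    and the last four digits, never the PAN."""
    if find_pans(callback["token"]):
        raise ValueError("processor token must not be a card number")
    return {"order": order_id, "token": callback["token"], "last4": callback.get("last4")}


if __name__ == "__main__":
    for lineno, masked in scan_log(SAMPLE_LOG):
        print(f"line {lineno}: card number at rest ({masked})")
    print(start_checkout("99812", 4200, {"email": "shopper@example.test"}))
    print(start_checkout("99812", 4200, {"card": "4111111111111111"}))
```

Run against the constructed log, the scanner flags lines 2 and 5 and ignores the 16-digit order reference on line 3, which fails the Luhn check. The Luhn filter cuts false positives but does not eliminate them, so findings are reported masked and need a human look; and the same `find_pans` gate in `start_checkout` is what keeps the merchant's EC2 instances out of the card-data scope in the first place, since a PAN that is never accepted is never logged or stored.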
Re:Sure, and a PCI audit costs nothing, right? (Score:3, Interesting)
And, sadly, cutting and pasting a Euro symbol into Slashdot doesn't work.