ALL RESOURCES
Compliance frameworks
AWS PCI compliance: What you should know

AWS PCI compliance: What you should know

Everyone from technology insiders to those with minimal technical skills has heard of “the cloud,” and most have heard of Amazon Web Services or AWS too. Did you know AWS can have a significant hand in your journey toward achieving and maintaining PCI compliance? Let’s take a closer look at how your cloud provider can impact your PCI DSS needs.

How does using AWS affect your PCI compliance?

More and more companies in eCommerce and other businesses that process payments are building their networks on the cloud (with AWS or another cloud provider) as opposed to building them with physical servers.


PCI compliance is all about protecting your customers’ payment data, and there are different ways to secure that data in cloud-based networks compared to physical networks. For example, a physical network may warrant more safeguards against accessing your services like door locks and ID cards, while cloud-based networks need more protections against cyber attacks.


Whether you are transitioning your technology onto AWS or you’ve been using AWS from the start of your network’s development, the cloud provider can be a valuable asset in your PCI compliance.

How AWS can help your PCI compliance

AWS aims to make the process easier for you. If you host your network on AWS, Amazon has a variety of tools you can use to assess your compliance, identify security gaps, and create a plan to become compliant.

AWS PCI tools to help your compliance strategy

In making your network on AWS PCI DSS compliant, it’s important to have a plan to not only close security gaps you have today but also detect and close future security gaps. One way to make this simpler is by using the tools AWS has available. While several of these tools do have added costs, they may be able to save you enough time and hassle that they are worth the cost.

Amazon GuardDuty

Amazon GuardDuty is an AWS tool that continuously monitors your AWS account. It looks for signs of potential breaches and malicious activity. GuardDuty can help you to safeguard your cloud-based network to protect your customers’ payment data, which is a key component of PCI compliance.

Amazon Inspector

Amazon Inspector is a more direct Amazon cloud PCI tool that the company created to help with compliance. This automated program scans your security configuration to check for continued security compliance and identify any ways in which you may not be compliant. This is an effective way to make sure that any changes you make to your network don’t compromise your data safety or your PCI compliance.

AWS Artifact

Amazon GuardDuty and Amazon Inspector are both paid services you can add to your AWS account. AWS Artifact, on the other hand, is a free service that helps you manage these tools and other reports.


Specifically, AWS Artifact is a portal that tracks your AWS SOC and PCI reports, including reports on access controls, PCI compliance, and potential gaps in security. It is a way to make your other PCI DSS AWS services more manageable and keep all your essential reports in one place.

Architecture guides

While the previous three tools are automated programs, AWS also offers guides that are designed to educate you rather than monitor your security for you. They provide an AWS PCI compliance workbook, developed in conjunction with a PCI compliance auditor, to help you design your AWS network in a secure and compliant way.


In addition to an AWS PCI compliance checklist, this workbook includes details about sample network architectures that have been designed within AWS to be secure and PCI compliant. You can use those sample architectures as guides while building your own network.

How do you know you can trust the AWS PCI compliant services?

PCI compliance is critical for your business. How do you know that AWS’s tools are sophisticated and accurate enough for you to rely on?


First, AWS is highly knowledgeable about the PCI compliance process. The company is a PCI DSS level one service provider. This means that they have gone through extensive onsite auditing, and continue to go through this auditing process each year, to verify that they are PCI compliant. AWS’s compliance documentation and the AWS PCI AoC, or Attestation of Compliance, are all available for anyone to review.


Second, no one knows AWS’s platform (and how to secure a network on their platform) better than AWS themselves. Their mastery of both the platform and the PCI compliance requirements makes them an established authority whose knowledge can be valuable as you pursue and maintain your own PCI compliance.

Using a toolbox of aids to make your Amazon PCI DSS compliance smoother

While the AWS PCI DSS compliant services like GuardDuty and Inspector can be great assets in your journey toward PCI compliance, they aren’t your only options. In fact, the smoothest compliance process usually comes from using a toolbox of different tools together.


AWS tools pair well with Vanta’s PCI compliance tool to evaluate your network with the PCI DSS in mind and provide you with a detailed report about what steps you need to take to secure your data.

More about PCI

Automate your PCI compliance

Guide to PCI compliance cost

PCI compliance in 3 steps

Written by
No items found.
Access Review Stage Content / Functionality
Across all stages
  • Easily create and save a new access review at a point in time
  • View detailed audit evidence of historical access reviews
Setup access review procedures
  • Define a global access review procedure that stakeholders can follow, ensuring consistency and mitigation of human error in reviews
  • Set your access review frequency (monthly, quarterly, etc.) and working period/deadlines
Consolidate account access data from systems
  • Integrate systems using dozens of pre-built integrations, or “connectors”. System account and HRIS data is pulled into Vanta.
  • Upcoming integrations include Zoom and Intercom (account access), and Personio (HRIS)
  • Upload access files from non-integrated systems
  • View and select systems in-scope for the review
Review, approve, and deny user access
  • Select the appropriate systems reviewer and due date
  • Get automatic notifications and reminders to systems reviewer of deadlines
  • Automatic flagging of “risky” employee accounts that have been terminated or switched departments
  • Intuitive interface to see all accounts with access, account accept/deny buttons, and notes section
  • Track progress of individual systems access reviews and see accounts that need to be removed or have access modified
  • Bulk sort, filter, and alter accounts based on account roles and employee title
Assign remediation tasks to system owners
  • Built-in remediation workflow for reviewers to request access changes and for admin to view and manage requests
  • Optional task tracker integration to create tickets for any access changes and provide visibility to the status of tickets and remediation
Verify changes to access
  • Focused view of accounts flagged for access changes for easy tracking and management
  • Automated evidence of remediation completion displayed for integrated systems
  • Manual evidence of remediation can be uploaded for non-integrated systems
Report and re-evaluate results
  • Auditor can log into Vanta to see history of all completed access reviews
  • Internals can see status of reviews in progress and also historical review detail

PCI Compliance Selection Guide

Determine Your PCI Compliance Level

If your organization processes, stores, or transmits cardholder data, you must comply with the Payment Card Industry Data Security Standard (PCI DSS), a global mandate created by major credit card companies. Compliance is mandatory for any business that accepts credit card payments.

When establishing strategies for implementing and maintaining PCI compliance, your organization needs to understand what constitutes a Merchant or Service Provider, and whether a Self Assessment Questionnaire (SAQ) or Report on Compliance (ROC) is most applicable to your business.

Answer a few short questions and we’ll help identify your compliance level.

1
2
3
4
!
👍

Does your business offer services to customers who are interested in your level of PCI compliance?

Yes
No

Identify your PCI SAQ or ROC level

The PCI Security Standards Council has established the below criteria for Merchant and Service Provider validation. Use these descriptions to help determine the SAQ or ROC that best applies to your organization.

Good news! Vanta supports all of the following compliance levels:

SAQ A

A SAQ A is required for Merchants that do not require the physical presence of a credit card (like an eCommerce, mail, or telephone purchase). This means that the Merchant’s business has fully outsourced all cardholder data processing to PCI DSS compliant third party Service Providers, with no electronic storage, processing, or transmission of any cardholder data on the Merchant’s system or premises.

Get PCI DSS certified

SAQ A-EP

A SAQ A-EP is similar to a SAQ A, but is a requirement for Merchants that don't receive cardholder data, but control how cardholder data is redirected to a PCI DSS validated third-party payment processor.

Learn more about eCommerce PCI

SAQ D
for service providers

A SAQ D includes over 200 requirements and covers the entirety of PCI DSS compliance. If you are a Service Provider, a SAQ D is the only SAQ you’re eligible to complete.

Use our PCI checklist

ROC
Level 1 for service providers

A Report on Compliance (ROC) is an annual assessment that determines your organization’s ability to protect cardholder data. If you’re a Merchant that processes over six million transactions annually or a Service Provider that processes more than 300,000 transactions annually, your organization is responsible for both a ROC and an Attestation of Compliance (AOC).

Automate your ROC and AOC

Download this checklist for easy reference

Questions?

Learn more about how Vanta can help. You can also find information on PCI compliance levels at the PCI Security Standards Council website or by contacting your payment processing partner.

The compliance news you need. Delivered securely to your inbox.