AWS Expands PCI DSS Scope, Affecting Compliance Teams
Amazon Web Services has expanded the scope of its PCI DSS compliance, adding more services and regions. While this enables customers to build compliant applications with more tools, it also increases the operational burden for platform and SRE teams. These teams now face the challenge of generating and managing a larger volume of compliance evidence.
- Recent additions to the AWS PCI DSS scope include services like Amazon DataZone, Amazon DevOps Guru, AWS Security Incident Response, and AWS Transform, a service that uses AI to help modernize legacy systems.
- AWS operates under a shared responsibility model for compliance; while it secures the underlying cloud infrastructure, the customer is responsible for configuring services securely, managing access, and protecting their data in the cloud to meet PCI requirements.
- The financial penalties for PCI DSS non-compliance, issued by payment card networks via acquiring banks, can range from $5,000 to $100,000 per month, with breach-related costs potentially reaching over $500,000 per incident.
- AWS is certified as a PCI DSS Level 1 Service Provider, the highest and most stringent level of assessment available. This compliance is validated semi-annually by an independent Qualified Security Assessor (QSA).
- To help automate compliance, AWS has begun offering its PCI DSS report package in OSCAL, a machine-readable JSON format, allowing customers to move away from manual review of PDFs and speed up evidence gathering.
- This expansion is occurring as the industry transitions to the more stringent PCI DSS v4.0 standard, for which the previous version (v3.2.1) was retired on March 31, 2024.
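To show how a platform team could consume a machine-readable OSCAL package rather than a PDF, here is an added example (not AWS code and not from the article) that walks an OSCAL component-definition and splits controls by who owns them under the shared responsibility model. The sample document is constructed for illustration; the control IDs and the `responsibility` property are assumptions, not values from AWS's actual PCI DSS package.

```python
import json

# Constructed sample in the shape of an OSCAL component-definition (NIST OSCAL
# JSON). Control IDs and the "responsibility" prop are assumptions; schema-
# required uuid fields are omitted because this parser does not depend on them.
SAMPLE_OSCAL = json.dumps({
    "component-definition": {
        "metadata": {"title": "Example PCI DSS component definition"},
        "components": [{
            "type": "service",
            "title": "Example managed service",
            "control-implementations": [{
                "source": "urn:example:pci-dss-v4-catalog",
                "implemented-requirements": [
                    {"control-id": "req-1.2.1", "description": "Provider-managed network controls.",
                     "props": [{"name": "responsibility", "value": "provider"}]},
                    {"control-id": "req-7.2.1", "description": "Customer defines the access model.",
                     "props": [{"name": "responsibility", "value": "customer"}]},
                    {"control-id": "req-8.3.6", "description": "Password policy set by both parties.",
                     "props": [{"name": "responsibility", "value": "shared"}]},
                    # No props at all: the parser must not silently treat this as covered.
                    {"control-id": "req-10.2.1", "description": "Audit logging."},
                ],
            }],
        }],
    }
})


def load_requirements(oscal_json: str):
    """Yield (control-id, responsibility, description) for every implemented requirement."""
    doc = json.loads(oscal_json)
    for comp in doc["component-definition"].get("components", []):
        for impl in comp.get("control-implementations", []):
            for req in impl.get("implemented-requirements", []):
                props = {p["name"]: p["value"] for p in req.get("props", [])}
                yield req["control-id"], props.get("responsibility", "unknown"), req.get("description", "")


def customer_evidence_queue(oscal_json: str):
    """Control IDs the customer must gather evidence for: anything not wholly
    provider-owned, including entries with no stated owner (fail closed)."""
    return sorted(cid for cid, who, _ in load_requirements(oscal_json) if who != "provider")


def responsibility_summary(oscal_json: str):
    """Count implemented requirements per responsibility value."""
    counts = {}
    for _, who, _ in load_requirements(oscal_json):
        counts[who] = counts.get(who, 0) + 1
    return counts
```

Entries lacking a responsibility property land in the customer queue on purpose, so a gap in the package shows up as work to triage rather than as silent coverage.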