How to Bring Your AWS Infrastructure into PCI DSS Compliance

Denis Sheremetov

CTO at Onix

Anastasiia Diachenko

Writer

Jun 06, 2025

13 min read

If your business handles credit or debit card payments, ensuring the safety of customers’ payment data is mission-critical. Meeting the Payment Card Industry Data Security Standard (PCI DSS) is not only a best practice—it’s often a contractual and legal requirement.

Table of contents
  • What is PCI DSS, and Why Do You Need It?

  • PCI DSS Core Requirements

  • Determining Your PCI DSS Level and Self-Assessment Questionnaire (SAQ)

  • Are AWS Services PCI DSS-Compliant?

  • Step-by-Step AWS Setup for PCI DSS Compliance

  • Amazon Inspector for Vulnerability Management

  • Additional Onix Recommendations for a Successful PCI DSS Journey

  • PCI-Compliant AWS Architecture: Example

  • Conclusion

  • FAQ

In this guide, Onix shares a detailed roadmap of what PCI DSS entails, why it’s vital, and how to align your AWS infrastructure accordingly. We’ll discuss key AWS services that can streamline and automate your compliance journey, drawing upon extensive real-world experience.


What is PCI DSS, and Why Do You Need It?

PCI DSS stands for Payment Card Industry Data Security Standard, a set of guidelines managed by the PCI Security Standards Council (PCI SSC).

 

These guidelines aim to safeguard cardholder data throughout the transaction lifecycle—from when the customer enters payment information to the secure storage of these details for future reference (when permitted).

 

The standard’s primary objectives include:

 

  1. Protecting cardholder data – ensuring robust encryption and data handling best practices.
  2. Maintaining a secure network – implementing firewalls, intrusion detection, and intrusion prevention systems.
  3. Regularly monitoring and testing networks – quarterly vulnerability scans, periodic penetration tests, and continuous security assessments.
  4. Maintaining an information security policy – setting clear protocols and procedures for managing, storing, and disposing of sensitive data.

 

Why it matters: Complying with PCI DSS fosters customer trust, protects your brand reputation, and prevents costly data breaches or fines. Non-compliance can lead to significant financial penalties, legal consequences, and damage to your company’s public image.

 

PCI DSS Core Requirements


There are 12 core requirements that organizations must meet to achieve PCI DSS compliance, grouped into six overarching goals:

 

  1. Build and Maintain a Secure Network and Systems
  2. Protect Cardholder Data
  3. Maintain a Vulnerability Management Program
  4. Implement Strong Access Control Measures
  5. Regularly Monitor and Test Networks
  6. Maintain an Information Security Policy


Each requirement contains several sub-requirements, focusing on everything from firewall configuration to physical security measures. AWS covers many physical and environmental controls for you, but as the AWS customer, you remain responsible for properly configuring and maintaining the logical and application layers.

 

Determining Your PCI DSS Level and Self-Assessment Questionnaire (SAQ)

PCI DSS categorizes organizations by how many card transactions they process annually.

 

This classification determines the complexity and depth of audits you must undergo:

 

| PCI Level | Annual Transaction Volume | Key Requirements |
|---|---|---|
| 1 | Over 6 million transactions per year | Annual QSA Audit (AOC); Quarterly ASV Scans; Annual Penetration Testing |
| 2 | 1 million to 6 million transactions per year | Self-Assessment Questionnaire (SAQ); Quarterly ASV Scans; Annual Penetration Testing |
| 3 | 20,000 to 1 million transactions per year | Self-Assessment Questionnaire (SAQ); Quarterly ASV Scans |
| 4 | Fewer than 20,000 transactions per year | Self-Assessment Questionnaire (SAQ); Quarterly ASV Scans |



Note: While Levels 1 and 2 require more rigorous testing, all levels must complete quarterly vulnerability scans. Level 1 merchants must also undergo an external audit conducted by a Qualified Security Assessor (QSA) to receive the Attestation of Compliance (AOC).


Choosing the Right Self-Assessment Questionnaire (SAQ)

The SAQ you must complete depends on your business model and how (or if) you store cardholder data. The difficulty escalates from SAQ A (fully outsourced payment processing, no storage of card data) to SAQ D (applies if you store, process, or transmit cardholder data internally).

 

| SAQ Type | Description |
|---|---|
| A | Merchants with fully outsourced card data functions (e.g., e-commerce using a third-party payment processor). No internal storage or processing of cardholder data. |
| A-EP | E-commerce merchants that outsource all payment processing but whose website can impact the security of the transaction. |
| B | Merchants using only imprint machines or standalone, dial-out terminals; no electronic cardholder data storage. |
| B-IP | Merchants using only standalone, PTS-approved IP-connected terminals, with no electronic cardholder data storage. |
| C-VT | Merchants that manually enter a single transaction at a time via an internet-based virtual terminal solution (no storage). |
| C | Merchants with internet-connected payment application systems; no electronic storage of cardholder data. |
| P2PE-HW | Merchants using only hardware payment terminals with a validated P2PE solution; no electronic cardholder data storage. |
| D | All other scenarios, including service providers and merchants storing, processing, or transmitting data in various ways. |

 

Are AWS Services PCI DSS-Compliant?

AWS holds a PCI DSS Level 1 Service Provider certification, the highest level available. By default, this means:

 

  • Physical Security at AWS data centers (surveillance, guards, restricted access, etc.) meets PCI DSS standards.
  • Managed Services like Amazon RDS, Amazon S3, AWS Lambda, and more have baseline compliance measures in place.

 

Shared Responsibility Model

However, compliance in the cloud follows a Shared Responsibility Model:

 

  • AWS handles security OF the cloud (physical servers, data centers, network infrastructure).
  • You, the customer, are responsible for security IN the cloud—your applications, operating systems, IAM policies, encryption, network configurations, and so on.


Successfully achieving PCI DSS compliance in AWS requires diligent attention to how you configure and manage your resources. You must ensure that your specific usage of AWS meets PCI DSS requirements for data protection, access control, and security monitoring.

 

Step-by-Step AWS Setup for PCI DSS Compliance

 

Step #1: Conduct Quarterly Network Scans with an Approved Scanning Vendor

A key requirement for all PCI DSS levels is performing quarterly vulnerability scans through an Approved Scanning Vendor (ASV):

 

1. Identify All In-Scope Assets
Make sure you include every domain, subdomain, IP address, and AWS resource that handles or could impact cardholder data.


2. Schedule Regular Scans
Conduct these scans at least every quarter or after any significant network changes (e.g., new public endpoints, major configuration updates).


3. Review and Remediate
Address issues flagged by the ASV, such as open ports (e.g., SSH on port 22 exposed to the public), weak SSL/TLS configurations, or HTTP endpoints that need redirection to HTTPS.


Example of Common Findings from ASV Scans:

| Finding | Potential Impact | Remediation Step |
|---|---|---|
| Open SSH Port (22) | Unauthorized server access | Restrict to known IPs or VPC-based access; use bastion hosts. |
| Weak SSL/TLS Version (e.g., TLS 1.0) | Susceptible to SSL exploits | Disable old TLS/SSL in ALBs/ELBs; enforce TLS 1.2 or higher. |
| HTTP Traffic Allowed | Sensitive data could be intercepted | Enforce HTTPS redirection via ALB or CloudFront. |

Pro tip: Some scanning solutions integrate with AWS APIs, making it easier to continuously discover new resources. For instance, SecurityMetrics or Qualys can be configured to scan automatically when new endpoints appear.

 

Step #2: Enable AWS Config to Track Configuration Changes

AWS Config is essential for logging every configuration change in your AWS environment. PCI DSS auditors may ask for proof of how your infrastructure changed over time—who modified security group rules, when a new IAM role was added, etc.

 

1. Scope

  • All Resource Types: For most organizations, selecting “All resource types with customizable overrides” ensures full visibility.
  • Targeted Resource Types: If you have an advanced setup, you can selectively monitor only certain resource types.


2. Recording Frequency

  • Continuous Recording: More real-time, higher cost, but offers immediate insights into any drift from desired configurations.
  • Daily Recording: Cost-effective but delays updates to the next day.


3. Service-Linked Roles and S3 Bucket

  • Let AWS Config automatically create the required IAM role and S3 bucket to store your configuration history and snapshots.


AWS Config helps you meet multiple PCI DSS controls (for example, Requirements 1, 2, 5, 6, 10, 11) by maintaining a historical record of your system’s configuration states.
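AWS Config does more than record history: a custom rule can evaluate every configuration change as it is captured and report COMPLIANT or NON_COMPLIANT back to Config, which is the mechanism behind the checks Security Hub displays. The handler below is an example added to this article, not Onix's or AWS's own code. It checks RDS instances for encryption at rest (Requirement 3) and public accessibility (Requirement 1), keeps the evaluation logic separate from the SDK call so it can be tested without credentials, and assumes the camelCase configuration keys `storageEncrypted` and `publiclyAccessible` that Config records for `AWS::RDS::DBInstance` items; the resource id, token and timestamps in the sample event are made up.

```python
"""Custom AWS Config rule: flag RDS instances that are unencrypted or publicly
accessible (PCI DSS Req 3 and Req 1). The evaluation is a pure function so it
runs offline; lambda_handler wires it to the Config service."""
import json

COMPLIANT = "COMPLIANT"
NON_COMPLIANT = "NON_COMPLIANT"
NOT_APPLICABLE = "NOT_APPLICABLE"


def evaluate_rds_instance(configuration_item: dict) -> tuple:
    """Return (compliance_type, annotation) for one Config configuration item."""
    if configuration_item.get("resourceType") != "AWS::RDS::DBInstance":
        return NOT_APPLICABLE, "Rule only evaluates RDS DB instances"
    if configuration_item.get("configurationItemStatus") in (
            "ResourceDeleted", "ResourceDeletedNotRecorded"):
        return NOT_APPLICABLE, "Resource has been deleted"
    # Assumed key names: Config normalizes RDS attributes to camelCase.
    cfg = configuration_item.get("configuration", {})
    problems = []
    if not cfg.get("storageEncrypted", False):
        problems.append("storage is not encrypted at rest (PCI DSS Req 3)")
    if cfg.get("publiclyAccessible", False):
        problems.append("instance is publicly accessible (PCI DSS Req 1)")
    if problems:
        return NON_COMPLIANT, "; ".join(problems)
    return COMPLIANT, "Encrypted at rest and not publicly accessible"


def build_evaluation(event: dict) -> dict:
    """Parse the Config invocation event and produce one evaluation record
    in the shape expected by PutEvaluations."""
    invoking_event = json.loads(event["invokingEvent"])
    item = invoking_event["configurationItem"]
    compliance, annotation = evaluate_rds_instance(item)
    return {
        "ComplianceResourceType": item["resourceType"],
        "ComplianceResourceId": item["resourceId"],
        "ComplianceType": compliance,
        "Annotation": annotation[:256],  # Config caps annotations at 256 chars
        "OrderingTimestamp": item["configurationItemCaptureTime"],
    }


def lambda_handler(event, context):
    """Lambda entry point: report the evaluation back to AWS Config."""
    import boto3  # imported here so the pure functions above run without the SDK
    evaluation = build_evaluation(event)
    boto3.client("config").put_evaluations(
        Evaluations=[evaluation], ResultToken=event["resultToken"])
    return evaluation


# Constructed sample event shaped like a change-triggered Config invocation
# (resource id, token and timestamp are made up).
SAMPLE_EVENT = {
    "invokingEvent": json.dumps({
        "messageType": "ConfigurationItemChangeNotification",
        "configurationItem": {
            "resourceType": "AWS::RDS::DBInstance",
            "resourceId": "db-EXAMPLE123",
            "configurationItemStatus": "OK",
            "configurationItemCaptureTime": "2025-06-06T10:00:00.000Z",
            "configuration": {"storageEncrypted": False, "publiclyAccessible": True},
        },
    }),
    "resultToken": "EXAMPLE-TOKEN",
}

if __name__ == "__main__":
    print(json.dumps(build_evaluation(SAMPLE_EVENT), indent=2))
```

Deployed as the Lambda behind a change-triggered custom rule, this produces the historical compliance timeline an auditor asks for, with the annotation explaining which requirement each non-compliant state violated.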

 

Step #3: Use AWS Security Hub for PCI DSS Checks

AWS Security Hub serves as a centralized console, pulling in data from various AWS security services—AWS Config, Amazon Inspector, Amazon Macie, and more—and mapping them against security frameworks, including PCI DSS.

 

Enabling PCI DSS Standards

In Security Hub, you can enable the PCI DSS standard. Security Hub then evaluates your resources against specific PCI DSS controls, assigning a Common Vulnerability Scoring System (CVSS) severity level. Examples:

 

  • Publicly Accessible S3 Buckets: High-severity finding if it stores or might store cardholder data.
  • Unencrypted RDS Instances: Medium-to-high severity depending on the type of data processed.
  • Exposed EC2 Instances: Instances with open ports that could allow unauthorized access are flagged.


Reviewing Findings and Best Practices

Each identified issue comes with a recommended remediation path (e.g., enabling encryption in transit, restricting port access). AWS Security Hub works hand in hand with AWS Config to provide compliance statuses:

 

| PCI DSS Control | Security Hub Finding | Recommended Action |
|---|---|---|
| Req 3: Protect stored cardholder data | “EBS volume unencrypted” or “S3 bucket unencrypted” | Encrypt volumes and buckets with AWS KMS keys |
| Req 1: Install/maintain firewall config to protect data | “Security group allows inbound traffic on 0.0.0.0/0” | Restrict inbound to known IP addresses or VPC ranges |
| Req 8: Assign a unique ID to each person with access | “IAM user with no MFA” or “User with static credentials” | Enforce MFA, rotate credentials, apply least-privilege IAM |



Pro tip: Treat every finding as part of a continuous improvement cycle—fix, verify, and re-scan. Even small weaknesses can be exploited by advanced threat actors.
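The ASV findings table in Step 1 and the Security Hub table above describe the same kinds of checks: world-open security groups, weak TLS policies, plaintext HTTP, unencrypted or public storage, and IAM users without MFA or with stale keys. The script below is an example added to this article (not Onix's or AWS's code) that runs those checks over a small, constructed resource inventory and maps each finding to its PCI DSS requirement and a severity, which is the shape of the fix-verify-re-scan loop. The inventory format, the resource names and the list of ELB policies treated as weak are assumptions for the example; in practice the data would come from AWS Config snapshots or the describe_* APIs.

```python
"""Evaluate a constructed AWS resource inventory against PCI DSS Req 1, 3, 4
and 8 checks. Inventory values are made up for illustration."""
from dataclasses import dataclass
from ipaddress import ip_network

# ELB security policies that still allow TLS 1.0/1.1 (assumed for the example;
# verify against the current AWS list of predefined policies).
WEAK_TLS_POLICIES = {"ELBSecurityPolicy-2016-08", "ELBSecurityPolicy-TLS-1-1-2017-01"}
SENSITIVE_PORTS = {22: "SSH", 3389: "RDP", 3306: "MySQL", 5432: "PostgreSQL"}
SEVERITY_RANK = {"HIGH": 0, "MEDIUM": 1, "LOW": 2}


@dataclass
class Finding:
    requirement: str  # PCI DSS requirement the finding maps to
    severity: str
    resource: str
    title: str
    remediation: str


def is_world_open(cidr: str) -> bool:
    """True for 0.0.0.0/0, ::/0 or any prefix covering the whole address space."""
    return ip_network(cidr, strict=False).prefixlen == 0


def check_security_groups(groups: list) -> list:
    """Req 1: sensitive ports must not be reachable from the internet."""
    out = []
    for sg in groups:
        for rule in sg["ingress"]:
            if not any(is_world_open(c) for c in rule["cidrs"]):
                continue
            for port, name in SENSITIVE_PORTS.items():
                if rule["from_port"] <= port <= rule["to_port"]:
                    out.append(Finding("Req 1", "HIGH", sg["id"], f"{name} ({port}) open to 0.0.0.0/0",
                                       "Restrict to known IPs or VPC ranges; use a bastion host"))
    return out


def check_load_balancers(lbs: list) -> list:
    """Req 4: no plaintext HTTP without redirect, no TLS 1.0/1.1 policies."""
    out = []
    for lb in lbs:
        for ls in lb["listeners"]:
            action = ls.get("default_action", {})
            redirects = action.get("type") == "redirect" and action.get("protocol") == "HTTPS"
            if ls["protocol"] == "HTTP" and not redirects:
                out.append(Finding("Req 4", "MEDIUM", lb["name"], "HTTP listener without HTTPS redirect",
                                   "Add a redirect-to-HTTPS default action on the ALB or CloudFront"))
            elif ls["protocol"] == "HTTPS" and ls.get("ssl_policy") in WEAK_TLS_POLICIES:
                out.append(Finding("Req 4", "HIGH", lb["name"], f"TLS policy {ls['ssl_policy']} permits TLS 1.0/1.1",
                                   "Use a policy that enforces TLS 1.2 or higher"))
    return out


def check_storage(buckets: list, volumes: list) -> list:
    """Req 3: cardholder data stores must be private and KMS-encrypted."""
    out = []
    for b in buckets:
        if b.get("public"):
            out.append(Finding("Req 3", "HIGH", b["name"], "S3 bucket publicly accessible",
                               "Enable Block Public Access and review the bucket policy"))
        if not b.get("kms_encrypted"):
            out.append(Finding("Req 3", "MEDIUM", b["name"], "S3 bucket not encrypted with a KMS key",
                               "Set default encryption with an AWS KMS key"))
    for v in volumes:
        if not v.get("encrypted"):
            out.append(Finding("Req 3", "HIGH", v["id"], "EBS volume unencrypted",
                               "Enable EBS encryption by default and rebuild the volume"))
    return out


def check_iam_users(users: list) -> list:
    """Req 8: unique IDs with MFA and rotated credentials."""
    out = []
    for u in users:
        if u.get("console_access") and not u.get("mfa_enabled"):
            out.append(Finding("Req 8", "HIGH", u["name"], "IAM user with console access and no MFA",
                               "Enforce MFA with an aws:MultiFactorAuthPresent policy condition"))
        for age in u.get("access_key_ages_days", []):
            if age > 90:
                out.append(Finding("Req 8", "MEDIUM", u["name"], f"Access key is {age} days old",
                                   "Rotate the key; prefer IAM roles over long-lived keys"))
    return out


def evaluate(inventory: dict) -> list:
    """Run every check; return findings ordered by severity, then requirement."""
    findings = (check_security_groups(inventory["security_groups"])
                + check_load_balancers(inventory["load_balancers"])
                + check_storage(inventory["s3_buckets"], inventory["ebs_volumes"])
                + check_iam_users(inventory["iam_users"]))
    return sorted(findings, key=lambda f: (SEVERITY_RANK[f.severity], f.requirement))


# Constructed inventory (ids and names are made up).
SAMPLE_INVENTORY = {
    "security_groups": [{"id": "sg-0example", "ingress": [
        {"from_port": 22, "to_port": 22, "cidrs": ["0.0.0.0/0"]},
        {"from_port": 443, "to_port": 443, "cidrs": ["0.0.0.0/0"]}]}],
    "load_balancers": [{"name": "shop-alb", "listeners": [
        {"protocol": "HTTP", "default_action": {"type": "forward"}},
        {"protocol": "HTTPS", "ssl_policy": "ELBSecurityPolicy-2016-08"}]}],
    "s3_buckets": [{"name": "card-exports", "public": True, "kms_encrypted": False}],
    "ebs_volumes": [{"id": "vol-0example", "encrypted": True}],
    "iam_users": [{"name": "ops-admin", "console_access": True, "mfa_enabled": False,
                   "access_key_ages_days": [120]}],
}

if __name__ == "__main__":
    for f in evaluate(SAMPLE_INVENTORY):
        print(f"[{f.severity}] {f.requirement} {f.resource}: {f.title} -> {f.remediation}")
```

Port 443 open to the world produces no finding, which is deliberate: an e-commerce front end must accept HTTPS from anywhere, so the check targets administrative and database ports rather than every world-open rule.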

 

Amazon Inspector for Vulnerability Management

While network-level security checks are crucial, application-level and container security remain equally vital. Amazon Inspector automatically scans:

 

  • EC2 Instances
  • AWS Lambda functions
  • Docker Images in Amazon ECR

 

How Amazon Inspector Works

1. Scanning for Known CVEs

Inspector searches for Common Vulnerabilities and Exposures (CVE) in software packages, operating systems, and frameworks.


2. Malware and Exploit Detection
It detects known malicious binaries, rootkits, or exploit code that can lead to privilege escalation or data exfiltration.


3. Prioritization with CVSS
Each finding gets a CVSS-based severity score (Low, Medium, High, Critical), helping security teams prioritize fixes.


Common Findings

| Typical Vulnerability | Impact | Remediation |
|---|---|---|
| Outdated OS Packages (e.g., older Linux distro with unpatched kernel) | Exploits allowing privilege escalation, data exposure | Update to latest OS patch versions regularly |
| Vulnerable Application Libraries (e.g., Log4j) | Remote code execution | Update library versions, track known CVEs diligently |
| Weak IAM Permissions for Lambda | Potential lateral movement or privilege abuse | Restrict roles and permissions, follow least privilege |



Pro tip: Integrate Inspector findings into your CI/CD pipeline. For instance, a pipeline can fail a build if a critical vulnerability is detected, ensuring no insecure images or code reaches production.
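The build gate described in that tip, as an example added to this article (not Onix's pipeline code): it takes Inspector findings, applies a severity threshold and a time-boxed accepted-risk list, and returns the exit code a CI step would use. The findings are constructed in the shape of Inspector's ListFindings output (real field names such as `severity`, `inspectorScore`, `fixAvailable` and `packageVulnerabilityDetails`; the CVE ids, packages and versions are placeholders). A real pipeline would fetch them with boto3's `inspector2` client, filtered to the image just pushed to ECR.

```python
"""CI/CD gate over Amazon Inspector findings: fail the build when a container
image carries vulnerabilities at or above a severity threshold, unless the CVE
is on an unexpired accepted-risk list. Sample data is constructed."""
from datetime import date

SEVERITY_ORDER = ["INFORMATIONAL", "LOW", "MEDIUM", "HIGH", "CRITICAL"]

# Constructed findings (placeholder CVE ids and versions).
SAMPLE_FINDINGS = [
    {"severity": "CRITICAL", "inspectorScore": 9.8, "fixAvailable": "YES",
     "packageVulnerabilityDetails": {"vulnerabilityId": "CVE-EXAMPLE-1",
         "vulnerablePackages": [{"name": "openssl", "version": "1.1.1", "fixedInVersion": "1.1.1w"}]}},
    {"severity": "HIGH", "inspectorScore": 7.5, "fixAvailable": "NO",
     "packageVulnerabilityDetails": {"vulnerabilityId": "CVE-EXAMPLE-2",
         "vulnerablePackages": [{"name": "zlib", "version": "1.2.11"}]}},
    {"severity": "MEDIUM", "inspectorScore": 5.3, "fixAvailable": "YES",
     "packageVulnerabilityDetails": {"vulnerabilityId": "CVE-EXAMPLE-3",
         "vulnerablePackages": [{"name": "curl", "version": "7.68.0", "fixedInVersion": "7.88.1"}]}},
]

# Accepted-risk register: CVE id -> ISO expiry date of the exception (constructed).
SAMPLE_EXCEPTIONS = {"CVE-EXAMPLE-2": "2025-12-31"}


def is_exempt(cve: str, exceptions: dict, today: str) -> bool:
    """An exception only counts while it has not expired."""
    expiry = exceptions.get(cve)
    return expiry is not None and date.fromisoformat(expiry) >= date.fromisoformat(today)


def blocking_findings(findings: list, threshold: str = "HIGH",
                      exceptions: dict = None, today: str = None) -> list:
    """Findings at or above `threshold` that are not covered by an exception,
    most severe first."""
    exceptions = exceptions or {}
    today = today or date.today().isoformat()
    min_rank = SEVERITY_ORDER.index(threshold)
    out = []
    for f in findings:
        cve = f["packageVulnerabilityDetails"]["vulnerabilityId"]
        if SEVERITY_ORDER.index(f["severity"]) >= min_rank and not is_exempt(cve, exceptions, today):
            out.append(f)
    return sorted(out, key=lambda f: -SEVERITY_ORDER.index(f["severity"]))


def describe(f: dict) -> str:
    """One report line: severity, CVE, score and affected packages with fix versions."""
    pkgs = ", ".join(
        f"{p['name']} {p['version']}"
        + (f" -> fix {p['fixedInVersion']}" if "fixedInVersion" in p else " (no fix yet)")
        for p in f["packageVulnerabilityDetails"]["vulnerablePackages"])
    return f"{f['severity']:<8} {f['packageVulnerabilityDetails']['vulnerabilityId']} score={f['inspectorScore']} {pkgs}"


def gate(findings: list, threshold: str = "HIGH",
         exceptions: dict = None, today: str = None) -> tuple:
    """Return (exit_code, report_lines); exit code 1 blocks the deploy stage."""
    blocking = blocking_findings(findings, threshold, exceptions, today)
    report = [describe(f) for f in blocking]
    report.append(f"{len(blocking)} finding(s) at or above {threshold}; "
                  f"build {'FAILED' if blocking else 'passed'}")
    return (1 if blocking else 0), report


if __name__ == "__main__":
    import sys
    code, report = gate(SAMPLE_FINDINGS, exceptions=SAMPLE_EXCEPTIONS, today="2025-06-06")
    print("\n".join(report))
    sys.exit(code)
```

The expiry date on each exception matters for the audit: a finding with no fix available can be accepted for a defined period, but the gate starts failing again once that period lapses, so the exception cannot silently become permanent.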

 

Additional Onix Recommendations for a Successful PCI DSS Journey

 

Separate Environments

Production, Staging, and Testing should ideally run in separate AWS accounts. This isolation (via AWS Organizations) ensures that a compromise in one environment does not automatically jeopardize another.

 

Automate Security and Compliance in CI/CD

Embed security checks in every phase of software delivery. Best practices include:

 

  • Static Application Security Testing (SAST) to identify code vulnerabilities.
  • Dynamic Application Security Testing (DAST) to test running applications for real-time flaws.
  • Container Scanning in build pipelines to ensure Docker images remain up to date.


Enforce Key Rotation and Strong Credentials

Require multi-factor authentication (MFA) for all IAM users, and enforce regular rotation of access keys. This practice significantly lowers the odds of long-term unauthorized access.

 

Leverage Additional AWS Security Services

 

  • AWS WAF (Web Application Firewall): Protects web applications from common exploits like SQL injection, cross-site scripting, and more.
  • AWS Shield: A managed Distributed Denial of Service (DDoS) protection service, particularly useful for high-traffic e-commerce platforms.
  • Amazon Macie: Automates the discovery of sensitive data (like personal information) in your S3 buckets, helping you manage PII and reduce accidental exposure.


Logging and Monitoring

Implement robust logging at every level:

 

  • AWS CloudTrail for API activity.
  • Amazon VPC Flow Logs for network traffic analysis.
  • AWS Lambda logs in Amazon CloudWatch for serverless functions.


Retaining these logs is crucial for incident investigations and for meeting PCI DSS requirements around monitoring and logging (Requirement 10).
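Retaining CloudTrail logs satisfies the record-keeping half of Requirement 10; the monitoring half means actually reading them. The detection logic below is an example added to this article (not Onix's or AWS's code): it walks a constructed CloudTrail file and alerts on the events a PCI environment should never see unreviewed, such as a security group opened to 0.0.0.0/0, a trail being stopped or deleted, a KMS key being disabled, or a successful console login without MFA. Field names follow CloudTrail's JSON format; the user names, ids, trail name and IP addresses are made up.

```python
"""Detection over constructed CloudTrail records for PCI DSS Requirement 10.
Field names follow CloudTrail's format; all values are made up."""
import json

LOGGING_TAMPER_EVENTS = {"StopLogging", "DeleteTrail", "UpdateTrail", "PutEventSelectors"}
KMS_TAMPER_EVENTS = {"DisableKey", "ScheduleKeyDeletion"}

# Constructed trail: three suspicious records and one benign one.
SAMPLE_TRAIL = json.dumps({"Records": [
    {"eventTime": "2025-06-06T09:12:01Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "AuthorizeSecurityGroupIngress",
     "userIdentity": {"type": "IAMUser", "userName": "ops-admin"},
     "sourceIPAddress": "203.0.113.10",
     "requestParameters": {"groupId": "sg-0example", "ipPermissions": {"items": [
         {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
          "ipRanges": {"items": [{"cidrIp": "0.0.0.0/0"}]}}]}}},
    {"eventTime": "2025-06-06T09:15:44Z", "eventSource": "cloudtrail.amazonaws.com",
     "eventName": "StopLogging",
     "userIdentity": {"type": "IAMUser", "userName": "ops-admin"},
     "sourceIPAddress": "203.0.113.10",
     "requestParameters": {"name": "org-trail"}},
    {"eventTime": "2025-06-06T09:20:10Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin",
     "userIdentity": {"type": "IAMUser", "userName": "dev-user"},
     "sourceIPAddress": "198.51.100.7",
     "additionalEventData": {"MFAUsed": "No"},
     "responseElements": {"ConsoleLogin": "Success"}},
    {"eventTime": "2025-06-06T09:25:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "GetObject",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::123456789012:assumed-role/app/i-0example"},
     "sourceIPAddress": "10.0.1.25",
     "requestParameters": {"bucketName": "card-exports", "key": "report.csv"}},
]})


def actor(record: dict) -> str:
    """Best available identity string for the alert."""
    ident = record.get("userIdentity", {})
    return ident.get("userName") or ident.get("arn") or ident.get("type", "unknown")


def world_open_ranges(record: dict) -> list:
    """Port ranges in an AuthorizeSecurityGroupIngress call opened to the whole internet."""
    ranges = []
    params = record.get("requestParameters", {})
    for perm in params.get("ipPermissions", {}).get("items", []):
        ports = f"{perm.get('fromPort')}-{perm.get('toPort')}/{perm.get('ipProtocol')}"
        v4 = [r for r in perm.get("ipRanges", {}).get("items", []) if r.get("cidrIp") == "0.0.0.0/0"]
        v6 = [r for r in perm.get("ipv6Ranges", {}).get("items", []) if r.get("cidrIpv6") == "::/0"]
        if v4 or v6:
            ranges.append(ports)
    return ranges


def detect(trail_json: str) -> list:
    """Return one alert dict per suspicious record, in trail order."""
    alerts = []
    for rec in json.loads(trail_json)["Records"]:
        name, source = rec.get("eventName"), rec.get("eventSource")
        base = {"time": rec.get("eventTime"), "actor": actor(rec),
                "source_ip": rec.get("sourceIPAddress")}
        if name == "AuthorizeSecurityGroupIngress" and (ranges := world_open_ranges(rec)):
            group = rec["requestParameters"].get("groupId")
            alerts.append({**base, "rule": "world-open-ingress",
                           "detail": f"{group}: {', '.join(ranges)} opened to 0.0.0.0/0 or ::/0"})
        elif source == "cloudtrail.amazonaws.com" and name in LOGGING_TAMPER_EVENTS:
            trail = rec.get("requestParameters", {}).get("name")
            alerts.append({**base, "rule": "audit-logging-tampered",
                           "detail": f"{name} on trail {trail}"})
        elif source == "kms.amazonaws.com" and name in KMS_TAMPER_EVENTS:
            alerts.append({**base, "rule": "kms-key-tampered", "detail": name})
        elif (name == "ConsoleLogin"
              and rec.get("responseElements", {}).get("ConsoleLogin") == "Success"
              and rec.get("additionalEventData", {}).get("MFAUsed") != "Yes"):
            alerts.append({**base, "rule": "console-login-without-mfa",
                           "detail": "successful console login with MFAUsed != Yes"})
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_TRAIL):
        print(f"{a['time']} {a['rule']:<26} actor={a['actor']} ip={a['source_ip']} {a['detail']}")
```

In production the same rules would run as CloudWatch metric filters or EventBridge rules on the trail, which also satisfies the expectation that alerts are generated automatically rather than found during a quarterly review.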

 

Keep Documentation Up-to-Date

PCI DSS audits can be demanding in terms of documentation. Maintain accurate network diagrams, firewall change records, incident response procedures, and security policies. Tools like AWS Systems Manager can automate some aspects of configuration documentation.

 

PCI-Compliant AWS Architecture: Example

Below is a high-level reference architecture for an e-commerce merchant aiming to meet PCI DSS requirements:


  • AWS WAF + CloudFront: Provides basic firewall protection and content delivery optimization.
  • ALB: Terminates TLS/SSL. Only secure connections (TLS 1.2 or higher) are allowed.
  • EC2 Instances and Private Subnets: Segregated network layers reduce potential lateral movement.
  • Amazon RDS: Encrypted at rest with AWS KMS. No direct public access—only accessible via private subnets.
  • VPC Flow Logs: Monitors all traffic within the VPC.
  • AWS Config & Security Hub: Continually monitors and evaluates resource configurations against PCI DSS controls.
  • Amazon Inspector: Scans instances and containers regularly for vulnerabilities.

 

Conclusion

Achieving and maintaining PCI DSS compliance in AWS is an ongoing process—never a “set it and forget it” endeavor.

 

By leveraging AWS Config, Security Hub, Amazon Inspector, and best practices around network segmentation, encryption, and access control, you can streamline the compliance effort and significantly enhance your security posture.

 

Still, the journey to compliance can be intricate. That’s where Onix steps in:

 

  • Over 20 years of expertise in delivering secure, scalable cloud solutions.
  • End-to-End Support—from architectural design and documentation to audits and certification.
  • Custom Solutions tailored to your unique business and technical requirements.


Ready to secure your AWS environment?


Contact Onix for a consultation, and let’s craft a robust, PCI DSS-compliant infrastructure that keeps your cardholder data secure and your business thriving. We look forward to guiding you on your path to compliance and helping you maintain the trust of customers worldwide.


FAQ

 

1. What is PCI DSS compliance, and why is it important for AWS infrastructure?

PCI DSS, or Payment Card Industry Data Security Standard, is a set of security standards designed to ensure all companies that process, store, or transmit credit card information maintain a secure environment.

 

For any business using AWS infrastructure to handle payment data, PCI DSS compliance is critical. It helps protect customer cardholder information, reduces the risk of data breaches, and ensures you meet industry regulations.

 

Achieving PCI DSS compliance within your AWS cloud environment demonstrates that your systems follow best practices for securing payment data and reinforces trust with your customers.

 

2. How does AWS support PCI DSS compliance for my cloud environment?

AWS is PCI DSS compliant at the infrastructure level, which means you’re already starting with a secure and validated cloud foundation. AWS provides a PCI Compliance Package with detailed documentation and responsibilities to help you understand what security controls AWS covers and what remains your responsibility.

 

Many AWS services are PCI DSS compliant by default, including Amazon EC2, S3, RDS, and Lambda, which allows you to build PCI-compliant applications using these tools. AWS also offers security services like AWS Config, CloudTrail, and AWS Shield that help you meet core principles of PCI DSS compliance within AWS.

 

3. How long does it take to achieve PCI DSS compliance on AWS?

The time it takes to achieve PCI DSS compliance on AWS depends on the complexity of your environment, your existing security posture, and how well your team understands compliance requirements.

 

For startups or small applications, it might take a few weeks to a couple of months. For larger, more complex systems, it could take several months.

 

The good news is that using PCI-compliant AWS services and leveraging AWS’s shared responsibility model can speed up the process significantly. If you follow best practices for setting up a secure AWS environment from day one, you'll be much closer to being PCI compliant.

 

4. How can I ensure ongoing PCI DSS compliance in my AWS environment?

Achieving PCI DSS compliance in AWS is just the beginning. Maintaining it requires regular monitoring, updates, and audits. You need to continuously manage access controls, monitor logs, apply security patches, and update configurations as your environment evolves.

 

Using AWS services like AWS Config Rules, CloudTrail, GuardDuty, and Security Hub helps you detect non-compliance and stay audit-ready. Regularly reviewing your cloud architecture and documenting your compliance efforts ensures your AWS-based application remains PCI compliant over time.

 

5. What happens if my AWS environment fails a PCI DSS audit?

Failing a PCI DSS audit in your AWS environment can lead to serious consequences, including penalties from card networks, loss of the ability to process payments, reputational damage, and potential legal issues.

 

If your audit uncovers gaps, you’ll need to address them immediately. This might involve tightening access policies, encrypting sensitive data, or reconfiguring your infrastructure.

 

AWS provides tools and documentation to help you correct these issues quickly. It’s important to take a proactive approach so that your AWS application remains PCI DSS-compliant and audit-ready at all times.
