
If your business handles credit or debit card payments, ensuring the safety of customers’ payment data is mission-critical. Meeting the Payment Card Industry Data Security Standard (PCI DSS) is not only a best practice—it’s often a contractual and legal requirement.
- What is PCI DSS, and Why Do You Need It?
- PCI DSS Core Requirements
- Determining Your PCI DSS Level and Self-Assessment Questionnaire (SAQ)
- Are AWS Services PCI DSS-Compliant?
- Step-by-Step AWS Setup for PCI DSS Compliance
- Amazon Inspector for Vulnerability Management
- Additional Onix Recommendations for a Successful PCI DSS Journey
- PCI-Compliant AWS Architecture: Example
- Conclusion
- FAQ
In this guide, Onix shares a detailed roadmap of what PCI DSS entails, why it’s vital, and how to align your AWS infrastructure accordingly. We’ll discuss key AWS services that can streamline and automate your compliance journey, drawing upon extensive real-world experience.
What is PCI DSS, and Why Do You Need It?
PCI DSS stands for Payment Card Industry Data Security Standard, a set of guidelines managed by the PCI Security Standards Council (PCI SSC).
These guidelines aim to safeguard cardholder data throughout the transaction lifecycle—from when the customer enters payment information to the secure storage of these details for future reference (when permitted).
The standard’s primary objectives include:
- Protecting cardholder data – ensuring robust encryption and data handling best practices.
- Maintaining a secure network – implementing firewalls, intrusion detection, and intrusion prevention systems.
- Regularly monitoring and testing networks – quarterly vulnerability scans, periodic penetration tests, and continuous security assessments.
- Maintaining an information security policy – setting clear protocols and procedures for managing, storing, and disposing of sensitive data.
Why it matters: Complying with PCI DSS fosters customer trust, protects your brand reputation, and prevents costly data breaches or fines. Non-compliance can lead to significant financial penalties, legal consequences, and damage to your company’s public image.
PCI DSS Core Requirements
There are 12 core requirements that organizations must meet to achieve PCI DSS compliance, grouped into six overarching goals:
- Build and Maintain a Secure Network and Systems
- Protect Cardholder Data
- Maintain a Vulnerability Management Program
- Implement Strong Access Control Measures
- Regularly Monitor and Test Networks
- Maintain an Information Security Policy
Each requirement contains several sub-requirements, focusing on everything from firewall configuration to physical security measures. AWS covers many physical and environmental controls for you, but as the AWS customer, you remain responsible for properly configuring and maintaining the logical and application layers.
Determining Your PCI DSS Level and Self-Assessment Questionnaire (SAQ)
PCI DSS categorizes organizations by how many card transactions they process annually.
This classification determines the complexity and depth of audits you must undergo:
| PCI Level | Annual Transaction Volume | Key Requirements |
|---|---|---|
| 1 | Over 6 million transactions per year | Annual QSA audit (AOC); quarterly ASV scans; annual penetration testing |
| 2 | 1 million to 6 million transactions per year | Self-Assessment Questionnaire (SAQ); quarterly ASV scans; annual penetration testing |
| 3 | 20,000 to 1 million transactions per year | Self-Assessment Questionnaire (SAQ); quarterly ASV scans |
| 4 | Fewer than 20,000 transactions per year | Self-Assessment Questionnaire (SAQ); quarterly ASV scans |
Note: While Levels 1 and 2 require more rigorous testing, all levels must complete quarterly vulnerability scans. Level 1 merchants must also undergo an external audit conducted by a Qualified Security Assessor (QSA) to receive the Attestation of Compliance (AOC).
Choosing the Right Self-Assessment Questionnaire (SAQ)
The SAQ you must complete depends on your business model and how (or if) you store cardholder data. The difficulty escalates from SAQ A (fully outsourced payment processing, no storage of card data) to SAQ D (applies if you store, process, or transmit cardholder data internally).
| SAQ Type | Description |
|---|---|
| A | Merchants with fully outsourced card data functions (e.g., e-commerce using a third-party payment processor). No internal storage or processing of cardholder data. |
| A-EP | E-commerce merchants that outsource all payment processing but whose website can affect the security of the payment transaction. |
| B | Merchants using only imprint machines or standalone, dial-out terminals; no electronic cardholder data storage. |
| B-IP | Merchants using only standalone, PTS-approved IP-connected terminals; no electronic cardholder data storage. |
| C-VT | Merchants that manually enter a single transaction at a time via an internet-based virtual terminal solution; no electronic cardholder data storage. |
| C | Merchants with internet-connected payment application systems; no electronic cardholder data storage. |
| P2PE-HW | Merchants using only hardware payment terminals with a validated P2PE solution; no electronic cardholder data storage. |
| D | All other scenarios, including service providers and merchants that store, process, or transmit cardholder data in other ways. |
Are AWS Services PCI DSS-Compliant?
AWS holds a PCI DSS Level 1 Service Provider certification, the highest level available. By default, this means:
- Physical Security at AWS data centers (surveillance, guards, restricted access, etc.) meets PCI DSS standards.
- Managed Services like Amazon RDS, Amazon S3, AWS Lambda, and more have baseline compliance measures in place.
Shared Responsibility Model
However, compliance in the cloud follows a Shared Responsibility Model:
- AWS handles security OF the cloud (physical servers, data centers, network infrastructure).
- You, the customer, are responsible for security IN the cloud—your applications, operating systems, IAM policies, encryption, network configurations, and so on.
Successfully achieving PCI DSS compliance in AWS requires diligent attention to how you configure and manage your resources. You must ensure that your specific usage of AWS meets PCI DSS requirements for data protection, access control, and security monitoring.
Step-by-Step AWS Setup for PCI DSS Compliance
Step #1: Conduct Quarterly Network Scans with an Approved Scanning Vendor
A key requirement for all PCI DSS levels is performing quarterly vulnerability scans through an Approved Scanning Vendor (ASV):
1. Identify All In-Scope Assets
Make sure you include every domain, subdomain, IP address, and AWS resource that handles or could impact cardholder data.
2. Schedule Regular Scans
Conduct these scans at least every quarter or after any significant network changes (e.g., new public endpoints, major configuration updates).
3. Review and Remediate
Address issues flagged by the ASV, such as open ports (e.g., SSH on port 22 exposed to the public), weak SSL/TLS configurations, or HTTP endpoints that need redirection to HTTPS.
Example of Common Findings from ASV Scans:
| Finding | Potential Impact | Remediation Step |
|---|---|---|
| Open SSH Port (22) | Unauthorized server access | Restrict to known IPs or VPC-based access; use bastion hosts. |
| Weak SSL/TLS Version (e.g., TLS 1.0) | Susceptible to SSL exploits | Disable old TLS/SSL in ALBs/ELBs; enforce TLS 1.2 or higher. |
| HTTP Traffic Allowed | Sensitive data could be intercepted | Enforce HTTPS redirection via ALB or CloudFront. |
Pro tip: Some scanning solutions integrate with AWS APIs, making it easier to continuously discover new resources. For instance, SecurityMetrics or Qualys can be configured to scan automatically when new endpoints appear.
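Before the ASV runs, it is worth checking for the three findings in the table yourself. The script below is an added example, not code from the article or from any scanning vendor: it walks an inventory shaped like boto3's describe_security_groups() and describe_listeners() output (the data here is constructed so it runs offline) and reports world-reachable admin ports, ALB listeners whose security policy still negotiates TLS 1.0/1.1, and HTTP listeners with no redirect. The list of TLS 1.2-or-higher policy prefixes is an assumption that has to be kept in step with the AWS policy table.

```python
"""Pre-ASV exposure self-check over a constructed AWS inventory.

Added example (not code from the Onix article). Input dictionaries follow the
shape of boto3's describe_security_groups() and describe_listeners() output,
but everything below is constructed by hand so the script runs offline.
"""

ADMIN_PORTS = {22: "SSH", 3389: "RDP"}
WORLD = {"0.0.0.0/0", "::/0"}
# ELB listener policies that negotiate only TLS 1.2 or higher. Assumption: a
# minimal prefix list; keep it in sync with the AWS security-policy table.
TLS12_PLUS_PREFIXES = (
    "ELBSecurityPolicy-TLS13-1-2", "ELBSecurityPolicy-TLS13-1-3",
    "ELBSecurityPolicy-TLS-1-2", "ELBSecurityPolicy-FS-1-2",
)


def _rule_covers_port(rule, port):
    """True when an inbound rule admits TCP traffic on `port` (or all traffic)."""
    if rule.get("IpProtocol") == "-1":
        return True
    if rule.get("IpProtocol") != "tcp":
        return False
    return rule.get("FromPort", 0) <= port <= rule.get("ToPort", 65535)


def _world_reachable(rule):
    """True when any IPv4 or IPv6 range on the rule is the whole internet."""
    cidrs = [r["CidrIp"] for r in rule.get("IpRanges", [])]
    cidrs += [r["CidrIpv6"] for r in rule.get("Ipv6Ranges", [])]
    return any(c in WORLD for c in cidrs)


def pre_asv_check(security_groups, listeners):
    """Reproduce the three common ASV findings from the article as a local check."""
    findings = []
    for sg in security_groups:
        for rule in sg.get("IpPermissions", []):
            if not _world_reachable(rule):
                continue
            for port, name in ADMIN_PORTS.items():
                if _rule_covers_port(rule, port):
                    findings.append({
                        "finding": f"Open {name} port ({port})",
                        "resource": sg["GroupId"],
                        "remediation": "Restrict to known IPs or VPC ranges; use a bastion host",
                    })
    for lst in listeners:
        if lst.get("Protocol") == "HTTPS":
            policy = lst.get("SslPolicy", "")
            if not policy.startswith(TLS12_PLUS_PREFIXES):
                findings.append({
                    "finding": "Weak TLS policy",
                    "resource": lst["ListenerArn"],
                    "remediation": f"Replace {policy} with a TLS 1.2+ security policy",
                })
        elif lst.get("Protocol") == "HTTP":
            actions = lst.get("DefaultActions", [])
            if not any(a.get("Type") == "redirect" for a in actions):
                findings.append({
                    "finding": "HTTP traffic allowed",
                    "resource": lst["ListenerArn"],
                    "remediation": "Add a redirect-to-HTTPS default action or remove the listener",
                })
    return findings


# Constructed sample: one web tier that exposes SSH, one properly scoped bastion.
SECURITY_GROUPS = [
    {"GroupId": "sg-0a11", "GroupName": "web", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
    ]},
    {"GroupId": "sg-0b22", "GroupName": "bastion", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "203.0.113.0/24"}], "Ipv6Ranges": []},
    ]},
]

# Constructed sample: an HTTPS listener on a legacy policy and an HTTP listener
# that forwards instead of redirecting.
LISTENERS = [
    {"ListenerArn": "arn:aws:elasticloadbalancing:us-east-1:111111111111:listener/app/shop/1/https",
     "Port": 443, "Protocol": "HTTPS", "SslPolicy": "ELBSecurityPolicy-2016-08",
     "DefaultActions": [{"Type": "forward"}]},
    {"ListenerArn": "arn:aws:elasticloadbalancing:us-east-1:111111111111:listener/app/shop/1/http",
     "Port": 80, "Protocol": "HTTP", "DefaultActions": [{"Type": "forward"}]},
]

if __name__ == "__main__":
    for f in pre_asv_check(SECURITY_GROUPS, LISTENERS):
        print(f"{f['finding']:<22} {f['resource']}\n    -> {f['remediation']}")
```

In a real account the two inventory lists come from paginated `describe_security_groups` and `describe_listeners` calls; the check is deliberately separate from the API calls so it can run in CI against exported JSON.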
Step #2: Enable AWS Config to Track Configuration Changes
AWS Config is essential for logging every configuration change in your AWS environment. PCI DSS auditors may ask for proof of how your infrastructure changed over time—who modified security group rules, when a new IAM role was added, etc.
1. Scope
- All Resource Types: For most organizations, selecting “All resource types with customizable overrides” ensures full visibility.
- Targeted Resource Types: If you have an advanced setup, you can selectively monitor only certain resource types.
2. Recording Frequency
- Continuous Recording: Captures changes as they happen, so drift from the desired configuration is visible immediately; this is the more expensive option.
- Daily Recording: Lower cost, but configuration changes only appear in the history the following day.
3. Service-Linked Roles and S3 Bucket
- Let AWS Config automatically create the required IAM role and S3 bucket to store your configuration history and snapshots.
AWS Config helps you meet multiple PCI DSS controls (for example, Requirements 1, 2, 5, 6, 10, 11) by maintaining a historical record of your system’s configuration states.
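AWS Config's managed rules cover the common PCI DSS checks, but a custom rule lets you encode your own policy, for example mandating a specific KMS key for cardholder-data volumes. The following is an added example, not code from the article or from AWS: a Lambda handler for a custom Config rule that marks any EBS volume without encryption at rest as NON_COMPLIANT (Requirement 3). It follows the custom-rule Lambda contract (the changed configuration item arrives in `invokingEvent`, and the verdict goes back through `put_evaluations`); the sample invocation at the bottom is constructed, and the `requiredKmsKeyArn` rule parameter is a hypothetical name.

```python
"""Custom AWS Config rule: flag EBS volumes that are not encrypted at rest.

Added example, not code from the Onix article or from AWS. It follows the
Lambda contract for custom Config rules (invokingEvent carries the changed
configuration item; the result goes back through put_evaluations). The sample
event at the bottom is constructed; the rule parameter name is hypothetical.
"""
import json

EBS_VOLUME = "AWS::EC2::Volume"


def evaluate_volume(config_item, rule_params):
    """Return (ComplianceType, annotation) for one configuration item."""
    status = config_item.get("configurationItemStatus", "")
    if status.startswith("ResourceDeleted"):
        return "NOT_APPLICABLE", "Volume no longer exists"
    if config_item.get("resourceType") != EBS_VOLUME:
        return "NOT_APPLICABLE", "Rule evaluates only EBS volumes"
    cfg = config_item.get("configuration") or {}
    if not cfg.get("encrypted"):
        return "NON_COMPLIANT", "EBS volume is not encrypted at rest (PCI DSS Req 3)"
    # Hypothetical parameter: mandate one customer-managed KMS key for card data.
    required_key = rule_params.get("requiredKmsKeyArn")
    if required_key and cfg.get("kmsKeyId") != required_key:
        return "NON_COMPLIANT", f"Encrypted with {cfg.get('kmsKeyId')}, not the mandated key"
    return "COMPLIANT", "EBS volume encrypted at rest with KMS"


def build_evaluation(event):
    """Turn a Config rule invocation into a single put_evaluations entry."""
    invoking = json.loads(event["invokingEvent"])
    item = invoking["configurationItem"]
    params = json.loads(event.get("ruleParameters") or "{}")
    compliance, note = evaluate_volume(item, params)
    return {
        "ComplianceResourceType": item["resourceType"],
        "ComplianceResourceId": item["resourceId"],
        "ComplianceType": compliance,
        "Annotation": note[:256],  # Config caps annotations at 256 characters
        "OrderingTimestamp": item["configurationItemCaptureTime"],
    }


def lambda_handler(event, context):
    """Entry point wired to the Config rule; reports the verdict back to Config."""
    evaluation = build_evaluation(event)
    import boto3  # imported here so the evaluation logic stays importable offline
    boto3.client("config").put_evaluations(
        Evaluations=[evaluation], ResultToken=event["resultToken"]
    )
    return evaluation


# Constructed sample invocation: an unencrypted volume was just discovered.
SAMPLE_EVENT = {
    "invokingEvent": json.dumps({
        "messageType": "ConfigurationItemChangeNotification",
        "configurationItem": {
            "resourceType": EBS_VOLUME,
            "resourceId": "vol-0123456789abcdef0",
            "configurationItemStatus": "ResourceDiscovered",
            "configurationItemCaptureTime": "2025-01-15T10:22:11.000Z",
            "configuration": {"volumeId": "vol-0123456789abcdef0", "encrypted": False},
        },
    }),
    "ruleParameters": json.dumps({}),
    "resultToken": "constructed-token",
}

if __name__ == "__main__":
    print(json.dumps(build_evaluation(SAMPLE_EVENT), indent=2))
```

Deleted resources are reported as NOT_APPLICABLE rather than skipped, so Config clears the old verdict instead of leaving a stale NON_COMPLIANT entry in the compliance timeline an auditor will read.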
Step #3: Use AWS Security Hub for PCI DSS Checks
AWS Security Hub serves as a centralized console, pulling in data from various AWS security services—AWS Config, Amazon Inspector, Amazon Macie, and more—and mapping them against security frameworks, including PCI DSS.
Enabling PCI DSS Standards
In Security Hub, you can enable the PCI DSS standard. Security Hub then evaluates your resources against specific PCI DSS controls, assigning a Common Vulnerability Scoring System (CVSS) severity level. Examples:
- Publicly Accessible S3 Buckets: High-severity finding if it stores or might store cardholder data.
- Unencrypted RDS Instances: Medium-to-high severity depending on the type of data processed.
- Exposed EC2 Instances: Instances with open ports that could allow unauthorized access are flagged.
Reviewing Findings and Best Practices
Each identified issue comes with a recommended remediation path (e.g., enabling encryption in transit, restricting port access). AWS Security Hub works hand in hand with AWS Config to provide compliance statuses:
| PCI DSS Control | Security Hub Finding | Recommended Action |
|---|---|---|
| Req 3: Protect stored cardholder data | “EBS volume unencrypted” or “S3 bucket unencrypted” | Encrypt volumes and buckets with AWS KMS keys |
| Req 1: Install/maintain firewall config to protect data | “Security group allows inbound traffic on 0.0.0.0/0” | Restrict inbound to known IP addresses or VPC ranges |
| Req 8: Assign a unique ID to each person with access | “IAM user with no MFA” or “User with static credentials” | Enforce MFA, rotate credentials, apply least-privilege IAM |
Pro tip: Treat every finding as part of a continuous improvement cycle—fix, verify, and re-scan. Even small weaknesses can be exploited by advanced threat actors.
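Auditors usually want the Security Hub view condensed to one line per control: does it pass, which resources fail, and what has been risk-accepted. The script below is an added example, not code from the article or from AWS. It takes findings in AWS Security Finding Format (ASFF) and groups them by PCI DSS control, counting only active findings whose workflow status is still open and keeping suppressed ones as a separate tally. The findings are constructed; the `pci-dss/v/3.2.1/<control>` GeneratorId pattern and the control titles are assumptions used for illustration.

```python
"""Summarise Security Hub PCI DSS findings per control for audit evidence.

Added example, not code from the Onix article or from AWS. The findings below
are constructed in AWS Security Finding Format (ASFF) shape; the control IDs
and titles are illustrative, and the "pci-dss/v/3.2.1/<control>" GeneratorId
pattern is an assumption.
"""
from collections import defaultdict

SEVERITY_RANK = {"INFORMATIONAL": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}
OPEN_WORKFLOW = {"NEW", "NOTIFIED"}  # still needs action; RESOLVED/SUPPRESSED do not


def control_id(finding):
    """Extract 'PCI.S3.1' from a GeneratorId like 'pci-dss/v/3.2.1/PCI.S3.1'."""
    gen = finding.get("GeneratorId", "")
    return gen.rsplit("/", 1)[-1] if gen.startswith("pci-dss/") else None


def summarise_pci_controls(findings):
    """Return {control: {"status", "worst_severity", "failed_resources", "suppressed"}}."""
    summary = defaultdict(lambda: {"status": "PASSED", "worst_severity": "INFORMATIONAL",
                                   "failed_resources": [], "suppressed": 0})
    for f in findings:
        ctl = control_id(f)
        if ctl is None or f.get("RecordState") != "ACTIVE":
            continue  # not a PCI control finding, or archived after the resource changed
        entry = summary[ctl]
        if f.get("Compliance", {}).get("Status") != "FAILED":
            continue  # PASSED / WARNING / NOT_AVAILABLE do not count against the control
        if f.get("Workflow", {}).get("Status") not in OPEN_WORKFLOW:
            entry["suppressed"] += 1  # documented risk acceptance; tracked, not failing
            continue
        entry["status"] = "FAILED"
        entry["failed_resources"] += [r["Id"] for r in f.get("Resources", [])]
        sev = f.get("Severity", {}).get("Label", "INFORMATIONAL")
        if SEVERITY_RANK[sev] > SEVERITY_RANK[entry["worst_severity"]]:
            entry["worst_severity"] = sev
    for entry in summary.values():
        if entry["status"] == "PASSED" and entry["suppressed"]:
            entry["status"] = "SUPPRESSED"  # only risk-accepted failures remain
    return dict(summary)


def evidence_lines(summary):
    """One fixed-width line per control, failing controls first."""
    order = {"FAILED": 0, "SUPPRESSED": 1, "PASSED": 2}
    lines = []
    for ctl, e in sorted(summary.items(), key=lambda kv: (order[kv[1]["status"]], kv[0])):
        lines.append(f"{ctl:<12} {e['status']:<10} {e['worst_severity']:<13} "
                     f"failed={len(e['failed_resources'])} suppressed={e['suppressed']}")
    return lines


SAMPLE_FINDINGS = [  # constructed ASFF records
    {"Id": "f-1", "GeneratorId": "pci-dss/v/3.2.1/PCI.S3.1", "Title": "S3 bucket allows public access",
     "Severity": {"Label": "CRITICAL"}, "Compliance": {"Status": "FAILED"},
     "Workflow": {"Status": "NEW"}, "RecordState": "ACTIVE",
     "Resources": [{"Type": "AwsS3Bucket", "Id": "arn:aws:s3:::orders-export"}]},
    {"Id": "f-2", "GeneratorId": "pci-dss/v/3.2.1/PCI.S3.1", "Title": "S3 bucket allows public access",
     "Severity": {"Label": "INFORMATIONAL"}, "Compliance": {"Status": "PASSED"},
     "Workflow": {"Status": "RESOLVED"}, "RecordState": "ACTIVE",
     "Resources": [{"Type": "AwsS3Bucket", "Id": "arn:aws:s3:::static-assets"}]},
    {"Id": "f-3", "GeneratorId": "pci-dss/v/3.2.1/PCI.EC2.2", "Title": "Security group open to 0.0.0.0/0",
     "Severity": {"Label": "HIGH"}, "Compliance": {"Status": "FAILED"},
     "Workflow": {"Status": "SUPPRESSED"}, "RecordState": "ACTIVE",
     "Resources": [{"Type": "AwsEc2SecurityGroup",
                    "Id": "arn:aws:ec2:us-east-1:111111111111:security-group/sg-0a11"}]},
    {"Id": "f-4", "GeneratorId": "pci-dss/v/3.2.1/PCI.IAM.4", "Title": "IAM user without MFA",
     "Severity": {"Label": "HIGH"}, "Compliance": {"Status": "FAILED"},
     "Workflow": {"Status": "NOTIFIED"}, "RecordState": "ACTIVE",
     "Resources": [{"Type": "AwsIamUser", "Id": "arn:aws:iam::111111111111:user/bob"}]},
    {"Id": "f-5", "GeneratorId": "pci-dss/v/3.2.1/PCI.S3.4", "Title": "S3 bucket unencrypted",
     "Severity": {"Label": "MEDIUM"}, "Compliance": {"Status": "FAILED"},
     "Workflow": {"Status": "NEW"}, "RecordState": "ARCHIVED",
     "Resources": [{"Type": "AwsS3Bucket", "Id": "arn:aws:s3:::deleted-bucket"}]},
]

if __name__ == "__main__":
    print("\n".join(evidence_lines(summarise_pci_controls(SAMPLE_FINDINGS))))
```

Live findings come from `get_findings` with a filter on `ProductName` / `GeneratorId`; keeping the suppressed count visible matters because a control that is "passing" only because every failure was suppressed is exactly what a QSA will ask about.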
Amazon Inspector for Vulnerability Management
While network-level security checks are crucial, application-level and container security remain equally vital. Amazon Inspector automatically scans:
- EC2 Instances
- AWS Lambda functions
- Docker Images in Amazon ECR
How Amazon Inspector Works
1. Scanning for Known CVEs
Inspector searches for Common Vulnerabilities and Exposures (CVE) in software packages, operating systems, and frameworks.
2. Malware and Exploit Detection
It detects known malicious binaries, rootkits, or exploit code that can lead to privilege escalation or data exfiltration.
3. Prioritization with CVSS
Each finding gets a CVSS-based severity score (Low, Medium, High, Critical), helping security teams prioritize fixes.
Common Findings
| Typical Vulnerability | Impact | Remediation |
|---|---|---|
| Outdated OS Packages (e.g., older Linux distro with unpatched kernel) | Exploits allowing privilege escalation, data exposure | Update to latest OS patch versions regularly |
| Vulnerable Application Libraries (e.g., Log4j) | Remote code execution | Update library versions, track known CVEs diligently |
| Weak IAM Permissions for Lambda | Potential lateral movement or privilege abuse | Restrict roles and permissions, follow least privilege |
Pro tip: Integrate Inspector findings into your CI/CD pipeline. For instance, a pipeline can fail a build if a critical vulnerability is detected, ensuring no insecure images or code reaches production.
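A pipeline gate needs more than "fail on CRITICAL": it has to honour time-limited, documented risk acceptances (otherwise teams disable the gate) and it has to decide what to do with findings that have no vendor fix yet. The script below is an added example, not code from the article or from AWS. The findings are constructed to resemble Amazon Inspector v2 `list_findings` output (`severity`, `fixAvailable`, `packageVulnerabilityDetails`); the CVE identifiers are placeholders, and the waiver file format is this example's own assumption.

```python
"""CI/CD gate over Amazon Inspector image-scan findings.

Added example, not code from the Onix article or from AWS. Findings are
constructed in the shape of Inspector v2 list_findings() records; the CVE
identifiers below are placeholders, and the waiver format is an assumption.
"""
import sys
from datetime import date

BLOCKING_SEVERITIES = {"CRITICAL", "HIGH"}


def _vuln_id(finding):
    """Prefer the CVE id; fall back to the finding ARN for non-package findings."""
    details = finding.get("packageVulnerabilityDetails") or {}
    return details.get("vulnerabilityId") or finding.get("findingArn", "unknown")


def gate_build(findings, waivers, today, block_unfixable=False):
    """Decide whether an image may ship.

    waivers: {vuln_id: {"expires": "YYYY-MM-DD", "ticket": "..."}} (assumed format).
    Returns {"blocked", "blocking", "waived", "no_fix", "ignored"}.
    """
    result = {"blocked": False, "blocking": [], "waived": [], "no_fix": [], "ignored": []}
    for f in findings:
        vuln = _vuln_id(f)
        if f.get("severity") not in BLOCKING_SEVERITIES:
            result["ignored"].append(vuln)
            continue
        waiver = waivers.get(vuln)
        if waiver and date.fromisoformat(waiver["expires"]) >= today:
            result["waived"].append(vuln)  # documented, unexpired risk acceptance
            continue
        if f.get("fixAvailable") == "NO" and not block_unfixable:
            result["no_fix"].append(vuln)  # nothing to patch yet; tracked, reported, not blocking
            continue
        result["blocking"].append(vuln)
    result["blocked"] = bool(result["blocking"])
    return result


# Constructed findings; CVE numbers are placeholders, not real identifiers.
SAMPLE_FINDINGS = [
    {"findingArn": "arn:aws:inspector2:us-east-1:111111111111:finding/1", "severity": "CRITICAL",
     "type": "PACKAGE_VULNERABILITY", "fixAvailable": "YES",
     "packageVulnerabilityDetails": {"vulnerabilityId": "CVE-0000-00001",
                                     "vulnerablePackages": [{"name": "log4j-core", "version": "2.x"}]}},
    {"findingArn": "arn:aws:inspector2:us-east-1:111111111111:finding/2", "severity": "HIGH",
     "type": "PACKAGE_VULNERABILITY", "fixAvailable": "YES",
     "packageVulnerabilityDetails": {"vulnerabilityId": "CVE-0000-00002"}},
    {"findingArn": "arn:aws:inspector2:us-east-1:111111111111:finding/3", "severity": "HIGH",
     "type": "PACKAGE_VULNERABILITY", "fixAvailable": "YES",
     "packageVulnerabilityDetails": {"vulnerabilityId": "CVE-0000-00003"}},
    {"findingArn": "arn:aws:inspector2:us-east-1:111111111111:finding/4", "severity": "MEDIUM",
     "type": "PACKAGE_VULNERABILITY", "fixAvailable": "YES",
     "packageVulnerabilityDetails": {"vulnerabilityId": "CVE-0000-00004"}},
    {"findingArn": "arn:aws:inspector2:us-east-1:111111111111:finding/5", "severity": "HIGH",
     "type": "PACKAGE_VULNERABILITY", "fixAvailable": "NO",
     "packageVulnerabilityDetails": {"vulnerabilityId": "CVE-0000-00005"}},
]

# Constructed waiver file: one valid acceptance, one that has lapsed.
WAIVERS = {
    "CVE-0000-00002": {"expires": "2099-12-31", "ticket": "SEC-1234"},
    "CVE-0000-00003": {"expires": "2000-01-01", "ticket": "SEC-0987"},
}

if __name__ == "__main__":
    verdict = gate_build(SAMPLE_FINDINGS, WAIVERS, date.today())
    for key in ("blocking", "waived", "no_fix", "ignored"):
        print(f"{key:<9} {verdict[key]}")
    sys.exit(1 if verdict["blocked"] else 0)  # non-zero exit fails the pipeline stage
```

Expired waivers block again on purpose: a risk acceptance that silently outlives its review date is the gap an assessor finds first. The `no_fix` list should still be written to the build log so unpatchable findings are visible, and `block_unfixable=True` is the stricter mode for images that front the cardholder data environment.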
Additional Onix Recommendations for a Successful PCI DSS Journey
Separate Environments
Production, Staging, and Testing should ideally run in separate AWS accounts. This isolation (via AWS Organizations) ensures that a compromise in one environment does not automatically jeopardize another.
Automate Security and Compliance in CI/CD
Embed security checks in every phase of software delivery. Best practices include:
- Static Application Security Testing (SAST) to identify code vulnerabilities.
- Dynamic Application Security Testing (DAST) to test running applications for real-time flaws.
- Container Scanning in build pipelines to ensure Docker images remain up to date.
Enforce Key Rotation and Strong Credentials
Require multi-factor authentication (MFA) for all IAM users, and enforce regular rotation of access keys. This practice significantly lowers the odds of long-term unauthorized access.
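The IAM credential report is the quickest way to prove both of these controls to an auditor, because one CSV lists every user's MFA state and the rotation date of each access key. The script below is an added example, not code from the article or from AWS: it parses a report in the column layout that `get_credential_report` returns (the report content here is constructed) and flags console users without MFA, access keys older than the rotation limit, and any active access key on the root account.

```python
"""Audit an IAM credential report for stale keys and missing MFA.

Added example, not code from the Onix article or from AWS. The column names
are those of the IAM credential report CSV (get_credential_report); the report
content below is constructed, including the account id.
"""
import csv
import io
from datetime import datetime, timezone

NOT_A_DATE = {"N/A", "no_information", "not_supported", ""}


def _parse_ts(value):
    """Credential-report timestamps are ISO 8601 with offset, or a sentinel string."""
    return None if value in NOT_A_DATE else datetime.fromisoformat(value)


def audit_credential_report(csv_text, now, max_key_age_days=90):
    """Return a list of (user, problem) tuples for the whole report."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        user = row["user"]
        if user == "<root_account>":
            # Root should have no programmatic credentials at all, and must use MFA.
            if "true" in (row["access_key_1_active"], row["access_key_2_active"]):
                findings.append((user, "root account has an active access key"))
            if row["mfa_active"] != "true":
                findings.append((user, "root account without MFA"))
            continue
        if row["password_enabled"] == "true" and row["mfa_active"] != "true":
            findings.append((user, "console password enabled without MFA"))
        for slot in ("1", "2"):
            if row[f"access_key_{slot}_active"] != "true":
                continue
            rotated = _parse_ts(row[f"access_key_{slot}_last_rotated"])
            if rotated is None:
                findings.append((user, f"access key {slot} has no rotation date"))
                continue
            age = (now - rotated).days
            if age > max_key_age_days:
                findings.append((user, f"access key {slot} is {age} days old (limit {max_key_age_days})"))
    return findings


# Constructed report: root with a key, alice with a stale key, bob without MFA.
REPORT = """\
user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,password_next_rotation,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_1_last_used_region,access_key_1_last_used_service,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date,access_key_2_last_used_region,access_key_2_last_used_service,cert_1_active,cert_1_last_rotated,cert_2_active,cert_2_last_rotated
<root_account>,arn:aws:iam::111111111111:root,2020-01-01T00:00:00+00:00,not_supported,2025-05-30T08:00:00+00:00,not_supported,not_supported,true,true,2020-01-01T00:00:00+00:00,N/A,N/A,N/A,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
alice,arn:aws:iam::111111111111:user/alice,2023-03-01T00:00:00+00:00,true,2025-05-31T09:12:00+00:00,2025-03-01T00:00:00+00:00,2025-05-30T00:00:00+00:00,true,true,2025-01-01T00:00:00+00:00,2025-05-31T09:00:00+00:00,us-east-1,s3,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
bob,arn:aws:iam::111111111111:user/bob,2024-06-01T00:00:00+00:00,true,no_information,2024-06-01T00:00:00+00:00,N/A,false,true,2025-05-01T00:00:00+00:00,N/A,N/A,N/A,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
"""

if __name__ == "__main__":
    now = datetime.now(timezone.utc)
    for user, problem in audit_credential_report(REPORT, now):
        print(f"{user:<16} {problem}")
```

Against a live account, call `generate_credential_report` first and poll until `get_credential_report` returns the CSV; the report is cached for four hours, so the age arithmetic should use the report's own generation time rather than "now" if precision matters for a quarterly evidence pack.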
Leverage Additional AWS Security Services
- AWS WAF (Web Application Firewall): Protects web applications from common exploits like SQL injection, cross-site scripting, and more.
- AWS Shield: A managed Distributed Denial of Service (DDoS) protection service, particularly useful for high-traffic e-commerce platforms.
- Amazon Macie: Automates the discovery of sensitive data (like personal information) in your S3 buckets, helping you manage PII and reduce accidental exposure.
Logging and Monitoring
Implement robust logging at every level:
- AWS CloudTrail for API activity.
- Amazon VPC Flow Logs for network traffic analysis.
- AWS Lambda logs in Amazon CloudWatch for serverless functions.
Retaining these logs is crucial for incident investigations and for meeting PCI DSS requirements around monitoring and logging (Requirement 10).
Keep Documentation Up-to-Date
PCI DSS audits can be demanding in terms of documentation. Maintain accurate network diagrams, firewall change records, incident response procedures, and security policies. Tools like AWS Systems Manager can automate some aspects of configuration documentation.
PCI-Compliant AWS Architecture: Example
Below is a high-level reference architecture for an e-commerce merchant aiming to meet PCI DSS requirements:
- AWS WAF + CloudFront: Provides basic firewall protection and content delivery optimization.
- ALB: Terminates TLS/SSL. Only secure connections (TLS 1.2 or higher) are allowed.
- EC2 Instances and Private Subnets: Segregated network layers reduce potential lateral movement.
- Amazon RDS: Encrypted at rest with AWS KMS. No direct public access—only accessible via private subnets.
- VPC Flow Logs: Monitors all traffic within the VPC.
- AWS Config & Security Hub: Continually monitors and evaluates resource configurations against PCI DSS controls.
- Amazon Inspector: Scans instances and containers regularly for vulnerabilities.
Conclusion
Achieving and maintaining PCI DSS compliance in AWS is an ongoing process—never a “set it and forget it” endeavor.
By leveraging AWS Config, Security Hub, Amazon Inspector, and best practices around network segmentation, encryption, and access control, you can streamline the compliance effort and significantly enhance your security posture.
Still, the journey to compliance can be intricate. That’s where Onix steps in:
- Over 20 years of expertise in delivering secure, scalable cloud solutions.
- End-to-End Support—from architectural design and documentation to audits and certification.
- Custom Solutions tailored to your unique business and technical requirements.
Ready to secure your AWS environment?
Contact Onix for a consultation, and let’s craft a robust, PCI DSS-compliant infrastructure that keeps your cardholder data secure and your business thriving. We look forward to guiding you on your path to compliance and helping you maintain the trust of customers worldwide.
FAQ
1. What is PCI DSS compliance, and why is it important for AWS infrastructure?
PCI DSS, or Payment Card Industry Data Security Standard, is a set of security standards designed to ensure all companies that process, store, or transmit credit card information maintain a secure environment.
For any business using AWS infrastructure to handle payment data, PCI DSS compliance is critical. It helps protect customer cardholder information, reduces the risk of data breaches, and ensures you meet industry regulations.
Achieving PCI DSS compliance within your AWS cloud environment demonstrates that your systems follow best practices for securing payment data and reinforces trust with your customers.
2. How does AWS support PCI DSS compliance for my cloud environment?
AWS is PCI DSS compliant at the infrastructure level, which means you’re already starting with a secure and validated cloud foundation. AWS provides a PCI Compliance Package with detailed documentation and responsibilities to help you understand what security controls AWS covers and what remains your responsibility.
Many AWS services are PCI DSS compliant by default, including Amazon EC2, S3, RDS, and Lambda, which allows you to build PCI-compliant applications using these tools. AWS also offers security services like AWS Config, CloudTrail, and AWS Shield that help you meet core principles of PCI DSS compliance within AWS.
3. How long does it take to achieve PCI DSS compliance on AWS?
The time it takes to achieve PCI DSS compliance on AWS depends on the complexity of your environment, your existing security posture, and how well your team understands compliance requirements.
For startups or small applications, it might take a few weeks to a couple of months. For larger, more complex systems, it could take several months.
The good news is that using PCI-compliant AWS services and leveraging AWS’s shared responsibility model can speed up the process significantly. If you follow best practices for setting up a secure AWS environment from day one, you'll be much closer to being PCI compliant.
4. How can I ensure ongoing PCI DSS compliance in my AWS environment?
Achieving PCI DSS compliance in AWS is just the beginning. Maintaining it requires regular monitoring, updates, and audits. You need to continuously manage access controls, monitor logs, apply security patches, and update configurations as your environment evolves.
Using AWS services like AWS Config Rules, CloudTrail, GuardDuty, and Security Hub helps you detect non-compliance and stay audit-ready. Regularly reviewing your cloud architecture and documenting your compliance efforts ensures your AWS-based application remains PCI compliant over time.
5. What happens if my AWS environment fails a PCI DSS audit?
Failing a PCI DSS audit in your AWS environment can lead to serious consequences, including penalties from card networks, loss of the ability to process payments, reputational damage, and potential legal issues.
If your audit uncovers gaps, you’ll need to address them immediately. This might involve tightening access policies, encrypting sensitive data, or reconfiguring your infrastructure.
AWS provides tools and documentation to help you correct these issues quickly. It’s important to take a proactive approach so that your AWS application remains PCI-DSS compliant and audit-ready at all times.