{"id":1732,"date":"2023-11-28T12:39:24","date_gmt":"2023-11-28T11:39:24","guid":{"rendered":"https:\/\/pcihispano.com\/?p=1732"},"modified":"2026-05-06T19:16:04","modified_gmt":"2026-05-06T17:16:04","slug":"aws-publica-su-guia-de-cumplimiento-con-pci-dss-v4-0","status":"publish","type":"post","link":"https:\/\/www.pcihispano.com\/en\/aws-publica-su-guia-de-cumplimiento-con-pci-dss-v4-0\/","title":{"rendered":"AWS publishes its PCI DSS v4.0 compliance guide"},"content":{"rendered":"

As part of its efforts to facilitate the implementation of controls of different security standards in its customers' environments, Amazon Web Services<\/a> (AWS), as a cloud service provider (Cloud Service Provider<\/em> \u2013 CSP), published in August 2023 the update of its Compliance Guide in PCI DSS, this time aligning it with the controls of this standard in its version 4.0.<\/span><\/p>\n

According to the definition of NIST<\/a>, ,Cloud computing is a model that enables ubiquitous, convenient and on-demand access to a shared set of configurable computing resources (e.g. networks, servers, storage, applications and services) that can be quickly provisioned and released with minimal management effort or interaction with the service provider.\u2019<\/em><\/span>. The main factors driving the growth of the global cloud computing market are the expansion of digital transformation in companies, the increase in Internet adoption (including the use of 5G), the massification of mobile devices worldwide and the increased consumption of state-of-the-art services and platforms, including IoT and industrial solutions, Big Data, edge computing<\/em> and real-time analytics and Artificial Intelligence (AI), the use of which increases the value of computer technology among companies.<\/p>\n

Currently, the cloud services market is mature and consolidated, with Amazon Web Services (AWS) as the leading provider, followed by Microsoft Azure and Google Cloud Platform (GCP):<\/p>\n

\"Infographic:<\/a><\/p>\n

Due to the innate dependence that an entity will have on its cloud service provider (Cloud Service Provider<\/em> \u2013 CSP) and once you migrate your services on-premises<\/em> to the cloud, it is important to consider the type of services and the responsibility that will be delegated to that provider. Likewise, if the services migrated to the cloud process, store or transmit payment card data, the scope of customer compliance may be extended to the infrastructure of the employed CSP.<\/p>\n

\"\"<\/p>\n

In accordance with PCI DSS v4.0 requirement 12.8, an entity shall maintain a list of service providers with whom it shares card data or whose services may affect the security of managed card data. This requirement also affects cloud service providers. To support and guide entities in the process of technical, legal and compliance assessment of different cloud service providers, in April 2018 the PCI SSC published the document.Information Supplement \u2013 Cloud Computing Guidelines<\/a>\u00ab, which describes the relationships between the CSP and its clients and the different considerations to be analyzed from the perspective of PCI DSS compliance, including risk analysis, due diligence (due diligence<\/em>), service level agreements, continuity and disaster recovery plans, incident management and different technical safety considerations for environments multi-tenancy<\/em>, hypervisor and container control, cryptography, event log management, etc.<\/p>\n

Amazon Web Services (AWS) and PCI DSS<\/h3>\n

The relationship between AWS and PCI DSS dates back many years. AWS was one of the first CSPs to validate its own infrastructure in PCI DSS to facilitate the integration into its environment of entities affected by compliance with that standard. To this day, AWS has more than 100 services within the scope of its PCI DSS validation<\/a> and makes its compliance reports available to its customers (Attestation of Compliance<\/em>) which can be unloaded in AWS Artifact<\/a>.<\/p>\n

The fundamental element in this compliance scenario where the customer and CSP environment are involved is called \u2018shared responsibility model\u2019<\/span> (shared responsibility<\/em>). This model establishes the responsibility in the operation and management of both the underlying technological platform and the physical facilities and services involved in the environment. In the case of AWS, your shared responsibility model<\/a> states that AWS's responsibilities are limited to the security of the cloud platform (responsibility for security OF the cloud<\/em>) , while the responsibility of the client entity will focus on the security of the services executed on that platform (responsibility for security IN the cloud<\/em>), with a number of controls shared between the two actors. As indicated in req. 12.8.5 of PCI DSS, AWS also provides a matrix of responsibilities for each of the PCI DSS controls, which can be downloaded at AWS Artifact<\/a>:\"\"<\/p>\n

AWS PCI DSS v4.0 Compliance Guide<\/h3>\n

In addition to the AWS infrastructure's PCI DSS compliance, the AWS Security Assurance Services<\/em> AWS developed the documentPayment Card Industry Data Security Standard (PCI DSS) v4.0 on AWS \u2013 Compliance Guide\u2019<\/a>, which includes a detailed description of the AWS service for environments affected by PCI DSS v4.0 compliance and different recommendations and best practices for each of the requirements groups, thus becoming an indispensable reading document for any entity that uses AWS services in its PCI DSS environment or for any QSA that has to evaluate environments deployed in this CSP.<\/p>\n