PCI DSS on AWS, Built to Pass

Cardholder environments on AWS, done right.

In plain English: if your product touches card payments, PCI DSS decides how your AWS environment has to be built. We design and operate a tightly scoped, segmented cardholder data environment that an assessor can sign off, and we produce the evidence they ask for. We are not a QSA. We build the environment that passes.

AWS Advanced Tier Partner
ISO 27001:2022 Certified
ISO 9001:2015 Certified
Scope First

The biggest cost lever is shrinking the CDE.

The cardholder data environment (CDE) is every system that stores, processes, or transmits card data, plus anything connected to it. PCI DSS applies to all of it. The single most effective thing we do is make that footprint as small as possible, because a smaller CDE means fewer systems to secure, fewer controls to evidence, and a cheaper, faster assessment.

Move data out of scope

Where possible we route cardholder data straight to the payment processor with hosted fields or a redirect, so your own systems never touch a full card number. Less data in your environment means less environment to assess.

Isolate what remains

Whatever must stay in scope goes into a dedicated, segmented part of the network with tight ingress and egress. Everything outside that boundary, proven by segmentation, is out of scope and does not carry PCI controls.

Network Segmentation

Keeping the cardholder environment small and isolated.

Segmentation is what lets you keep the rest of your estate out of scope, and it is what an assessor tests hardest. On AWS we build it with careful VPC design and workload isolation so the boundary is real, not just a diagram.

VPC and subnet design

The CDE lives in its own private subnets with no direct internet path, reached only through controlled load balancers and bastionless access. Security groups and network ACLs enforce least-privilege traffic in and out.

Workload isolation on ECS

In-scope services run as isolated ECS tasks with their own task roles and network paths, separated from non-CDE workloads. Secrets stay in Secrets Manager, and every data path is encrypted with TLS and KMS.

Requirements to AWS Controls

The 12 requirements, mapped to AWS.

PCI DSS is twelve requirement areas. Here is how each maps to the AWS controls we implement. AWS is itself a PCI DSS Level 1 Service Provider, so the platform beneath you is already assessed; these are the parts that are your responsibility, and ours to build.

Assessment Paths, Honestly

SAQ or QSA, and where we fit.

There are two ways your compliance gets validated, and which one applies depends on how card data flows, not on your size.

Self-Assessment Questionnaire (SAQ)

For lower-risk flows, often fully outsourced or redirect-based, you attest against a Self-Assessment Questionnaire. We map your data flows to the right SAQ, build the environment to satisfy it, and prepare the evidence so the self-assessment is honest and defensible.

QSA-led assessment

For higher-risk flows a Qualified Security Assessor performs a formal assessment and issues the Attestation of Compliance. We are not a QSA. We build the cardholder environment that passes, remediate findings, and hand the assessor the evidence they need. You choose the assessor; we make sure the assessment goes smoothly.

Related

Where PCI DSS connects.

Payments compliance rarely stands alone. If you are a payments or FinTech business, see FinTech on AWS for the wider regulatory picture, including DORA for EU financial entities. Requirement 11 penetration testing is covered by our VAPT service, and the security management system behind it all is our ISO 27001 practice.

Common Questions

PCI DSS on AWS, straight answers.

Do not see your question? Book a 30-minute call and ask directly.

Book a call →
Does using Stripe remove our PCI obligations?+
It reduces your scope, it does not remove it. A hosted payment page or Stripe Elements keeps most cardholder data off your servers, which can move you to a much smaller self-assessment. But you still have PCI DSS obligations: securing the systems that redirect to the processor, protecting your integration, patching, access control, and logging. We design the integration so your scope stays as small as it can be, then help you evidence the controls that remain.
What SAQ level applies to us?+
It depends on how card data flows through your environment, not on your size. A fully outsourced, redirect-based flow often qualifies for SAQ A. If your own servers touch or transmit cardholder data, you move up to SAQ A-EP, SAQ D, or a full Report on Compliance assessed by a QSA. We map your actual data flows first, because the flow determines the SAQ, and the SAQ determines the cost and effort.
Can you do the ASV scans?+
The quarterly external vulnerability scans required by Requirement 11 must be run by a PCI-approved scanning vendor (ASV), which is a separate accreditation. We are not an ASV, so we do not issue the passing scan report. What we do is build and harden the environment so it passes, remediate the findings, and coordinate the ASV scans and penetration testing. Our VAPT work covers the internal and application testing side.
Are you a QSA? Can you certify us?+
No. We are not a Qualified Security Assessor and we do not issue Attestations of Compliance. A QSA performs the assessment; we build the cardholder data environment that passes it and produce the evidence the assessor asks for. HAZERCLOUD is ISO 27001:2022 and ISO 9001:2015 certified and an AWS Advanced Tier Services Partner, so the control discipline is real, but the PCI attestation itself is always signed by an independent assessor or by you on a self-assessment.
How does AWS help with PCI DSS?+
AWS is a PCI DSS Level 1 Service Provider, which means the underlying infrastructure is already assessed. That covers AWS responsibilities under the shared responsibility model, not yours. You still have to configure your environment correctly: segment the cardholder data environment, encrypt data, control access, log everything, and manage change. We build on the assessed AWS foundation and implement your side of the shared responsibility.
How long does a cardholder environment build take?+
It depends on scope and your starting point. A greenfield, well-segmented environment with a small cardholder data environment is faster than retrofitting a large legacy estate. We start with a scoping and data-flow review so the timeline is based on your real environment rather than a generic estimate. Every engagement begins with a free scoping call that gives you a concrete plan before any commitment.
PCI DSS
Ready to build a cardholder environment that passes?

30 minutes on your PCI DSS AWS scope.

No sales pitch. We will look at how card data flows through your product, where the CDE really is, and what would surface in an assessment, then tell you honestly what a scoped, segmented, evidence-ready build would take. If we are not the right fit, we will say so.

AWS Advanced Tier Services Partner · ISO 27001:2022 · ISO 9001:2015 · 5× AWS-Certified Founder

30 min Free Consultation →