PCI DSS Compliant Architecture on AWS
If your application stores, processes, or transmits credit card numbers, you are in scope for PCI DSS. For FinTech companies, payment processors, and e-commerce platforms building on AWS, PCI compliance is a business requirement: the card brands (Visa, Mastercard, and the other payment networks) require every organization in the payment chain to demonstrate compliance, and they enforce it contractually through the acquiring banks and processors you depend on. Non-compliance can result in fines of up to $500,000 per incident, increased transaction fees, or loss of the ability to process cards entirely.
The single most important architectural decision in PCI DSS is scope management. Every system that stores, processes, or transmits cardholder data -- and every system connected to those systems -- falls within your Cardholder Data Environment (CDE). A poorly scoped architecture means your entire infrastructure is in scope, making compliance expensive and audits painful. A well-scoped architecture isolates the CDE, uses tokenization to minimize where card data exists, and reduces the compliance surface to the smallest possible footprint.
This course gives you the architecture patterns for building PCI DSS compliant infrastructure on AWS with an emphasis on scope reduction. You will learn how to isolate your CDE, implement the 12 PCI DSS requirements using AWS services, and prepare for your QSA assessment.
Key Requirements
PCI DSS Scope and the CDE
The Cardholder Data Environment includes all systems that store, process, or transmit account data, plus any system that is connected to those systems or that can affect their security (directory services, logging pipelines, and patch-management servers are the usual surprises). Account data means cardholder data (the primary account number, cardholder name, expiration date, and service code) and sensitive authentication data (full track data, card verification codes such as CVV2, and PINs or PIN blocks); sensitive authentication data may never be stored after authorization, even encrypted. Scope is determined by data flow, not by intention: if account data touches a system, that system is in scope, and a diagram that omits a flow does not take the system out of scope.
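The scoping rule above can be checked mechanically against an inventory of data flows and network reachability. The following Python is an added example, not part of the course material: the system names, flows and connectivity pairs are a constructed inventory, and the rule it encodes is the one just described (systems that carry account data form the CDE; systems with a direct network path to the CDE, or that can affect its security, are connected-to and also in scope; everything else is out of scope). It also evaluates the same inventory in a flat network, where every system can reach every other.

```python
"""PCI DSS scope classification from data flows and network reachability.

Added example; the inventory below is constructed, not a real environment.
Rule: systems that store, process or transmit account data are the CDE;
systems that can reach the CDE over the network, or that can affect its
security, are "connected-to" and in scope; everything else is out of scope.
"""
from itertools import combinations

# (source, destination, carries_account_data) -- constructed data flows
FLOWS = [
    ("checkout-web", "payment-api", True),
    ("payment-api", "card-vault-db", True),
    ("payment-api", "acquirer-gateway", True),
    ("checkout-web", "catalog-api", False),
    ("catalog-api", "catalog-db", False),
    ("marketing-web", "catalog-api", False),
]

# Network reachability after segmentation (undirected pairs), as you would
# derive it from security-group and NACL rules -- constructed.
SEGMENTED_CONNECTIVITY = [
    ("checkout-web", "payment-api"),
    ("payment-api", "card-vault-db"),
    ("payment-api", "acquirer-gateway"),
    ("checkout-web", "catalog-api"),
    ("catalog-api", "catalog-db"),
    ("marketing-web", "catalog-api"),
    ("bastion", "payment-api"),       # admin path into the CDE
    ("bastion", "catalog-api"),
    ("log-collector", "payment-api"),
]

# Systems that never carry a PAN but can affect CDE security (hypothetical).
SECURITY_IMPACTING = {"log-collector", "iam-directory"}

SYSTEMS = sorted(
    {s for f in FLOWS for s in f[:2]}
    | {s for pair in SEGMENTED_CONNECTIVITY for s in pair}
    | SECURITY_IMPACTING
)


def flat_network(systems):
    """Reachability in an unsegmented VPC: every system can reach every other."""
    return list(combinations(systems, 2))


def classify(flows, connectivity, security_impacting=frozenset()):
    """Return {'cde', 'connected_to', 'out_of_scope'} -> set of system names."""
    cde = set()
    for src, dst, carries_account_data in flows:
        if carries_account_data:
            cde.update((src, dst))

    adjacency = {}
    for a, b in connectivity:
        adjacency.setdefault(a, set()).add(b)
        adjacency.setdefault(b, set()).add(a)

    systems = (
        {s for f in flows for s in f[:2]}
        | set(adjacency)
        | set(security_impacting)
    )
    # One hop only: a system is connected-to if it can reach a CDE system
    # directly; systems that only reach connected-to systems stay out.
    connected_to = {
        s for s in systems - cde
        if adjacency.get(s, set()) & cde or s in security_impacting
    }
    return {
        "cde": cde,
        "connected_to": connected_to,
        "out_of_scope": systems - cde - connected_to,
    }


if __name__ == "__main__":
    for label, conn in (("flat VPC", flat_network(SYSTEMS)),
                        ("segmented", SEGMENTED_CONNECTIVITY)):
        result = classify(FLOWS, conn, SECURITY_IMPACTING)
        print(label)
        for bucket in ("cde", "connected_to", "out_of_scope"):
            print(f"  {bucket:13s} {sorted(result[bucket])}")
```

In the flat network nothing is out of scope. After segmentation, catalog-db and marketing-web drop out, but catalog-api stays in as connected-to because checkout-web, which carries the PAN, calls it directly; the way to shrink further is to take checkout-web out of the CDE by moving card capture to a processor-hosted form, which is the point of the scope reduction strategies later on this page.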
The 12 PCI DSS Requirements (as worded in PCI DSS v4.0)
1. Install and maintain network security controls
2. Apply secure configurations to all system components
3. Protect stored account data
4. Protect cardholder data with strong cryptography during transmission over open, public networks
5. Protect all systems and networks from malicious software
6. Develop and maintain secure systems and software
7. Restrict access to system components and cardholder data by business need to know
8. Identify users and authenticate access to system components
9. Restrict physical access to cardholder data
10. Log and monitor all access to system components and cardholder data
11. Test security of systems and networks regularly
12. Support information security with organizational policies and programs
Scope Reduction Strategies
- Tokenization -- Replace card numbers with tokens that have no exploitable value outside the token vault. The vault (usually operated by your payment processor) and the system that captures the PAN and hands it to the vault are in scope; systems that only ever store or pass tokens are not, provided nothing in your environment can reverse a token. A deterministic hash of the PAN is not a token in this sense: the PAN space is small enough to brute-force, and trivially so if the truncated PAN is stored alongside it, which is why PCI DSS v4.0 requires hashes of PAN to be keyed (Requirement 3.5.1.1) and why hashed and truncated forms of the same PAN must not be correlatable in one environment.
- Point-to-Point Encryption (P2PE) -- For card-present channels, encrypt card data inside the payment terminal using a PCI-listed P2PE solution so that your systems never see cleartext card numbers; the terminals remain in scope, while the networks and servers that only carry the ciphertext do not.
- Network segmentation -- Isolate the CDE from the rest of your infrastructure so that only the CDE and the systems connected to it are in scope. Segmentation reduces scope only if it is proven: PCI DSS requires penetration tests of the segmentation controls at least annually, and every six months for service providers, and a single overly permissive security group rule or VPC peering connection pulls the other side back into scope.
- Outsourcing -- Use PCI-compliant payment processors (Stripe, Adyen, Braintree) with hosted payment pages, iframes, or client-side tokenization so that card data goes from the customer's browser to the processor and your servers never touch it. The page that embeds the payment form stays in scope in a reduced form (SAQ A), and PCI DSS v4.0 adds requirements to inventory and integrity-protect the scripts on that page (Requirements 6.4.3 and 11.6.1), because a compromised script can skim card data before it reaches the processor.
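To make the "no exploitable value" point in the tokenization strategy concrete, here is an added Python example (not code from the course or from any processor): a toy vault that issues random tokens, next to the anti-pattern of using an unkeyed SHA-256 of the PAN as a token, and a brute-force that recovers the PAN from such a hash when the truncated form (first six and last four digits) is also known. The PAN is the standard Visa test number, and the vault keeps PANs in a plain dict because the point is the token design, not storage encryption, which a real vault would do under a KMS key.

```python
"""Tokenization versus hashing of PANs.

Added example (not from the course). TokenVault is a toy in-memory vault:
tokens are random and carry no information about the PAN, so only the vault
can map a token back. hash_token() is the anti-pattern of an unkeyed hash;
recover_pan_from_hash() shows why: given the truncated PAN (first 6 + last 4
digits, the form PCI DSS allows to be displayed) only six digits are unknown.
"""
import hashlib
import secrets
from typing import Dict, Optional

# Constructed input: the well-known Visa test number, not a real card.
TEST_PAN = "4111111111111111"


def luhn_ok(pan: str) -> bool:
    """Mod-10 check that every PAN satisfies; prunes the brute-force search."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def truncate(pan: str) -> str:
    """Display form permitted by PCI DSS: first six and last four digits."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


class TokenVault:
    """The one place a PAN exists. Real vaults (a processor's, or your own
    inside the CDE) encrypt the PAN column under a KMS key; omitted here."""

    def __init__(self) -> None:
        self._pan_by_token: Dict[str, str] = {}

    def tokenize(self, pan: str) -> str:
        if not pan.isdigit() or not luhn_ok(pan):
            raise ValueError("not a valid PAN")
        # 128 random bits, unrelated to the PAN: a leaked token is useless to
        # anyone who cannot call detokenize() on this vault.
        token = "tok_" + secrets.token_hex(16)
        self._pan_by_token[token] = pan
        return token

    def detokenize(self, token: str) -> str:
        """Only callable inside the CDE; everything else works with the token."""
        return self._pan_by_token[token]


def hash_token(pan: str) -> str:
    """Anti-pattern: a deterministic unkeyed hash used as a 'token'."""
    return hashlib.sha256(pan.encode()).hexdigest()


def recover_pan_from_hash(digest: str, truncated_pan: str) -> Optional[str]:
    """Brute-force the six unknown digits of a 16-digit PAN given its unkeyed
    SHA-256 and its truncated form. At most 10**6 candidates, a tenth of
    which pass Luhn and need hashing: seconds on a laptop."""
    first6, last4 = truncated_pan[:6], truncated_pan[-4:]
    for middle in range(10**6):
        candidate = f"{first6}{middle:06d}{last4}"
        if luhn_ok(candidate) and hash_token(candidate) == digest:
            return candidate
    return None


if __name__ == "__main__":
    vault = TokenVault()
    token = vault.tokenize(TEST_PAN)
    print("token:", token, "-> vault only:", vault.detokenize(token))
    print("recovered from unkeyed hash:",
          recover_pan_from_hash(hash_token(TEST_PAN), truncate(TEST_PAN)))
```

Tokenizing the same PAN twice yields two unrelated tokens, and nothing outside the vault can turn either back into a card number; the unkeyed hash, by contrast, falls to a search over at most a million candidates as soon as the truncated PAN is available from the same database or a receipt. A keyed hash (HMAC with a key held only in the CDE) closes that search, which is what Requirement 3.5.1.1 asks for.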
What This Course Covers
| Module | Topic |
|---|---|
| 1 | PCI DSS scope definition and CDE boundaries -- identifying cardholder data flows, defining CDE boundaries, and documenting scope |
| 2 | Network segmentation for scope reduction -- VPC architecture, subnet isolation, security groups, NACLs, and PrivateLink for CDE isolation |
| 3 | Cardholder data encryption and tokenization -- KMS encryption policies, tokenization architecture, and integration with payment processors |
| 4 | Access control and MFA for CDE -- IAM policies, role-based access, MFA enforcement, and privileged access management for CDE systems |
| 5 | Logging, monitoring, and file integrity -- CloudTrail, CloudWatch, Security Hub PCI standard, and file integrity monitoring for CDE |
| 6 | Vulnerability management and patching -- Inspector, ECR scanning, Systems Manager patching, and vulnerability management workflows |
| 7 | Incident response and breach procedures -- detection, containment, card brand notification requirements, and forensic investigation procedures |
Complete PCI DSS Architecture Guide
Get the complete PCI DSS architecture guide with CDE reference architectures, network segmentation templates, tokenization integration patterns, IAM policies for CDE access control, and QSA assessment preparation checklists for FinTech and e-commerce on AWS.