
Designing a PCI-DSS Compliant Platform on AWS

Architecting a PCI-DSS Level 1 compliant platform on AWS — featuring network segmentation, encryption everywhere, comprehensive audit logging, and continuous compliance monitoring.

Sabin Joshi
DevOps Engineer

Understanding PCI-DSS Scope

PCI-DSS applies to any system component that stores, processes, or transmits cardholder data (CHD), and also to components that connect to those systems or could affect their security. The most important architectural decision you'll make is minimizing scope: the fewer systems that touch CHD or share a network with them, the fewer systems you need to secure and audit.

Our architecture uses tokenization via a third-party vault (Basis Theory) so that our primary application layer never touches raw PANs; only our payment processing microservice is in scope for PCI. The vault provider is itself an in-scope third-party service provider, so its Attestation of Compliance belongs in your evidence set.

💡Tokenize card data before it reaches your application. Use Stripe, Braintree, or a dedicated vault, ideally with hosted fields so the browser submits card data straight to the provider and your servers only ever see tokens. This keeps the majority of your infrastructure out of PCI scope entirely.

Network Segmentation

PCI Requirement 1 requires network security controls that restrict all traffic into and out of the cardholder data environment (CDE). Segmentation itself is not mandatory, but without it the entire network is in scope, so we implement it with dedicated VPCs, strict NACLs, and AWS Network Firewall.

Diagram: PCI-DSS network segmentation on AWS. Internet traffic enters through WAF + AWS Shield into a DMZ VPC (public subnets holding the ALB/NLB and a VPN gateway), then into the App VPC (private subnets running the app services and other non-PCI workloads). Only the payment service and the token vault sit in the CDE VPC, the one VPC in PCI scope. All cross-VPC traffic crosses a Transit Gateway with AWS Network Firewall inspection; the CDE has zero internet egress, with all external calls made via PrivateLink; CloudTrail and Security Hub cover every VPC.
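
The CDE side of that diagram in Terraform, as an added example rather than the post's own configuration: a private subnet whose route table carries no internet route, a stateless NACL that admits only HTTPS from the App VPC, and a PrivateLink endpoint so KMS calls never leave the AWS network. The CIDRs, the region and the transit gateway ID are assumptions.

```hcl
# Added example (not the post's own Terraform): one CDE private subnet whose route
# table carries no internet route, a stateless NACL that admits only HTTPS from the
# App VPC, and a PrivateLink endpoint so KMS calls never leave the AWS network.
# The CIDRs, region and transit gateway ID are assumptions.

variable "transit_gateway_id" {
  description = "Hub TGW whose route tables send inter-VPC traffic through Network Firewall"
  type        = string
}

locals {
  region       = "us-east-1"
  app_vpc_cidr = "10.10.0.0/16" # assumed App VPC range
  cde_vpc_cidr = "10.20.0.0/16" # assumed CDE VPC range
}

resource "aws_vpc" "cde" {
  cidr_block           = local.cde_vpc_cidr
  enable_dns_support   = true
  enable_dns_hostnames = true # the endpoint's private DNS name needs this
  tags                 = { Name = "cde", PCIScope = "true" }
}

resource "aws_subnet" "cde_private" {
  vpc_id            = aws_vpc.cde.id
  cidr_block        = "10.20.1.0/24"
  availability_zone = "${local.region}a"
}

# Deliberately no 0.0.0.0/0 route: no internet gateway, no NAT gateway. The only
# non-local route hands App VPC traffic to the transit gateway, where the TGW
# route tables steer it through Network Firewall before it reaches the CDE.
resource "aws_route_table" "cde_private" {
  vpc_id = aws_vpc.cde.id

  route {
    cidr_block         = local.app_vpc_cidr
    transit_gateway_id = var.transit_gateway_id
  }
}

resource "aws_route_table_association" "cde_private" {
  subnet_id      = aws_subnet.cde_private.id
  route_table_id = aws_route_table.cde_private.id
}

resource "aws_ec2_transit_gateway_vpc_attachment" "cde" {
  transit_gateway_id = var.transit_gateway_id
  vpc_id             = aws_vpc.cde.id
  subnet_ids         = [aws_subnet.cde_private.id]
}

# NACLs are stateless, so each permitted flow needs both directions. Everything
# else falls through to the implicit deny (rule 32767). Traffic between hosts in
# this subnet, including to the KMS endpoint below, never traverses the NACL.
resource "aws_network_acl" "cde_private" {
  vpc_id     = aws_vpc.cde.id
  subnet_ids = [aws_subnet.cde_private.id]

  ingress {
    rule_no    = 100 # payment API calls from the App VPC
    protocol   = "tcp"
    action     = "allow"
    cidr_block = local.app_vpc_cidr
    from_port  = 443
    to_port    = 443
  }

  egress {
    rule_no    = 100 # responses back to the App VPC's ephemeral ports
    protocol   = "tcp"
    action     = "allow"
    cidr_block = local.app_vpc_cidr
    from_port  = 1024
    to_port    = 65535
  }
}

# KMS over PrivateLink: the call stays on the AWS backbone and resolves to a
# private IP inside the CDE, so no internet path is needed for encryption.
resource "aws_vpc_endpoint" "kms" {
  vpc_id              = aws_vpc.cde.id
  service_name        = "com.amazonaws.${local.region}.kms"
  vpc_endpoint_type   = "Interface"
  subnet_ids          = [aws_subnet.cde_private.id]
  private_dns_enabled = true
}
```

The NACL is the subnet-level backstop; the per-service allow list still lives in stateful security groups on the payment hosts. The inspection VPC holding the Network Firewall endpoints and the transit gateway route tables that force traffic through it are not shown; without them the TGW route above is a plain hop, not an inspected one. Add further interface endpoints (CloudTrail, Secrets Manager, the vault provider's PrivateLink service) the same way rather than opening any egress.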

Encryption Requirements (Req. 3 & 4)

PCI requires encryption of CHD at rest and in transit. Our implementation:

  • At rest: All EBS volumes, RDS instances, and S3 buckets encrypted with KMS customer managed keys (CMKs). Automatic key rotation enabled with a 90-day rotation period, the shortest KMS allows (the default is yearly). Rotating a KMS key does not re-encrypt stored data; it only changes the key material used for new encryptions, and KMS keeps the older material to decrypt what it already protects.
  • In transit: TLS 1.2 minimum enforced at the ALB, API Gateway, and all internal service-to-service communication via mTLS.
  • Key management: AWS KMS, with the CDE keys in a KMS custom key store backed by CloudHSM where single-tenant HSM control is required (standard KMS keys are already backed by FIPS 140-validated HSMs).
# KMS key with automatic rotation (rotation_period_in_days needs AWS provider >= 5.44)
data "aws_caller_identity" "current" {}

resource "aws_kms_key" "cde_key" {
  description             = "CDE data encryption key"
  enable_key_rotation     = true
  rotation_period_in_days = 90 # the KMS minimum; the default is yearly
  deletion_window_in_days = 30
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        # Administration carries no ViaService condition: if the only root statement
        # is conditioned on RDS, nobody can ever update, disable or delete the key again.
        Sid       = "KeyAdministration"
        Effect    = "Allow"
        Principal = { AWS = "arn:aws:iam::${data.aws_caller_identity.current.account_id}:root" }
        Action    = ["kms:Create*", "kms:Describe*", "kms:Enable*", "kms:List*", "kms:Put*",
                     "kms:Update*", "kms:Revoke*", "kms:Disable*", "kms:Get*", "kms:Delete*",
                     "kms:TagResource", "kms:UntagResource", "kms:ScheduleKeyDeletion", "kms:CancelKeyDeletion"]
        Resource  = "*"
      },
      {
        # Data-plane use is allowed only when the request arrives through RDS in this region.
        Sid       = "UseViaRDSOnly"
        Effect    = "Allow"
        Principal = { AWS = "arn:aws:iam::${data.aws_caller_identity.current.account_id}:root" }
        Action    = ["kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*", "kms:GenerateDataKey*", "kms:DescribeKey", "kms:CreateGrant"]
        Resource  = "*"
        Condition = {
          StringEquals = { "kms:ViaService" = "rds.us-east-1.amazonaws.com" }
        }
      }
    ]
  })
}
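
The transport and at-rest settings from the list above, written out as an added example (not the post's own Terraform) with the weak default shown beside the enforced value. Everything except aws_kms_key.cde_key, which the post defines, is an assumption: aws_lb.payment, aws_acm_certificate.payment, aws_lb_target_group.payment and aws_db_subnet_group.cde.

```hcl
# Added example, not the post's own Terraform. Assumed resources: aws_lb.payment,
# aws_acm_certificate.payment, aws_lb_target_group.payment, aws_db_subnet_group.cde.

# Port 80 exists only to redirect; nothing is served in clear text.
resource "aws_lb_listener" "http_redirect" {
  load_balancer_arn = aws_lb.payment.arn
  port              = 80
  protocol          = "HTTP"

  default_action {
    type = "redirect"
    redirect {
      port        = "443"
      protocol    = "HTTPS"
      status_code = "HTTP_301"
    }
  }
}

resource "aws_lb_listener" "https" {
  load_balancer_arn = aws_lb.payment.arn
  port              = 443
  protocol          = "HTTPS"
  certificate_arn   = aws_acm_certificate.payment.arn

  # Weak: the default "ELBSecurityPolicy-2016-08" still negotiates TLS 1.0 and 1.1.
  # Enforced: TLS 1.2 and 1.3 only, and every suite in this policy is ECDHE (forward secret).
  ssl_policy = "ELBSecurityPolicy-TLS13-1-2-2021-06"

  default_action {
    type             = "forward"
    target_group_arn = aws_lb_target_group.payment.arn
  }
}

# RDS storage encrypted under the CDE key; that key's policy only permits
# data-plane use when the request arrives via RDS, which this does.
resource "aws_db_instance" "payments" {
  identifier                  = "payments-cde"
  engine                      = "postgres"
  engine_version              = "16"
  instance_class              = "db.r6g.large"
  allocated_storage           = 100
  db_subnet_group_name        = aws_db_subnet_group.cde.name
  username                    = "pciadmin"
  manage_master_user_password = true  # password lives in Secrets Manager, not in state
  storage_encrypted           = true  # default is false, and it cannot be flipped after creation
  kms_key_id                  = aws_kms_key.cde_key.arn
  publicly_accessible         = false
  deletion_protection         = true
  skip_final_snapshot         = false
  final_snapshot_identifier   = "payments-cde-final"
}
```

Because storage_encrypted is immutable, an unencrypted instance has to be snapshotted, the snapshot copied with the CDE key, and a new instance restored from the copy. The listener policy name is an ALB predefined policy; if the platform needs clients that only speak TLS 1.2, the "TLS13-1-2" family still accepts them while refusing anything older.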

Audit Logging (Req. 10)

PCI requires logging all access to system components and cardholder data. We use a centralized logging architecture: CloudTrail, with log file integrity validation enabled so every hour's batch of log files gets a signed SHA-256 digest, feeds into S3; Athena handles querying and OpenSearch real-time alerting. CloudTrail records only API activity, so Requirement 10 also needs the OS, database and application access logs from CDE hosts delivered into the same pipeline.

⚠️PCI requires 12 months of log retention, with the most recent 3 months immediately accessible. An S3 lifecycle rule makes this cost-effective: the most recent 90 days stay on S3 Standard and older objects transition to Glacier Instant Retrieval, which still serves them in milliseconds (at a per-GB retrieval charge and a 90-day minimum billing duration). This is age-based tiering, which is a lifecycle rule, not S3 Intelligent-Tiering; Intelligent-Tiering moves objects on access pattern, not age, and cannot promise where a given month's logs sit.
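
The retention and integrity pieces of that pipeline in Terraform, as an added example and not the post's own configuration: a trail with log file validation, a dedicated log bucket with the 90-day Standard-to-Glacier-IR lifecycle rule, and S3 Object Lock so the logs cannot be altered or deleted inside the 12-month window. The bucket name is an assumption, and so is delivery from CloudTrail into an Object Lock bucket in your region; check that before relying on it.

```hcl
# Added example, not the post's own Terraform. Assumptions: the bucket name, and
# that CloudTrail in your region delivers into an Object Lock-enabled bucket.

data "aws_caller_identity" "current" {}

resource "aws_s3_bucket" "cloudtrail" {
  bucket              = "example-pci-cloudtrail-logs" # assumed name
  object_lock_enabled = true                          # must be set at creation
}

resource "aws_s3_bucket_versioning" "cloudtrail" {
  bucket = aws_s3_bucket.cloudtrail.id
  versioning_configuration {
    status = "Enabled"
  }
}

# Logs cannot be modified or deleted for a year, not even by the account root.
resource "aws_s3_bucket_object_lock_configuration" "cloudtrail" {
  bucket = aws_s3_bucket.cloudtrail.id
  rule {
    default_retention {
      mode = "COMPLIANCE"
      days = 365
    }
  }
}

# Age-based tiering: Standard for 90 days, Glacier Instant Retrieval after that,
# expiry only once the Object Lock retention has passed.
resource "aws_s3_bucket_lifecycle_configuration" "cloudtrail" {
  bucket = aws_s3_bucket.cloudtrail.id
  rule {
    id     = "pci-log-retention"
    status = "Enabled"
    filter {}
    transition {
      days          = 90
      storage_class = "GLACIER_IR"
    }
    expiration {
      days = 400 # beyond the 365-day lock; leave slack for an audit in progress
    }
  }
}

# Standard CloudTrail delivery policy: read the bucket ACL, write under AWSLogs/<account>/.
resource "aws_s3_bucket_policy" "cloudtrail" {
  bucket = aws_s3_bucket.cloudtrail.id
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Sid       = "AWSCloudTrailAclCheck"
        Effect    = "Allow"
        Principal = { Service = "cloudtrail.amazonaws.com" }
        Action    = "s3:GetBucketAcl"
        Resource  = aws_s3_bucket.cloudtrail.arn
      },
      {
        Sid       = "AWSCloudTrailWrite"
        Effect    = "Allow"
        Principal = { Service = "cloudtrail.amazonaws.com" }
        Action    = "s3:PutObject"
        Resource  = "${aws_s3_bucket.cloudtrail.arn}/AWSLogs/${data.aws_caller_identity.current.account_id}/*"
        Condition = { StringEquals = { "s3:x-amz-acl" = "bucket-owner-full-control" } }
      }
    ]
  })
}

resource "aws_cloudtrail" "pci" {
  name                          = "pci-trail"
  s3_bucket_name                = aws_s3_bucket.cloudtrail.id
  is_multi_region_trail         = true
  include_global_service_events = true
  enable_log_file_validation    = true # hourly digest files signed by CloudTrail
  depends_on                    = [aws_s3_bucket_policy.cloudtrail] # bucket must accept writes first
}
```

Digest files let an assessor (or you, after an incident) prove the chain is unbroken: `aws cloudtrail validate-logs --trail-arn <trail-arn> --start-time <ISO-8601>` walks the hourly digests and reports any log file that is missing, modified or re-signed. Keep the bucket in a separate, tightly controlled logging account so that compromise of a CDE account cannot reach the evidence.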

Continuous Compliance with Security Hub

Manual audits aren't enough. We run AWS Security Hub with the PCI-DSS standard enabled, which evaluates its PCI control set against the account's configuration automatically, both on resource changes and on a schedule. Failed controls trigger PagerDuty alerts and are tracked in a dedicated compliance dashboard. Our current score: 97.8% passing controls. Bear in mind that the score covers only AWS-side configuration checks; it says nothing about application controls such as secure development under Requirement 6, and it is evidence for the assessor, not a substitute for the assessment.
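
The enable-and-alert wiring behind that paragraph, as an added example (not the post's own Terraform): Security Hub with the PCI DSS standard subscribed, and an EventBridge rule that forwards every new, active, FAILED PCI finding to an SNS topic that PagerDuty subscribes to. The region and topic name are assumptions; the AssociatedStandards match assumes consolidated control findings are turned on in Security Hub.

```hcl
# Added example, not the post's own Terraform. Assumptions: region, topic name,
# and that Security Hub's consolidated control findings are enabled (the
# Compliance.AssociatedStandards field the rule matches on comes with that setting).

locals {
  region       = "us-east-1"
  pci_standard = "arn:aws:securityhub:${local.region}::standards/pci-dss/v/3.2.1"
}

resource "aws_securityhub_account" "this" {}

resource "aws_securityhub_standards_subscription" "pci" {
  standards_arn = local.pci_standard
  depends_on    = [aws_securityhub_account.this]
}

resource "aws_sns_topic" "pci_failures" {
  name = "securityhub-pci-failed-controls" # PagerDuty's SNS integration subscribes here
}

# EventBridge must be allowed to publish to the topic.
resource "aws_sns_topic_policy" "pci_failures" {
  arn = aws_sns_topic.pci_failures.arn
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Effect    = "Allow"
      Principal = { Service = "events.amazonaws.com" }
      Action    = "sns:Publish"
      Resource  = aws_sns_topic.pci_failures.arn
    }]
  })
}

# Only NEW + ACTIVE + FAILED findings from the PCI standard. Without the Workflow
# and RecordState filters every periodic re-evaluation would page the on-call again.
resource "aws_cloudwatch_event_rule" "pci_failed" {
  name        = "securityhub-pci-failed"
  description = "Failed PCI DSS control findings from Security Hub"
  event_pattern = jsonencode({
    source        = ["aws.securityhub"]
    "detail-type" = ["Security Hub Findings - Imported"]
    detail = {
      findings = {
        RecordState = ["ACTIVE"]
        Workflow    = { Status = ["NEW"] }
        Compliance = {
          Status              = ["FAILED"]
          AssociatedStandards = { StandardsId = [{ prefix = "standards/pci-dss/" }] }
        }
      }
    }
  })
}

resource "aws_cloudwatch_event_target" "pci_failed_to_sns" {
  rule = aws_cloudwatch_event_rule.pci_failed.name
  arn  = aws_sns_topic.pci_failures.arn
}
```

Set the finding's workflow status to NOTIFIED or SUPPRESSED when it is acknowledged (from the PagerDuty side or with `aws securityhub batch-update-findings`); otherwise a control that stays failed keeps matching on every import. PCI DSS v3.2.1 was retired by the PCI SSC on 31 March 2024, so if your Security Hub region offers the v4.0.1 standard, subscribe to that ARN instead and keep the prefix match as is.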

Working with a QSA

A Qualified Security Assessor (QSA) performs the on-site assessment and writes the Report on Compliance (RoC) that Level 1 requires; lower levels may self-assess with an SAQ instead. Key tips: document your network diagrams meticulously, maintain a data flow diagram showing every place CHD moves (including the browser-to-vault tokenization path), and use AWS Artifact to download AWS's own PCI DSS Attestation of Compliance and Responsibility Summary, alongside the SOC 2 and ISO 27001 reports, as evidence for the controls you inherit under the shared responsibility model. Collect the same AOC from the tokenization vault provider. The audit process takes 2–3 months; start early.