
PCI DSS Compliance Checker for AWS
Is your AWS cardholder-data environment ready for PCI DSS v4.0? Answer 15 questions across the requirement groups your QSA weighs most to find gaps before your assessment.
- 15 questions
- 5 requirement areas
- Instant gap report
Question
Your PCI DSS Readiness Score
Across the PCI DSS v4.0 requirement groups most relevant to AWS
Score by Requirement Area
Get Your PCI DSS Gap Report
Requirement-by-requirement gap analysis with the specific AWS services that satisfy each control.
Gap report on its way!
Our AWS compliance team will review your scores and send a tailored remediation guide.
PCI DSS Gap Remediation Guide
Need Help Scoping Your CDE?
Our AWS security architects design PCI-compliant cardholder-data environments — network segmentation, tokenization, WAF, key management, and evidence automation. We can run a readiness review and map remediation to PCI DSS v4.0.
Book a Free PCI DSS Readiness Review →Who This Tool Is For
CTOs, security leads, and compliance owners at fintech, payments, and eCommerce companies that store, process, or transmit cardholder data on AWS. If you're preparing for a QSA assessment or completing an SAQ and haven't formally checked your controls, start here.
Why We Built This Tool
PCI DSS v4.0 has 12 requirements and hundreds of sub-controls, and the fastest way to blow a timeline is discovering a segmentation or logging gap during the assessment. This checker groups the requirements into the five areas that dominate AWS scope — network security, cardholder-data protection, access control, logging and monitoring, and vulnerability management — so you can triage before your QSA does.
What Problem It Solves
- Scope creep. An un-segmented CDE pulls your whole account into scope. This flags where segmentation and endpoints shrink it.
- Assessment surprises. Gaps found during a QSA engagement delay attestation and re-scope work. Surface them first.
- Encryption and key gaps. Requirements 3 and 4 are the most common failures. This checks encryption at rest, in transit, and key management.
- Missing evidence. PCI is an evidence exercise. This shows where AWS-native logging, WAF, and scanning produce it.
See our AWS security & compliance work for PCI DSS architecture, segmentation, and evidence automation.
Frequently Asked Questions
Is this a PCI DSS assessment?
No. A formal PCI DSS assessment is performed by a Qualified Security Assessor (QSA) or, for eligible merchants, via a Self-Assessment Questionnaire (SAQ). This tool is a self-assessment that helps you find and prioritize gaps before that formal process. It is triage, not attestation.
Does using AWS make me PCI compliant?
No. AWS is PCI DSS Level 1 certified as a service provider, which covers the infrastructure AWS operates — but under the shared responsibility model you own the controls in your environment: segmentation, encryption, access control, logging, and monitoring. You can request AWS's PCI attestation via AWS Artifact, but your own CDE still has to pass.
What is the cardholder data environment (CDE)?
The CDE is the people, processes, and technology that store, process, or transmit cardholder data — plus any systems connected to it. Minimizing and segmenting the CDE (for example, isolating it in a dedicated VPC/account with tight security groups) is the single most effective way to reduce PCI scope and cost.
What changed in PCI DSS v4.0?
v4.0 (mandatory since 2025) adds a customized-approach option, stronger authentication (MFA for all access into the CDE), expanded requirements around scripts and phishing, and more targeted risk analyses. Several requirements moved from best practice to mandatory — which is why re-checking your posture against v4.0 specifically matters.
