AWS releases updated PCI PIN compliance report for payment cryptography
Amazon Web Services has published an updated Payment Card Industry Personal Identification Number (PCI PIN) compliance package for its AWS Payment Cryptography service, confirming a recent third-party audit of the platform. The report package is now accessible through AWS’s compliance portal.

Two PCI PIN compliance reports included
The update includes two primary deliverables. The first is a PCI PIN Attestation of Compliance (AOC) showing that a Qualified Security Assessor (QSA) validated AWS Payment Cryptography against the PCI PIN security standard with zero findings. The second is a PCI PIN Responsibility Summary that offers guidance on customer obligations when operating systems that handle PIN-based transactions.
AWS said the audit was conducted by Coalfire, an independent assessor recognized by the PCI Security Standards Council.

Background on AWS Payment Cryptography
AWS Payment Cryptography is a managed cloud service designed to handle payment-related cryptographic operations and key management that align with established payment industry standards. These standards include PCI PIN, PCI Point-to-Point Encryption (P2PE), and the broader PCI Data Security Standard (PCI DSS).
The service uses hardware security modules (HSMs) certified to Payment Card Industry PIN Transaction Security (PTS) HSM requirements, and it is intended to support use cases such as card issuance, transaction processing, and PIN validation in cloud-native environments.
Organizations that run payment applications on AWS often confront rigorous compliance demands. Industry standards like PCI PIN define controls for the management, processing, and transmission of personal identification numbers and cryptographic keys. Qualified PIN Assessors evaluate adherence to these standards in environments that handle PIN data.