PCI-DSS v4.0 Compliance Checklist for E-Commerce on AWS

Key Takeaways

✓PCI DSS v4.0 grace period ended March 31, 2025 — all 47 new requirements are now fully mandatory

✓Fines: $5,000-$10,000/month (first 90 days) scaling to $50,000-$100,000/month by month seven

✓AWS being PCI Level 1 does NOT make your app compliant — shared responsibility model covers only infrastructure

✓Full 12-requirement checklist mapped to specific AWS services: WAF, KMS, Macie, GuardDuty, Security Hub, CloudTrail

✓Proper CDE segmentation cuts audit scope by 60-70%, saving $23,000-$41,000 in QSA assessment costs annually

The grace period is over. You are being fined right now.

If your e-commerce store is processing card payments on AWS and you haven't audited your stack against PCI DSS v4.0 since March 2025, you are sitting on a live fine. Not a risk. A fine. Every "best practice" requirement that your QSA previously marked as "Not Applicable" is now fully mandatory. Penalties start at $5,000-$10,000/month for the first 90 days, scaling to $50,000-$100,000/month by month seven.

A breach while non-compliant? One-time penalty of $500,000 to $5,000,000 — plus full fraud liability on every compromised card. Target's 2013 breach (largely tied to PCI gaps) cost $292 million total.

We work with e-commerce brands on AWS every week. What we keep seeing is not deliberate ignorance — it is founders and CTOs who think they are covered because AWS is a PCI Level 1 Service Provider. That assumption has already cost more than one company tens of thousands of dollars in emergency remediation.

The Trap Everyone Falls Into: AWS Shared Responsibility

AWS being a PCI DSS Level 1 Service Provider does not mean your application is PCI compliant. It means AWS has secured the physical data centers, the hypervisor layer, and the hardware infrastructure. That is AWS's half.

Your Half of the Responsibility

Your EC2 operating systems, your IAM policies, your S3 bucket permissions, your application code, your encryption configuration, your access logs, and your network topology.

We have seen clients leave an S3 bucket public for 11 months — storing order receipts with truncated PANs — because they assumed the AWS PCI attestation covered it.

It does not. The moment you misconfigure a security group and expose your payment processing layer to the public internet, you own that audit finding entirely.

What Actually Changed in v4.0 (The Parts Your Team Is Missing)

PCI DSS v4.0 introduced 47 new requirements on top of the existing 12-requirement framework. Here are the five that e-commerce teams on AWS get wrong most often.

PCI DSS v4.0 zero-trust inside the cardholder data environment showing AWS IAM Identity Center enforcing MFA everywhere per requirements 8.4 and 8.5 and blocking remote PAN copy-pasting per requirement 3.4.2 via AWS Systems Manager Session Manager

Req 6.4.2 — WAF on Every Payment Page. You now need a Web Application Firewall detecting and blocking web-based attacks on your checkout flow. Not optional. Not "best practice." Mandatory. On AWS, this maps directly to AWS WAF in front of your ALB or CloudFront distribution serving the checkout page.

Req 6.4.3 — Payment Page Script Authorization. Every JavaScript running on your payment page must be inventoried, authorized, and integrity-verified. Direct response to Magecart-style skimming attacks that stole card data from 380+ e-commerce sites in a single 2019 campaign. Running Google Tag Manager with 14 third-party scripts and no Content Security Policy? You fail this requirement on day one.

Req 8.4 & 8.5 — MFA Everywhere in the CDE. v3.2.1 only required MFA for remote access. v4.0 requires MFA for all access into the Cardholder Data Environment — local admin access included. AWS IAM with hardware MFA tokens or virtual authenticators via AWS IAM Identity Center covers this, but only if you have correctly scoped your CDE boundary first.

Req 3.4.2 — No PAN Copy via Remote Access. If your developers use AWS Systems Manager Session Manager to access production servers that touch PAN data, you now need technical controls preventing copy-paste of card numbers to local clipboards. Most teams have zero controls here.

Req 10.7.3 — Respond to Critical Control Failures Promptly. Now mandatory for all entities. If your AWS CloudTrail goes silent for 6 hours because someone accidentally disabled it, you need a documented, tested response process — not a Slack message saying "hey, our logs stopped."

The Full PCI-DSS v4.0 Checklist on AWS

This maps all 12 PCI DSS requirements to the specific AWS services that fulfill them. If you can't map a requirement to an active, configured service — you have a gap.

Req 1 — Network Security Controls (Firewalls)

▢ VPC with private subnets isolating all CDE resources from public-facing systems

▢ Security Groups configured with deny-all defaults; only explicitly permitted ports open

▢ AWS Network Firewall or WAF deployed at the CDE perimeter

▢ VPC Flow Logs enabled and routed to CloudWatch or S3 for 12-month retention

▢ Network diagrams updated quarterly (v4.0 now requires these for QSA assessment)

Req 2 — Secure Configurations

▢ No default passwords on any EC2, RDS, or third-party service

▢ AWS Systems Manager Patch Manager enforcing OS-level hardening baselines

▢ AWS Config Rules actively checking for non-compliant resource configurations

▢ All configuration standards documented, including every AWS service in scope

Req 3 — Protect Stored Account Data

▢ Full PAN data is NOT stored post-authorization — if you are storing raw card numbers in DynamoDB or RDS, stop reading this and call your payment processor

▢ Tokenization via a PCI-validated gateway (Stripe, Braintree) so your AWS environment never touches raw PAN

▢ AWS KMS encrypting database at rest with customer-managed keys

▢ Amazon Macie scanning S3 buckets for accidental PAN data storage

▢ Keyed cryptographic hashes (not plain SHA-256) if hashing renders PAN unreadable — Req 3.5.1.1

Req 4 — Protect Cardholder Data in Transit

▢ TLS 1.2 minimum on all ALB and CloudFront distributions (TLS 1.0 and 1.1 explicitly disabled)

▢ AWS Certificate Manager managing certificates with auto-renewal

▢ No cardholder data transmitted over unencrypted email, messaging, or API calls

Req 5 — Protect Against Malicious Software

▢ Amazon Inspector continuously scanning EC2 and container images for vulnerabilities

▢ Amazon GuardDuty enabled across all AWS accounts, monitoring for malware indicators

▢ Antimalware agents deployed on any self-managed EC2 instances in the CDE

Req 6 — Develop and Maintain Secure Systems

▢ AWS WAF deployed in front of checkout flow with OWASP Top 10 ruleset — Req 6.4.2

▢ Content Security Policy (CSP) header on all payment pages restricting script sources — Req 6.4.3

▢ Subresource Integrity (SRI) hashes on all third-party scripts at checkout

▢ AWS CodePipeline with Inspector scan gate blocking deployments with critical CVEs

▢ Penetration testing conducted at least annually and after significant changes

Req 7 & 8 — Access Control & Authentication

▢ AWS IAM policies using least-privilege; no *:* wildcard policies on any CDE account

▢ Service Control Policies (SCPs) in AWS Organizations preventing privilege escalation

▢ Access reviews every 6 months; inactive IAM users disabled after 90 days

▢ AWS IAM Identity Center with MFA enforced for ALL console and API access — Req 8.4/8.5

▢ No shared IAM users; every human and service has a unique identity

▢ AWS Secrets Manager rotating database credentials automatically; zero hard-coded creds in code

Req 9 — Physical Access

▢ AWS handles the physical data center layer — covered by AWS's PCI Level 1 attestation

▢ Document that physical access to developer workstations and on-premise systems is controlled if any CDE data touches them

Req 10 — Logging and Monitoring

▢ AWS CloudTrail enabled in all regions with log file validation and 12-month retention

▢ CloudWatch alerting on CloudTrail deletion, MFA disablement, root account usage

▢ AWS Security Hub with PCI DSS v4.0 standard enabled for automated compliance scoring

▢ Critical security control failure response process documented and tested — Req 10.7.3

▢ Logs tamper-protected: CloudTrail logs in a write-once S3 bucket with S3 Object Lock

Req 11 — Test Security Systems Regularly

▢ Internal vulnerability scans quarterly via Amazon Inspector

▢ External vulnerability scans by a PCI SSC-approved ASV quarterly

▢ Penetration test annually; scope must include CDE on AWS

▢ ALL vulnerabilities tracked and remediated (not just high/critical) — new Req 11.3.1.1

▢ AWS Config drift detection alerting when any CDE resource configuration changes

Req 12 — Security Policies & Procedures

▢ Written information security policy covering all 12 PCI requirements, reviewed annually

▢ Risk assessment conducted annually and after significant environmental changes

▢ Third-party vendor (including AWS) compliance responsibilities documented in the Responsibility Assignment Matrix

▢ Incident response plan tested annually; AWS Incident Detection and Response service considered for critical workloads

▢ All personnel handling cardholder data complete security awareness training annually

The 5 Scoping Mistakes That Blow Up Your Audit

PCI DSS scope segmentation comparison showing over-scoped architecture with marketing servers mixed with payment integrations making entire VPC subject to audit versus segmented CDE in dedicated private VPC cutting audit scope by 60 to 70 percent saving 23000 to 41000 dollars in QSA assessment costs

Mistake 1: Over-Scoping Kills Your Audit Budget

The problem: If your marketing EC2 instance sits in the same VPC as your payment processor integration, congratulations — your marketing server is now in scope for PCI.

We segment the CDE into its own VPC (or dedicated AWS account) from day one

Cuts audit scope by 60-70%. Saves $23,000-$41,000 in QSA costs annually.

Mistake 2: Ignoring the Payment Page Even With Stripe

Using Stripe.js or Braintree's hosted fields reduces your scope but does not eliminate Requirement 6.4.3. Every script tag on that checkout page is still your responsibility.

We have seen teams with 23 active third-party scripts on checkout pages — pixels, heatmaps, A/B testing tools — none of them inventoried.

Mistake 3: Multi-Account AWS Organizations With No SCPs

Developers with admin access in your dev account can often escalate privileges into production if your AWS Organization has no guardrails.

One misconfigured IAM trust policy and your entire CDE is one assume-role call away from a developer's laptop.

Mistake 4: Treating AWS Config as "Nice to Have"

AWS Config is not optional for PCI. It is your continuous compliance audit trail. Without it, your QSA will ask how you detect configuration drift.

"We check manually" is not an acceptable answer at any merchant level.

Mistake 5: Forgetting Lambda and Containers Are in Scope

If your Lambda function processes a webhook from your payment gateway, that Lambda is in your CDE. Its execution role, its environment variables, and its VPC placement are all audit findings waiting to happen.

Secrets get hard-coded in Lambda environment variables 73% of the time, in our experience.

The 12-Week Implementation Sequence That Works

Most teams try to implement all 12 requirements simultaneously and end up with a half-finished compliance project 8 months later. Here is the sequence that works.

Timeline	What Happens	AWS Services Activated
Week 1-2	Scope and Segment. Define CDE boundary. Move CDE workloads to isolated VPC/dedicated account.	CloudTrail, Config, Security Hub, GuardDuty
Week 3-4	Identity and Access Hardening. Enforce MFA via IAM Identity Center. Rotate creds. Kill every `:` policy.	IAM Identity Center, Secrets Manager, SCPs
Week 5-6	Data Protection Layer. Scan S3 for PAN data. Enable KMS encryption on RDS, DynamoDB, EBS. Confirm tokenization.	Macie, KMS, Certificate Manager
Week 7-8	Payment Page Hardening. Deploy WAF with managed rules. Implement CSP headers. Inventory every checkout JS.	AWS WAF, CloudFront, ALB
Week 9-10	Monitoring and Alerting. Build CloudWatch dashboards. Route Security Hub findings to ticketing within 15 minutes.	CloudWatch, Security Hub, EventBridge
Week 11-12	QSA Readiness. Run Security Hub PCI standard. Resolve critical findings. Commission external scan. Prepare documentation.	Security Hub PCI Standard, Inspector

Reality check: A well-staffed team on AWS can achieve a fully documented, audit-ready CDE in 11-13 weeks on a first implementation. Teams that skip the scoping step in Week 1 typically spend 37 additional hours untangling the mess before their QSA assessment.

Why "We Use a Hosted Payment Page" Is Not a Strategy

This is the most dangerous misconception we encounter. Using Stripe's hosted checkout or PayPal's redirect drops you to SAQ A — the lightest compliance tier covering 22 requirements. But it does not mean you ignore the other requirements for your AWS environment.

Insider Warning

If your order management system, customer data, or any part of the post-payment workflow runs on AWS and touches cardholder names, emails connected to transactions, or order identifiers linked to payment records — you still have a scope. Your QSA will find it. Your acquirer will find it. And if a breach finds it first, the "but we use Stripe" defense costs you exactly $0 in protection.

PCI DSS v4.0 continuous compliance engine synthesis diagram showing AWS Config and Security Hub at center connected to perimeter defense via AWS WAF data protection via KMS and Macie and access control via IAM Identity Center in continuous monitoring loop where any disabled or misconfigured piece breaks compliance in real time

Frequently Asked Questions

Is AWS automatically PCI DSS compliant for my e-commerce store?

No. AWS holds a PCI DSS Level 1 Service Provider certification covering the physical infrastructure and managed services layer. Your application configurations, IAM policies, network architecture, and data handling practices are your responsibility under the shared responsibility model.

Which AWS services are in scope for PCI DSS v4.0?

Over 100 AWS services are in scope, including EC2, RDS, S3, Lambda, API Gateway, CloudFront, AWS WAF, GuardDuty, Security Hub, KMS, Secrets Manager, CloudTrail, VPC, and IAM. Any service storing, processing, or transmitting cardholder data — or impacting the security of systems that do — falls within your CDE audit boundary.

What is the biggest new v4.0 requirement for e-commerce on AWS?

Requirements 6.4.2 and 6.4.3. Requirement 6.4.2 mandates a WAF on all payment pages, and 6.4.3 requires every script executing on your payment page to be inventoried and integrity-verified. These two alone require AWS WAF deployment plus a full audit of every third-party JavaScript tag on your checkout flow.

How long does PCI DSS v4.0 compliance take on AWS from scratch?

For a mid-size e-commerce business with a properly scoped CDE, expect 11-13 weeks to reach QSA-ready status with a structured implementation sequence. The most common delay is scope definition — teams that skip proper CDE segmentation spend an extra 4-6 weeks reworking their AWS architecture.

What happens if we have a breach while non-compliant?

Beyond recurring monthly fines ($5,000-$100,000/month), a breach while non-compliant triggers a one-time fine from card brands of $500,000 to $5,000,000. You also assume full fraud liability, face mandatory forensic investigation costs ($50,000-$200,000), and risk having your card processing ability terminated by your acquiring bank.

Stop Running a Compliant-Looking Stack That Isn't

PCI DSS v4.0 on AWS is not a one-time project. It is a continuous state. If CloudTrail, Config, Security Hub, or GuardDuty are disabled, misconfigured, or unmonitored — you are non-compliant right now, regardless of what last year's SAQ says. We will identify your three most critical gaps in 15 minutes.