All the FAQs, documents and statements published by AWS aside, did any Level 1 merchant actually achieve PCI compliance on AWS yet? We're evaluating moving some of our services to EC2/VPC, but our auditor is saying that AWS hadn't been cooperative when their other clients were trying to achieve compliance and had to go to Rackspace instead. The issues they ran into were:

- AWS isn't providing an itemized list of controls assessed in AWS' own PCI audit, making it impossible for the auditor to mark which items are covered off by AWS and which are the responsibility of the client
- AWS isn't clarifying how the hypervisor was assessed and which tests were performed to ensure tenant isolation

Update: This question was originally asked on StackExchange, but was voted down as not appropriate for that site: https://stackoverflow.com/questions/6851259/has-anyone-achieved-level-1-pci-compliance-on-aws