Compliant in the Cloud? Sounds like a reality now!


According to this link: http://aws.amazon.com/about-aws/whats-new/2010/12/07/aws-achieves-pci-dss-level-1-compliance/

Amazon's AWS EC2, EBS, S3 and VPC services have been validated according to the criteria of a Level 1 Service Provider.

What's interesting is that as of today, 9 March 2011, both Visa's and Mastercard's lists of Compliant Service Providers show different dates and QSAs - perhaps one for the Merchant services and one for the Service Provider ones? But then Merchants would not get listed, so why the discrepancy?

Another interesting inconsistency is the following statement: "Because our validation was completed and submitted on November 30, 2010, Visa’s site may not be updated yet.... This secure architecture has been validated by an independent QSA and was found to be in compliance with all requirements of DSS version 2.0 published in October 2010."

Technically speaking, no v2.0 assessments should have been performed before Jan 1 2011 - or am I missing something?

(These were just side thoughts, slightly off-topic, but definitely thought provoking too.)

There is a fairly detailed FAQ link on the above page which answers the common questions that spring to mind at the thought of Compliance in the Cloud: http://aws.amazon.com/security/pci-dss-level-1-compliance-faqs/

There are a couple of interesting Questions and Answers in there, which I thought to put out for some feedback and discussion:

Q? Do QSAs for Level 1 merchants require a physical walkthrough of a service provider’s data center?

A! No. A merchant can obtain certification without a physical walkthrough of a service provider’s data center if the service provider is a Level 1 validated service provider (such as AWS). (more text in the full FAQ)

Q? Will AWS cooperate with forensic investigations if required?

A! Yes. AWS is classified as a shared hosting provider and, as specified in DSS requirement A.1.4, has written policies that provide for a timely forensics investigation of related servers in the event of a compromise. (more text in the full FAQ)

Q? Is there a special PCI compliant environment I need to specify when bringing up servers or uploading objects to store?

A! No. The entire infrastructure that supports EC2, S3, EBS and VPC is compliant and there is no separate environment or special API to use. (more text in the full FAQ)

Q? Does the PCI standard require single-tenant environments in order to be compliant?

A! No. The AWS environment is a virtualized, multi-tenant environment. AWS has effectively implemented security management processes, PCI controls, and other compensating controls that effectively and securely segregate each customer into its own protected environment.

Those are just a few of the Q&As; there are more on the second link above.

1) I was wondering if anyone has validated, as a QSA, either a Merchant or a Service Provider using infrastructure in the cloud?

2) Has anyone been validated as a Merchant or Service Provider hosting infrastructure in the cloud?

3) The Amazon FAQ seems to talk about the Physical Security Controls, which have been the focus of the validated services they provide. The FAQ confirms this is a virtualized environment and that the requirements dealing with the virtualization controls have been met. Would there be any other controls besides those that need to be validated, or can they be relied upon as validated by Amazon's QSA?

Please feel free to post other cloud compliant service providers, additional questions and comments to the above queries.

I hope everyone can benefit from a professional exchange of information, opinions and tips.


Martin


Comments (3)

Lennart
Said this on 5-12-2011 At 09:42 am

Have you heard of anyone becoming compliant on AWS yet?

I myself am looking at using VPC to host the payment instance of our platform in order to become compliant more easily by segregating that part and hosting it alone in AWS.

Just wondering if this will actually stick during an audit; we are small enough to become self compliant, so I'm uneasy about picking this solution in case it would fall through when it really matters.

Said this on 7-31-2011 At 03:51 am

Articles like this make life so much simpler.

Said this on 9-7-2011 At 01:42 pm

If you want to get read, this is how you should write.
