by whouweling 4479 days ago
I wonder: is EC2 secure enough for this type of credit card store? What if the management layer running the underlying hosts is vulnerable or a XEN zero-day vulnerability shows up?

I'm sure Amazon does a lot on securing its infrastructure, but for credit card data wouldn't a physical, fenced off server be more secure?

1 comment

I suppose it comes down to the amount of investment available. Amazon can pour resources into security, monitoring and have a large staff actively keeping an eye on such things. They're signed off for PCI compliance Level 1[0] (Any service provider that stores, processes and/or transmits over 300,000 transactions annually) which helps isolate you from a lot of costs around getting your dedicated hardware audited yourself.

It's also worth noting that Amazon.com itself is hosted off AWS (since ~2010), though I'm struggling to find a good cite for that.

[0] http://aws.amazon.com/compliance/pci-dss-level-1-faqs/

[1] http://www.dummies.com/how-to/content/amazoncom-runs-on-amaz...