PCI DSS and Cloud: AWS, GCP, and Azure

Cloud infrastructure is now the default deployment environment for Indonesian fintech and payment platforms. AWS, GCP, and Azure have each invested heavily in PCI DSS-compliant infrastructure offerings. But cloud does not reduce PCI DSS obligations — it redistributes them. The shared responsibility model determines which controls the cloud provider manages and which the organization must implement itself. Misunderstanding this model is the primary source of PCI DSS compliance gaps in cloud-deployed CDEs.

The Shared Responsibility Model for PCI DSS

Under the cloud shared responsibility model, the cloud provider secures the physical infrastructure (data centers, hardware, networking, hypervisor), while the customer secures the workloads, data, identity, and configuration running on top of that infrastructure. For PCI DSS:

Control Layer | Cloud Provider Responsibility | Customer Responsibility | PCI DSS Requirement
--- | --- | --- | ---
Physical security | Data center physical access controls, environmental security | Confirm provider's physical security (via AoC review) | Req 9 (physical)
Hardware / hypervisor | Server hardware security, hypervisor isolation between tenants | No action required — provider manages | Inherited from provider
Network infrastructure | Underlying physical network security | VPC/VNet configuration, security groups, firewall rules | Req 1
Compute OS patching | Provider patches the hypervisor; NOT the guest OS | Patch the operating systems running on cloud instances | Req 6
Identity and access | Provider secures its own console access | Customer manages IAM roles, users, policies, MFA | Req 7, 8
Data encryption | Provider offers encryption services (KMS, CloudHSM) | Customer configures and manages encryption of CHD | Req 3
Logging | Provider generates and makes available platform logs (CloudTrail, etc.) | Customer enables, collects, retains, and reviews logs | Req 10
Compliance evidence | Provider supplies compliance artifacts (AoC, penetration test abstracts) | Customer must produce evidence of customer-side controls | All requirements

KEY IDEA: A cloud provider's PCI DSS AoC covers only the infrastructure layer — not the workloads running on it. An AWS AoC that covers EC2, RDS, and S3 does not mean that an application running on those services is PCI DSS compliant. The customer must separately demonstrate compliance with all PCI DSS requirements applicable to their workloads, configurations, and data — using the cloud infrastructure as the foundation, not the certification.

AWS PCI DSS-Compliant Services and Implementation

AWS PCI DSS Scope

AWS maintains a list of PCI DSS-in-scope services (currently 90+ services). Key services for Indonesian payment platforms: EC2 (compute), RDS (managed databases), S3 (storage, with S3 Object Lock for log retention), VPC (networking), CloudTrail (audit logging), CloudWatch (monitoring), AWS KMS (key management), AWS CloudHSM (hardware key management), Lambda (serverless), EKS (Kubernetes), AWS WAF, and IAM.

AWS Control Inheritance

When deploying a CDE on AWS, organizations inherit physical security, network layer security, and hypervisor security controls. Organizations must implement: VPC configuration with CDE isolation, security groups with CDE-specific rules, CloudTrail enabled for all regions and management events, KMS or CloudHSM for key management, IAM with MFA enforced for all CDE access, and RDS encryption at rest with customer-managed KMS keys.

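The customer-side AWS controls listed above can be checked mechanically. The following is an added example, not code from the original article: it runs four checks (CloudTrail covering all regions and management events, RDS encryption under a customer-managed KMS key, MFA on every console user, and CDE security groups with no internet-open ingress) over constructed snapshots shaped like the corresponding boto3 responses. The account id, trail and instance names, and the `pci-scope` tag are assumptions; in a real assessment the snapshots would come from `describe_trails`, `get_event_selectors`, `describe_key`, `describe_db_instances`, the IAM credential report and `describe_security_groups`.

```python
"""Customer-side checks for an AWS-hosted CDE over constructed snapshots shaped
like the boto3 responses the data would come from (no AWS calls are made)."""

# Constructed sample data; account 111122223333 is a placeholder.
TRAILS = [  # cloudtrail.describe_trails merged with get_event_selectors
    {"Name": "cde-trail", "IsMultiRegionTrail": True, "LogFileValidationEnabled": True,
     "EventSelectors": [{"IncludeManagementEvents": True, "ReadWriteType": "All"}]},
    {"Name": "legacy-trail", "IsMultiRegionTrail": False, "LogFileValidationEnabled": False,
     "EventSelectors": [{"IncludeManagementEvents": False, "ReadWriteType": "WriteOnly"}]},
]
KMS_KEYS = {  # key ARN -> KeyManager, as kms.describe_key reports it
    "arn:aws:kms:ap-southeast-3:111122223333:key/cmk-cde": "CUSTOMER",
    "arn:aws:kms:ap-southeast-3:111122223333:key/aws-rds": "AWS",
}
DB_INSTANCES = [  # rds.describe_db_instances
    {"DBInstanceIdentifier": "cde-db", "StorageEncrypted": True,
     "KmsKeyId": "arn:aws:kms:ap-southeast-3:111122223333:key/cmk-cde"},
    {"DBInstanceIdentifier": "cde-replica", "StorageEncrypted": True,
     "KmsKeyId": "arn:aws:kms:ap-southeast-3:111122223333:key/aws-rds"},
    {"DBInstanceIdentifier": "staging-db", "StorageEncrypted": False},
]
IAM_USERS = [  # rows of the IAM credential report
    {"user": "alice", "password_enabled": True, "mfa_active": True},
    {"user": "bob", "password_enabled": True, "mfa_active": False},
    {"user": "svc-deploy", "password_enabled": False, "mfa_active": False},
]
SECURITY_GROUPS = [  # ec2.describe_security_groups; the pci-scope tag is our convention
    {"GroupId": "sg-cde-app", "Tags": [{"Key": "pci-scope", "Value": "cde"}],
     "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
                        "IpRanges": [{"CidrIp": "10.20.0.0/16"}]}]},
    {"GroupId": "sg-cde-db", "Tags": [{"Key": "pci-scope", "Value": "cde"}],
     "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
                        "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
    {"GroupId": "sg-public-web", "Tags": [],  # not CDE: open 443 is not a CDE finding
     "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
                        "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
]

def check_cloudtrail(trails):
    """Req 10: some trail must cover all regions and all management events
    (read and write) with log file validation enabled."""
    findings, compliant = [], False
    for t in trails:
        gaps = []
        if not t.get("IsMultiRegionTrail"):
            gaps.append("not multi-region")
        if not t.get("LogFileValidationEnabled"):
            gaps.append("log file validation disabled")
        if not any(s.get("IncludeManagementEvents") and s.get("ReadWriteType") == "All"
                   for s in t.get("EventSelectors", [])):
            gaps.append("management events (read and write) not recorded")
        findings.extend(f"{t['Name']}: {g}" for g in gaps)
        compliant = compliant or not gaps
    if not compliant:
        findings.append("no trail records all management events in all regions")
    return findings

def check_rds(db_instances, kms_keys):
    """Req 3: CHD at rest is encrypted under a customer-managed KMS key."""
    findings = []
    for db in db_instances:
        name = db["DBInstanceIdentifier"]
        if not db.get("StorageEncrypted"):
            findings.append(f"{name}: storage not encrypted at rest")
        elif kms_keys.get(db.get("KmsKeyId")) != "CUSTOMER":
            findings.append(f"{name}: not encrypted with a customer-managed KMS key")
    return findings

def check_iam_mfa(users):
    """Req 8: every user with console access has MFA."""
    return [f"{u['user']}: console password enabled without MFA"
            for u in users if u["password_enabled"] and not u["mfa_active"]]

def check_security_groups(groups, scope_tag=("pci-scope", "cde")):
    """Req 1: security groups tagged as CDE allow no ingress from anywhere."""
    findings = []
    for g in groups:
        tags = {t["Key"]: t["Value"] for t in g.get("Tags", [])}
        if tags.get(scope_tag[0]) != scope_tag[1]:
            continue  # the rule is applied to CDE-tagged groups only
        for p in g.get("IpPermissions", []):
            if any(r.get("CidrIp") == "0.0.0.0/0" for r in p.get("IpRanges", [])) or \
               any(r.get("CidrIpv6") == "::/0" for r in p.get("Ipv6Ranges", [])):
                findings.append(f"{g['GroupId']}: ingress open to the internet on "
                                f"{p.get('IpProtocol')}/{p.get('FromPort', 'all')}")
    return findings

def run_all():
    """Every finding keyed by check; an empty list means no gap was found."""
    return {"cloudtrail": check_cloudtrail(TRAILS),
            "rds": check_rds(DB_INSTANCES, KMS_KEYS),
            "iam_mfa": check_iam_mfa(IAM_USERS),
            "security_groups": check_security_groups(SECURITY_GROUPS)}
```

Each check returns evidence-ready findings rather than a pass/fail flag, which is what an assessor asks for; on the constructed data the legacy trail, the replica encrypted with the AWS-managed key, the unencrypted staging database, user `bob` and the database security group all surface as gaps, while the open public web group is correctly ignored because it is outside the CDE.
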
Jakarta Region for Indonesian Data Residency

AWS ap-southeast-3 (Jakarta) is available for organizations requiring Indonesian data residency. Under UU PDP (Indonesia's Personal Data Protection Law), processing and storage of certain categories of personal data including payment data may be subject to data residency considerations. Deploying the CDE in AWS Jakarta region satisfies data residency requirements while maintaining PCI DSS-compliant infrastructure.

GCP PCI DSS Implementation

GCP PCI DSS-Compliant Services

GCP's PCI DSS scope includes: Compute Engine, Cloud SQL, Cloud Storage (with Object Retention), Cloud KMS, Cloud HSM, VPC, Cloud Logging, Cloud Monitoring, BigQuery (with column-level encryption), Kubernetes Engine (GKE), and Cloud IAM.

Jakarta Region (asia-southeast2)

GCP's asia-southeast2 region (Jakarta) provides Indonesian data residency for GCP-hosted CDEs. Organizations can configure Organization Policies to restrict resource creation to Indonesian regions, ensuring all CDE data remains within Indonesian jurisdiction. GCP's Cloud HSM in Jakarta provides FIPS 140-2 Level 3 key management locally.

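The two Jakarta-region sections above (AWS ap-southeast-3 and GCP asia-southeast2) describe the same control from two sides: a preventive policy that keeps new CDE resources in the Indonesian region, and an inventory check that proves nothing has leaked out, including by cross-region replication. The following added example, not code from the original article or from either provider, does both over a constructed cross-cloud inventory. The `pci-scope` tag, the resource names, the list of global services, and the SCP exemption list are assumptions; the AWS `aws:RequestedRegion` condition key and the GCP `constraints/gcp.resourceLocations` constraint are the documented mechanisms, but the value-group spelling for GCP should be confirmed against current documentation before use.

```python
"""Data-residency audit for a CDE that must stay in Jakarta, plus the two
policy documents that enforce that boundary preventively. Runs over a
constructed cross-cloud inventory; no provider API calls are made."""
import json

# Regions that satisfy Indonesian data residency, per provider.
JAKARTA = {"aws": {"ap-southeast-3"}, "gcp": {"asia-southeast2"}}
# Services with no regional placement (assumption: tune to your estate).
GLOBAL_SERVICES = {"aws": {"iam", "organizations", "cloudfront", "route53"},
                   "gcp": {"iam", "resourcemanager"}}

# Constructed inventory. "replicates_to" lists destination regions of any
# cross-region replication configured on the resource.
INVENTORY = [
    {"cloud": "aws", "service": "rds", "id": "cde-db", "region": "ap-southeast-3",
     "tags": {"pci-scope": "cde"}},
    {"cloud": "aws", "service": "s3", "id": "cde-audit-logs", "region": "ap-southeast-3",
     "tags": {"pci-scope": "cde"}, "replicates_to": ["ap-southeast-1"]},
    {"cloud": "aws", "service": "iam", "id": "cde-admin-role", "region": "global",
     "tags": {"pci-scope": "cde"}},
    {"cloud": "aws", "service": "ec2", "id": "i-marketing-site", "region": "ap-southeast-1",
     "tags": {"pci-scope": "none"}},
    {"cloud": "gcp", "service": "cloudsql", "id": "cde-sql", "region": "asia-southeast2",
     "tags": {"pci-scope": "cde"}},
    {"cloud": "gcp", "service": "gcs", "id": "cde-backups", "region": "asia",
     "tags": {"pci-scope": "cde"}},
]

def audit_residency(inventory, allowed=JAKARTA, global_services=GLOBAL_SERVICES):
    """One finding per CDE resource (or replica of one) located outside the
    allowed regions. Non-CDE resources and global services are ignored."""
    findings = []
    for r in inventory:
        if r.get("tags", {}).get("pci-scope") != "cde":
            continue
        if r["service"] in global_services.get(r["cloud"], set()):
            continue
        ok = allowed.get(r["cloud"], set())
        if r["region"] not in ok:  # a multi-region location such as "asia" fails too
            findings.append(f"{r['cloud']}/{r['id']}: located in {r['region']}")
        for dest in r.get("replicates_to", []):
            if dest not in ok:
                findings.append(f"{r['cloud']}/{r['id']}: replicates to {dest}")
    return findings

def aws_region_scp(allowed_regions=("ap-southeast-3",),
                   exempt=("iam:*", "sts:*", "organizations:*", "support:*")):
    """Organizations SCP denying every non-exempt action requested outside the
    allowed regions, keyed on aws:RequestedRegion. The exempt list is an
    assumption and must match the global services the account relies on."""
    return {"Version": "2012-10-17", "Statement": [{
        "Sid": "DenyOutsideJakarta", "Effect": "Deny",
        "NotAction": list(exempt), "Resource": "*",
        "Condition": {"StringNotEquals": {"aws:RequestedRegion": list(allowed_regions)}},
    }]}

def gcp_resource_locations_policy(regions=("asia-southeast2",)):
    """Organization Policy for constraints/gcp.resourceLocations limiting new
    resources to the given regions (value-group spelling is an assumption)."""
    return {"constraint": "constraints/gcp.resourceLocations",
            "listPolicy": {"allowedValues": [f"in:{r}-locations" for r in regions]}}

if __name__ == "__main__":
    for f in audit_residency(INVENTORY):
        print("RESIDENCY GAP:", f)
    print(json.dumps(aws_region_scp(), indent=2))
    print(json.dumps(gcp_resource_locations_policy(), indent=2))
```

On the constructed inventory the audit flags the log bucket that replicates to Singapore and the backup bucket placed in the "asia" multi-region, while the IAM role (global) and the non-CDE marketing instance are left alone; the SCP and Organization Policy are what stop the next such resource being created in the first place.
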
Azure PCI DSS Implementation

Azure's PCI DSS-compliant services include: Virtual Machines, Azure SQL, Azure Storage (with Immutable Blob Storage for logs), Azure Key Vault, Azure Dedicated HSM, Virtual Networks, Azure Monitor, Microsoft Sentinel, and Azure Kubernetes Service (AKS). Microsoft Sentinel's built-in PCI DSS workbook provides pre-configured detection rules and compliance dashboards.

Multi-Cloud CDE Architecture Considerations

Indonesian payment platforms increasingly use multiple cloud providers — primary workloads on one cloud with disaster recovery or specific services on another. Multi-cloud PCI DSS compliance requires: consistent security controls across all cloud environments, unified identity management (not separate IAM silos), centralized logging aggregation from all cloud providers, and consistent network segmentation enforcement.

IMPORTANT: Multi-cloud CDE architectures must be carefully scoped. If the DR environment in Cloud B can potentially access the production CDE in Cloud A (through replication, shared accounts, or network connectivity), Cloud B's environment is also in scope for PCI DSS. Ensure the DR environment is either isolated from the primary CDE (separate scope) or fully integrated into the compliance program (same scope).

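The scoping rule in the note above is transitive: an environment reached from the CDE through replication, a shared account, or network connectivity is in scope, and so is anything that environment in turn connects to, unless a validated segmentation control breaks the link. The following added example, not code from the original article, computes that closure over a constructed map of environments across three clouds. The environment names, link kinds, and the `segmented` flag (meaning a tested control that blocks access across that link) are assumptions.

```python
"""Transitive PCI DSS scope analysis across cloud environments: anything that
can reach the CDE through replication, shared accounts or network connectivity
is in scope unless the link carries a validated segmentation control.
Runs over a constructed environment map."""
from collections import deque

# Constructed environments; "cde" marks where CHD is stored or processed.
ENVIRONMENTS = {
    "aws-prod-cde":  {"cloud": "aws",   "cde": True},
    "aws-prod-app":  {"cloud": "aws",   "cde": False},
    "gcp-dr":        {"cloud": "gcp",   "cde": False},
    "gcp-analytics": {"cloud": "gcp",   "cde": False},
    "azure-corp-it": {"cloud": "azure", "cde": False},
}

# Constructed links. A link extends scope in both directions unless it is
# "segmented" (a control verified by the segmentation test, e.g. a deny-all
# firewall policy, blocks traffic across it).
LINKS = [
    {"a": "aws-prod-cde", "b": "gcp-dr", "kind": "database replication"},
    {"a": "gcp-dr", "b": "gcp-analytics", "kind": "shared service account"},
    {"a": "aws-prod-app", "b": "aws-prod-cde", "kind": "VPC peering"},
    {"a": "azure-corp-it", "b": "aws-prod-app", "kind": "site-to-site VPN",
     "segmented": True},
]

def scope(environments, links):
    """Return {environment: reason} for every in-scope environment. Seeds are
    the CDE environments; BFS follows unsegmented links in either direction."""
    neighbours = {name: [] for name in environments}
    for link in links:
        if link.get("segmented"):
            continue
        neighbours.setdefault(link["a"], []).append((link["b"], link["kind"]))
        neighbours.setdefault(link["b"], []).append((link["a"], link["kind"]))
    in_scope = {n: "stores or processes CHD" for n, e in environments.items() if e["cde"]}
    queue = deque(in_scope)
    while queue:
        here = queue.popleft()
        for there, kind in neighbours.get(here, []):
            if there not in in_scope:
                in_scope[there] = f"connected to {here} via {kind}"
                queue.append(there)
    return in_scope

def clouds_in_scope(environments, links):
    """Which providers' environments must be covered by the compliance program."""
    return {environments[n]["cloud"] for n in scope(environments, links)}

if __name__ == "__main__":
    result = scope(ENVIRONMENTS, LINKS)
    for env, why in result.items():
        print(f"IN SCOPE  {env:<14} {why}")
    for env in sorted(set(ENVIRONMENTS) - set(result)):
        print(f"OUT       {env:<14} isolated by a validated segmentation control")
```

With the constructed links, the GCP DR environment is pulled into scope by replication and the analytics project follows it through the shared service account, so both AWS and GCP are in the compliance program; the Azure corporate network stays out only because the VPN link is marked as segmented, and clearing that flag brings it in, which is exactly the decision the note asks you to make deliberately.
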
Indonesian fintech companies building cloud-native payment platforms on AWS with the Jakarta region consistently achieve the cleanest PCI DSS scope definitions we see in our assessment practice. The combination of dedicated VPC for the CDE, Security Hub with the PCI DSS standard enabled, CloudTrail for audit logging, and AWS CloudHSM for key management provides a strong compliance foundation. The remaining work is almost entirely in governance (policies, procedures, evidence management) rather than technical controls.