EC2 is a service provided by Amazon where you can rent cloud servers (virtual servers) at relatively low cost. They have now clearly stated in an email exchange that you can set up these servers to become PCI compliant. This confirms my research on this topic - and is good news if you have to set up a PCI compliant environment. You can NOT become PCI "Level 1" compliant on EC2 servers - but that is only required for merchants who do more than 6 million transactions per year. While we probably all wish that was us, the reality is different, and only very few companies have to meet Level 1 compliance. For the rest of us, this means we can become PCI compliant on EC2 servers at very low cost. If you don't know what EC2 is, Google will answer this for you. The email exchange is here: [developer.amazonwebservices.com...] It clearly states Level 1 is out, because they won't let anyone visit their database centres - but Level 2 and below are OK. Their data centre and virtual servers meet all PCI requirements, and you can set up all your servers and firewalls to meet PCI requirements as per PCI questionnaires. However, you still have to set up your servers and logging and intrusion control and so on to meet PCI regulations, of course. Nevertheless, if you need PCI, this is another option you can look at. If you use the open source solutions OSSEC and Snort (ask Google) for logging and intrusion control, PCI compliance doesn't have to be hugely expensive.
Will this affect the "ecommerce friendliness" of EC2 as it relates to SSL? We had looked at EC2 last year but backed away because of problems with SSL - if I recall, we needed to have a separate SSL for each virtual server - we operate lots of sites, so it didn't work... (They did have a UCC SSL option, but it only works with Windows...)