Should we operate a separate data environment with special access to production resources?

Yes, we recommend provisioning an additional AWS account for data processing and analytics.

Question

Should we consider operating a separate data environment that is granted special access to production resources?

Answer

Yes, we recommend provisioning an additional AWS account for data processing and analytics. Ideally, some kind of ETL process scrubs the data before shipping it to an environment outside the cardholder data environment (CDE).
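One way the scrub step of such an ETL job could look, as an added example that is not part of the original answer: it drops cardholder fields outright and redacts Luhn-valid card numbers that leaked into free-text columns. The field names, the redaction marker and the sample rows are assumptions made for illustration.

```python
import re

# Field names are assumptions for this example; map them to your own schema.
DROP_FIELDS = {"pan", "card_number", "cvv", "track_data", "expiry"}

# Candidate PANs: 13-19 digits, optionally separated by single spaces or hyphens.
PAN_CANDIDATE = re.compile(r"(?<!\d)\d(?:[ -]?\d){12,18}(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * (2 if i % 2 else 1)  # double every second digit from the right
        total += d - 9 if d > 9 else d
    return total % 10 == 0


def redact_pans(text: str) -> str:
    """Replace Luhn-valid card-number candidates embedded in free text."""
    def _sub(match: re.Match) -> str:
        digits = re.sub(r"[ -]", "", match.group(0))
        # Luhn filtering keeps order numbers and similar long digit runs intact.
        return "[REDACTED-PAN]" if luhn_valid(digits) else match.group(0)
    return PAN_CANDIDATE.sub(_sub, text)


def scrub_record(record: dict) -> dict:
    """Drop cardholder fields and redact PANs found in remaining string values."""
    clean = {}
    for key, value in record.items():
        if key.lower() in DROP_FIELDS:
            continue  # never ship these columns out of the CDE
        clean[key] = redact_pans(value) if isinstance(value, str) else value
    return clean


# Constructed sample rows (4111 1111 1111 1111 is a widely used test number).
SAMPLE = [
    {"order_id": "A-1001", "amount": 42.5, "pan": "4111111111111111", "cvv": "123",
     "note": "customer read card 4111 1111 1111 1111 over phone"},
    {"order_id": "A-1002", "amount": 10.0, "note": "tracking no 1234567890123456"},
]

if __name__ == "__main__":
    for row in SAMPLE:
        print(scrub_record(row))
```

Running the scrub inside the CDE, before the export, means the analytics account only ever receives the cleaned rows.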