But but but but.....
What the fudge is source code used in a payment system doing on S3 in the first place? Thats even more stupid than committing your AWS keys to GitHub.
There should be a line in the PCI DSS spec that says using S3 for source code is an automatic certification withdrawal offence.