
If your company processes credit or debit card transactions, you are probably already familiar with the Payment Card Industry Data Security Standard (PCI DSS). Compliance with its requirements is a condition of continuing to accept cards from the major card brands.
Some companies choose to run their card processing in the cloud, on platforms such as Amazon Web Services (AWS). A cloud-based cardholder data environment (CDE) has a number of benefits, and it can be more secure than an on-premises one, but cloud security is a shared responsibility. Under AWS's shared responsibility model, AWS is responsible for security "of" the cloud (the facilities, hardware, network, hypervisor, and the managed services themselves), while you are responsible for security "in" the cloud: operating system patching, network and firewall configuration, identity and access management, and the encryption and handling of cardholder data.
A public cloud platform typically secures the platform itself, not the data and configuration you place on it. If you use AWS or another cloud environment to process card transactions, you need to understand the PCI DSS requirements and exactly which of them remain yours to meet.
What Is PCI-DSS?
PCI DSS was created by the major card brands in 2004 to protect cardholder data. It is maintained by the Payment Card Industry Security Standards Council (PCI SSC), which the brands formed in 2006. By holding every entity that stores, processes, or transmits cardholder data to the same standard, the council aims to give consumers consistent protection regardless of the size or location of the companies they buy from.
How you validate compliance depends on the number of card transactions you handle each year. The card brands sort merchants into four levels; Level 1 merchants have the highest transaction volume and Level 4 the lowest. The security requirements are the same at every level; what differs is the validation. Level 1 merchants need an annual on-site assessment by a Qualified Security Assessor (QSA), resulting in a Report on Compliance, while most companies fall into the lower levels and validate with a self-assessment questionnaire (SAQ) plus, where their SAQ requires it, quarterly external vulnerability scans by an Approved Scanning Vendor.
What Are the Requirements for PCI-DSS Compliance?
Broadly speaking, there are 12 main PCI requirements:
- Install and maintain a firewall configuration to protect cardholder data.
- Do not use vendor-supplied defaults for system passwords and other security parameters.
- Protect stored cardholder data.
- Encrypt transmission of cardholder data across open, public networks.
- Protect all systems against malware and keep anti-virus software up to date.
- Develop and maintain secure systems and applications.
- Restrict access to cardholder data by business need to know.
- Identify and authenticate access to system components; every user gets a unique ID.
- Restrict physical access to cardholder data.
- Track and monitor all access to network resources and cardholder data.
- Regularly test security systems and processes.
- Maintain a policy that addresses information security for all personnel.
These requirements are further divided into 281 sub-requirements, and which of them apply to you depends on how your cards are processed and which SAQ you qualify for. A merchant whose e-commerce stack runs in an AWS account faces a different set of requirements than, say, a brick-and-mortar store that only takes cards in person.
Why Do Service Providers Require PCI Compliance?
The PCI DSS Cloud Computing Guidelines define “cloud service provider” (CSP) as “the entity providing the cloud service. It acquires and manages the infrastructure required for providing the services, runs the cloud software that provides the services, and delivers the cloud services through network access.”
PCI DSS treats a cloud provider whose environment is used to process, store, or transmit payment card data as a third-party service provider: the provider must either be validated as PCI DSS compliant or be covered by your own assessment. The standard also holds you, the merchant using the platform, responsible for monitoring the provider's compliance status (Requirement 12.8) and for documenting which PCI DSS requirements you meet, which the provider meets, and which fall to other third parties such as payment gateways.
Using the deployment models defined by the National Institute of Standards and Technology (NIST) in SP 800-145, the guidelines describe four kinds of cloud, all of which must be PCI DSS compliant if they are used for cardholder data:
- Public cloud. Infrastructure provisioned for open use by the general public and owned and operated by the CSP. Tenants share the underlying hardware, so isolation between customers is the provider's job and a key question to ask about.
- Private cloud. Infrastructure provisioned for the exclusive use of a single organization. It may be owned and managed by that organization, a third party, or both, and it may be on or off premises.
- Community cloud. Infrastructure provisioned for exclusive use by a specific community of organizations with shared concerns, such as common compliance requirements. It may be owned and managed by one or more members of the community, a third party, or both.
- Hybrid cloud. A composition of two or more distinct clouds (private, community, or public) that remain separate entities but are bound together by technology that allows data and applications to move between them.
Before using cloud services to process sales transactions, the PCI guidelines state that you should perform the following tasks:
- Understand your risk and security requirements.
- Choose a deployment model that aligns with your and your industry’s security and risk requirements.
- Evaluate different service options.
- Know what you want from your provider.
- Compare providers and service offerings.
- Ask questions of the provider and verify the responses, including:
  - What does each service consist of, and how is the service delivered?
  - What do the service providers do for security maintenance, PCI DSS compliance, segmentation, and assurance; and for what are you responsible?
  - How will the CSP provide ongoing evidence that security controls continue to be in place and are kept up to date?
  - What will the provider commit to in writing?
  - Are other parties involved in the service delivery, security, or support?
- Document everything with your provider in written agreements – for example, Service Level Agreements (SLAs)/Terms of Service contracts.
- Request written assurances that security controls will be in place, and conduct periodic verification (such as compliance reports) that controls continue to be maintained.
- Review the service and written agreements periodically to identify whether anything has changed.
What Is AWS PCI Compliance?
AWS provides a strong security baseline, but it cannot compensate for a customer that skips due diligence. AWS supplies the building blocks; configuring them correctly falls to you. For example, you remain responsible for encrypting cardholder data at rest and in transit, minimizing the cardholder data you send to and keep in AWS, documenting your compliance strategy, implementing role-based access control through IAM, and enforcing multi-factor authentication.
Although some risk can be transferred to a service provider, ultimate responsibility for information security rests with the organization that hires the vendor.
How does the Amazon Virtual Private Cloud (VPC) help protect data?
An Amazon VPC is a logically isolated virtual network inside AWS. A merchant can place the systems that store or process cardholder data in their own VPC (or in dedicated subnets) and use security groups, network ACLs, and route tables to control exactly what can reach them. That is the basis for PCI DSS network segmentation.
Segmentation keeps threats elsewhere in the IT environment away from cardholder data and, just as importantly, shrinks the part of the environment that is in scope for the assessment.
Imagine information as a jewelry collection. Costume jewelry may need no real protection and be left in public areas of a home. Sterling silver jewelry requires additional protection due to its value and may be stored in a private room. Gold jewelry requires an additional layer of protection based on its importance and may be hidden in a locked box within a private room. Finally, precious stones like diamonds may be removed from the home entirely, segmented into a private deposit box at a bank.
Segmenting your IT environment works the same way. Isolating cardholder data, the most sensitive data you hold, in its own segment with its own controls keeps it safer and limits PCI DSS scope to that segment.
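Whether a VPC segment is actually isolated comes down to the rules on its security groups. The following is an added example, not code from the original article or from AWS: a small audit that reads security groups in the JSON shape produced by `aws ec2 describe-security-groups` and flags ingress rules that break the segment boundary. The sample data, the group IDs, and the severity policy (world-open or all-traffic rules are high, CIDR sources are medium, security-group sources are the accepted form) are all assumptions made for the demonstration.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/netip"
)

// These structs mirror only the fields of `aws ec2 describe-security-groups`
// output that the audit needs; encoding/json ignores the rest.
type ipRange struct {
	CidrIP string `json:"CidrIp"`
}
type ipv6Range struct {
	CidrIPv6 string `json:"CidrIpv6"`
}
type groupPair struct {
	GroupID string `json:"GroupId"`
}
type permission struct {
	IPProtocol       string      `json:"IpProtocol"`
	FromPort         int         `json:"FromPort"`
	ToPort           int         `json:"ToPort"`
	IPRanges         []ipRange   `json:"IpRanges"`
	IPv6Ranges       []ipv6Range `json:"Ipv6Ranges"`
	UserIDGroupPairs []groupPair `json:"UserIdGroupPairs"`
}
type securityGroup struct {
	GroupID       string       `json:"GroupId"`
	GroupName     string       `json:"GroupName"`
	IPPermissions []permission `json:"IpPermissions"`
}
type describeOutput struct {
	SecurityGroups []securityGroup `json:"SecurityGroups"`
}

// Finding is one rule that weakens the CDE boundary.
type Finding struct {
	GroupID  string
	Severity string
	Detail   string
}

// isWorld reports whether a CIDR admits every address (0.0.0.0/0 or ::/0).
func isWorld(cidr string) bool {
	p, err := netip.ParsePrefix(cidr)
	return err == nil && p.Bits() == 0
}

// AuditGroups applies the (assumed) segmentation policy to every ingress rule.
// Sources that are other security groups are the segmented form and raise
// nothing; the boundary then follows the instances rather than an IP range.
func AuditGroups(data []byte) ([]Finding, error) {
	var out describeOutput
	if err := json.Unmarshal(data, &out); err != nil {
		return nil, err
	}
	var findings []Finding
	for _, g := range out.SecurityGroups {
		for _, p := range g.IPPermissions {
			ports := fmt.Sprintf("%s %d-%d", p.IPProtocol, p.FromPort, p.ToPort)
			if p.IPProtocol == "-1" { // AWS encodes "all traffic" as protocol -1
				findings = append(findings, Finding{g.GroupID, "high", "ingress rule allows all protocols and ports"})
				ports = "all traffic"
			}
			var cidrs []string
			for _, r := range p.IPRanges {
				cidrs = append(cidrs, r.CidrIP)
			}
			for _, r := range p.IPv6Ranges {
				cidrs = append(cidrs, r.CidrIPv6)
			}
			for _, c := range cidrs {
				if isWorld(c) {
					findings = append(findings, Finding{g.GroupID, "high", ports + " reachable from anywhere (" + c + ")"})
				} else {
					findings = append(findings, Finding{g.GroupID, "medium", ports + " allowed from CIDR " + c + "; prefer a security-group source"})
				}
			}
		}
	}
	return findings, nil
}

// SampleDescribeOutput is constructed sample data: one badly configured CDE
// database group and one that only admits traffic from the app tier's group.
const SampleDescribeOutput = `{
  "SecurityGroups": [
    {"GroupId": "sg-0cde0000000000001", "GroupName": "cde-db-open",
     "IpPermissions": [
       {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
        "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [], "UserIdGroupPairs": []},
       {"IpProtocol": "-1",
        "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}], "UserIdGroupPairs": []},
       {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
        "IpRanges": [{"CidrIp": "203.0.113.0/24"}], "Ipv6Ranges": [], "UserIdGroupPairs": []}]},
    {"GroupId": "sg-0cde0000000000002", "GroupName": "cde-db-segmented",
     "IpPermissions": [
       {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
        "IpRanges": [], "Ipv6Ranges": [],
        "UserIdGroupPairs": [{"GroupId": "sg-0cde00000000000a0"}]}]}
  ]
}`

func main() {
	findings, err := AuditGroups([]byte(SampleDescribeOutput))
	if err != nil {
		panic(err)
	}
	for _, f := range findings {
		fmt.Printf("%-22s %-6s %s\n", f.GroupID, f.Severity, f.Detail)
	}
}
```

Run against real output by piping `aws ec2 describe-security-groups --filters Name=vpc-id,Values=<cde-vpc>` into the program instead of the embedded sample; the segmented group produces no findings, which is the state an assessor expects for the database tier of a CDE.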
How is cardholder data protected in transit?
Segmentation is only part of the picture. Cardholder data also needs protection while it moves between systems, and those protections add their own overhead.
The first layer is Transport Layer Security (TLS), the successor to SSL. When a browser connects to your site, the two sides perform a TLS handshake: the server presents its certificate, the browser checks that a trusted certificate authority issued it for that hostname, the two sides agree on a protocol version and cipher suite and derive session keys, and only then is application data, including card numbers, sent encrypted. The certificate check is what lets a visitor tell your real site from an impostor; the encryption is what satisfies PCI DSS Requirement 4. Note that SSL (every version) and early TLS (TLS 1.0) have been prohibited since 30 June 2018, and TLS 1.1 has since been deprecated by browsers and NIST, so in practice your servers and load balancers should accept TLS 1.2 or later only.
Another way to describe it: imagine a school homework assignment where the answers to math problems map to letters, and those letters decode a sentence. A TLS handshake ends the same way. Each side computes a check value over everything said so far and sends it encrypted under the new keys; if the other side's copy decrypts and matches, both know they negotiated with the right party and that nothing in the exchange was tampered with.
That said, the handshake costs extra round trips before any data flows (two in TLS 1.2, one in TLS 1.3), and the server's key operations are comparatively expensive. That can slow down transactions, and slower transactions often mean unhappy customers.
How does elastic load balancing (ELB) help?
Elastic Load Balancing (ELB) spreads incoming requests across a pool of servers so that no single server becomes the bottleneck.
To reuse the worksheet example from above, assume a message of 100 letters. One person decoding all 100 might take an hour; two people cut that to half an hour; four people finish in 15 minutes. The more people decoding, the less time it takes.
A load balancer in your VPC works similarly for TLS. An Application or Network Load Balancer can terminate TLS itself, using a certificate from AWS Certificate Manager and a predefined security policy that restricts the protocol versions and cipher suites it accepts, so the handshake cost is spread across the load balancer fleet instead of landing on each instance. For a CDE, the usual pattern is to re-encrypt from the load balancer to the backends (or pass TLS through untouched) so that cardholder data is never in the clear on the network behind it.
What Is PCI compliance in AWS?
AWS is a collection of services that customers assemble to fit their needs. Amazon Elastic Compute Cloud (Amazon EC2) provides virtual servers running the operating system of the customer's choice, and every AWS service is driven through application programming interfaces (APIs), so an organization can build and automate an environment that matches its specific requirements.
To make this easier, Amazon EC2 uses the Amazon Machine Image (AMI), a template that captures an operating system together with the software and configuration you bake into it. Building a hardened AMI once, with default accounts removed, unneeded services disabled, and patches applied, is a practical way to meet Requirements 2 and 6 consistently across the CDE.
From an AMI you launch instances, virtual servers that run your workload, such as the web tier behind a shopping cart. Any instance that stores, processes, or transmits cardholder data, or that can reach one that does, is in scope for PCI DSS.
One AMI can back many instances running at once, so every server in the CDE starts from the same known-good configuration while you scale to match business needs.
Is AWS PCI DSS Compliant?
Yes, as a service provider. AWS is assessed as a PCI DSS Level 1 service provider; its "Services in Scope" page lists the services that a qualified security assessor (QSA) has covered, and the Attestation of Compliance (AOC) is available to customers through AWS Artifact.
At the time of writing, more than 120 AWS services are listed as PCI DSS compliant. Remember, however, that using an in-scope service does not make your workload compliant. AWS's attestation covers the services themselves, not how you configure or use them; everything on your side of the shared responsibility model still has to be assessed.
Manage PCI Compliance With ZenGRC
PCI DSS compliance can be a daunting task. Defining the appropriate controls and documenting that they operate is challenging, especially if you are still tracking your risk management efforts in spreadsheets and email. To provide the best security for your customers, you need a risk management solution designed to organize and streamline the compliance process.
ZenGRC is software that automates and integrates your compliance work, making it easy to track risk across your entire organization. It also provides transparency for your staff, board members, and auditors so that everyone stays on the same page.
Schedule a demo today to learn how ZenGRC can help your company achieve PCI compliance.