What is AWS PCI Compliance?

A Definition of AWS PCI Compliance, Benefits, Requirements, and More

If your organization processes credit or debit card payments, PCI compliance is essential. If you are a merchant of any size accepting credit cards, you must be in compliance with PCI Security Standards. In this post, I’m going to walk you through what you need to know about AWS PCI compliance to ensure compliance in the cloud.

What are the Benefits of AWS PCI Compliance?

AWS PCI compliance refers to Amazon Web Services (AWS) infrastructure and services that have been validated against the Payment Card Industry (PCI) standards. PCI applies to all companies that process, transmit, or store cardholder (or other sensitive) data, whether they are service providers, merchants, processors, or issuers.

Because AWS is PCI DSS compliant, any organization that uses AWS products and services to process, transmit, or store cardholder data may rely on the AWS technology infrastructure when acquiring and maintaining its own PCI certification.

What are the PCI DSS Requirements?

The primary twelve requirements for PCI DSS can be broadly classified under these six areas:

  1. Construct and Maintain a Secure Network: This entails using a firewall to protect cardholder data and not relying on vendor-supplied defaults for passwords and other security settings.
  2. Protect Cardholder Data: Sensitive data is protected by encrypting it whenever it is transmitted across public networks.
  3. Maintain a Vulnerability Management Program: Vulnerability of the data network is reduced by installing antivirus software or programs to protect all systems against malware.
  4. Implement Strong Access Control Measures: Access control is implemented by restricting access to cardholder data and by incorporating identity authentication before access to system components.
  5. Monitor and Test Networks Regularly: Access must be tracked and monitored on all network resources, and regular security system checks must be conducted.
  6. Maintain an Information Security Policy: A reference policy must document the steps and procedures that need to be followed by all personnel handling secure data.

How Do Companies Comply With PCI DSS?

Different companies take different approaches to obtaining and renewing their PCI DSS compliance each year. The Self-Assessment Questionnaire (SAQ) is designed as a self-validation tool for assessing the security of cardholder data and is best suited to small merchants and service providers. Companies with a larger transaction volume typically appoint an external Qualified Security Assessor (QSA) to assess their systems and then produce a Report on Compliance (ROC) and an Attestation of Compliance (AOC).

Which AWS Services are PCI DSS Compliant?

AWS offers PCI DSS compliant services, which gives organizations more service options, functionality, and flexibility to store and process sensitive cardholder data. These services are audited by Coalfire, providing companies with securely monitored and up-to-date testing. A complete list of the AWS PCI DSS compliant services is available here.

How Does AWS Work?

AWS is a PCI-compliant Level 1 Service Provider. Companies can therefore build on AWS, but under a shared responsibility model: AWS is responsible for the compliance of its infrastructure, and customers remain responsible for the compliance of what they deploy on it. Because AWS is a PCI-compliant service provider, organizations using AWS do not need to assess the AWS infrastructure themselves. An assessor can validate the compliance of that infrastructure simply by reviewing AWS’s Attestation of Compliance (AOC) and Responsibility Matrix documents.

AWS offers various compliance aids, including the following:

Compliance Enablers

  • Amazon GuardDuty: This is a managed threat detection service that detects, monitors, and reports malicious or unauthorized activity, including possible account compromise. It has no upfront cost; customers pay only for the events that GuardDuty analyzes.
  • AWS Artifact: AWS Artifact is an audit and compliance portal that provides access to AWS compliance reports such as Service Organization Control (SOC) reports, PCI reports, and other certifications from accredited bodies. It also provides access to agreements such as the Business Associate Addendum (BAA) and the Non-Disclosure Agreement (NDA).
  • Amazon Inspector: Amazon Inspector operates on a set of knowledge-based rules mapped to vulnerability definitions and security best practices. It is an automated service that runs against applications deployed on AWS and detects whether they are exposed to a security breach. Amazon Inspector then produces a report listing the security findings, prioritized by severity.

Compliance Workbook

The Compliance Workbook details the AWS service techniques and methodologies for effectively deploying PCI compliance capabilities. It provides three sample reference architectures that describe the most commonly used PCI-compliant environments:

  • Dedicated: An architecture that is independent (i.e., not connected to anything else)
  • Segmented: An AWS architecture that uses Card Data Environment (CDE) and other in-scope systems
  • Connected: An environment that integrates on-premises items with AWS

Compliance Programs

Featured compliance services offered by AWS include a series of Quick Starts. The PCI Standardized Architecture on the AWS Cloud is one such Quick Start and the second in a set of AWS Compliance offerings. This Quick Start outlines how to deploy an environment that helps companies work toward PCI DSS compliance with ease. It includes AWS CloudFormation templates that configure the environment, automate the deployment, and provide security controls, along with step-by-step instruction guides.

Final Words . . .

Organizations need layered defenses — they cannot rely solely on AWS for security. While AWS is PCI-compliant, that doesn’t negate the need for companies to take their own security measures to protect sensitive data. However, a PCI-compliant cloud is an essential foundation for ensuring compliance.

If you’re interested in learning how the Threat Stack Cloud Security Platform® can strengthen your organization’s security posture and help you meet PCI requirements as well as those of other regulatory frameworks, contact us for a demo.