If your company processes credit or debit card transactions you likely are already familiar with the Payment Card Industry Data Security Standard (PCI DSS). Compliance with these requirements is necessary to retain the right to process all the major credit card brands.
Some companies process their transactions in the cloud using providers such as Amazon Web Services (AWS). Using a cloud-based Cardholder Data Environment (CDE) has several benefits, including security. Cloud security is a shared responsibility: a platform such as AWS uses a shared responsibility model for securing customer data, meaning both the provider and the customer are responsible for protecting sensitive data.
A public cloud computing platform typically provides security for the platform only, not for the information stored within it. If you use AWS or another cloud environment to process your credit card transactions, you must understand the PCI DSS requirements and your own responsibilities for protecting customer data.
What Is PCI-DSS?
The major credit card brands created the PCI DSS in 2004 to protect sensitive cardholder data. It is overseen by the Payment Card Industry Security Standards Council (PCI SSC). By holding every entity that processes credit cards to the same standards, the PCI SSC aims to ensure consistent protection for consumers, regardless of the size and location of the companies whose services they use.
How you prove your PCI compliance depends on how many credit card transactions you perform annually. The PCI DSS divides companies into four levels: Level 1 companies have the highest volume of transactions, and Level 4 has the least. Level 1 merchants have more stringent requirements and will need an external audit. Still, most companies will fall into the lower categories and be able to prove their compliance with a Self-Assessment Questionnaire (SAQ).
What Are the Requirements for PCI-DSS Compliance?
Broadly speaking, there are 12 main PCI requirements:
- Use firewalls for data protection.
- Avoid using default passwords and other generic security measures.
- All stored cardholder data must be protected.
- Transmission of cardholder data must be encrypted.
- Antivirus software should be used and updated regularly.
- All systems and applications processing customer data should be secure and properly maintained.
- Cardholder data access should be restricted on a need-to-know basis.
- Each staff member with access to data should have a unique ID.
- Physical access to cardholder data should be banned.
- Access to cardholder data should be tracked and monitored.
- Security systems should be tested regularly.
- Create and maintain appropriate information security policies.
These requirements are divided into 281 sub-directives, which may or may not apply to your organization depending on how your credit cards are processed. A company using an AWS account to process its transactions will be subject to different requirements than a brick-and-mortar store that only processes cards in person.
Why Do Service Providers Require PCI Compliance?
The PCI DSS Cloud Computing Guidelines define “Cloud Service Provider” (CSP) as “the entity providing the cloud service. It acquires and manages the infrastructure required for providing the services, runs the cloud software that provides the services, and delivers the cloud services through network access.”
PCI DSS requires that cloud providers whose environment is used for processing, storing, or transmitting payment card data be PCI DSS compliant. The standard also holds you, the merchant using the platform, responsible for ensuring that the provider properly secures the cardholder data from your account. You also must delineate which PCI DSS requirements are yours to meet, which the provider must meet, and which ones third parties, such as payment gateways, should meet.
Using definitions supplied by the National Institute for Standards and Technology (NIST), the guidelines define four different types of CSP, all of which should be PCI DSS-compliant if they are used for cardholder data:
- Public cloud. In this model, cloud services can be available to anyone; the CSP controls the environment. Public networks have broad boundaries with few restrictions on access.
- Private cloud. One entity uses and controls the environment and its services. The organization or a third party may manage the private cloud, which may be on- or off-premises. Only the entity’s customers have access.
- Community cloud. A group with shared requirements uses the services; one or more members control them. Community clouds limit participation in a group with shared objectives.
- Hybrid cloud. A composite of two or more clouds (private, community, or public) that users can switch through as needed for greater flexibility.
Before using cloud services to process sales transactions, the PCI guidelines state that you should perform the following tasks:
- Understand your risk and security requirements.
- Choose a deployment model that aligns with your and your industry’s security and risk requirements.
- Evaluate different service options.
- Know what you want from your provider.
- Compare providers and service offerings.
- Ask questions of the provider and verify the responses, including:
- What does each service consist of, and how is the service delivered?
- What do the service providers do for security maintenance, PCI DSS compliance, segmentation, and assurance, and for what are you responsible?
- How will the CSP provide ongoing evidence that security controls remain in place and are kept up to date?
- What will the provider commit to in writing?
- Are other parties involved in the service delivery, security, or support?
- Document everything with your provider in written agreements – Service Level Agreements (SLAs)/Terms of Service contracts.
- Request written assurances that security controls will be in place and conduct periodic verification (such as compliance reports) that controls remain maintained.
- Review the service and written agreements periodically to identify whether anything has changed.
What Is AWS PCI Compliance?
Although AWS security is stronger than many alternatives, it remains vulnerable when businesses fail to practice due diligence. AWS makes many security resources available, but certain security responsibilities fall to the customer. For example, the customer is responsible for ensuring data is encrypted, limiting the volume of cardholder data transferred into the AWS cloud, documenting its compliance strategy, implementing role-based access controls, and using multi-factor authentication.
Despite the ability to transfer some risks to the service providers, the ultimate responsibility for information security rests on the organization hiring the vendor.
How Does the Amazon Virtual Private Cloud (VPC) Help Protect Data?
The Amazon VPC acts as a logically isolated segment within the AWS cloud. Virtualization allows a merchant to create a private cardholder storage network, helping meet the PCI DSS segmentation requirement.
Segmentation works to protect cardholder data from information security threats across the entire IT environment.
Imagine information as a jewelry collection. Costume jewelry may need no absolute protection and be left in public areas of a home. Sterling silver jewelry requires additional protection due to its value and may be stored in a private room. Gold jewelry requires an extra layer of security based on its importance and may be hidden in a locked box within a private room. Finally, precious stones like diamonds may be removed from the home entirely and segmented into a private deposit box at a bank.
Segmenting information within your IT environment works similarly. Removing the most precious cardholder data from your environment and securing it helps keep it safe.
How Does the AWS VPC Help Protect Information?
Segmentation not only means securing cardholder data separately; it also means adding further protections. Those protections often involve sending more requests back and forth to the cloud service provider.
The first protection layer is Transport Layer Security (TLS), the successor to the now-deprecated Secure Sockets Layer (SSL). In short, computers talk to one another across the internet. When a browser connects to a website, the server presents its certificate; the browser checks that the certificate was issued by a trusted certificate authority, matches the site's hostname, and has not expired, and only then proceeds. That is how visitors can tell an "official" website from an impostor serving malware or ransomware. This exchange, known as the TLS handshake, also agrees on session keys, after which the two computers "talk" by sending encrypted data back and forth.
Another way to describe it: imagine a school homework assignment where the answers to math problems map to letters, and those letters let you decode a sentence. A TLS handshake works similarly: if the final "sentence" makes sense, both sides hold the right key and the certificate is doing its job.
That said, this security layer involves a lot of data moving back and forth between computers. That can slow down information transmission. Slower transmissions often mean angry customers.
How Does Elastic Load Balancing (ELB) Help?
ELB speeds up networked processes by distributing requests across different servers.
To take the math worksheet example above, assume a worksheet with 100 letters in its message. One person decoding all 100 letters may take an hour. If you distribute that message to two people, you cut down the time by a half-hour. Spreading the work to four people speeds up decoding to 15 minutes. The more people you have decoding the message, the less time it takes.
The AWS ELB works similarly. By spreading requests across multiple servers it speeds up response times, and because the load balancer can terminate TLS and re-encrypt traffic to the back-end instances, it takes on the handshake work while keeping cardholder data encrypted in transit.
What Is PCI Compliance in AWS?
AWS is a cloud service that allows customers to personalize how they use it. The Amazon Elastic Compute Cloud (Amazon EC2) enables customers to create a cloud-based environment based on the operating system of their choice. Using the Application Programming Interfaces (APIs) the customer chooses, an organization can build a personalized set of services meeting its specific needs.
To ease the burden further, Amazon EC2 uses the Amazon Machine Image (AMI), a software configuration template. In other words, the AMI lets you set up a virtual version of your computer.
From the AMI you launch an "instance", a running virtual server holding the set of objects that let you do business. In the case of AWS, these objects may be things like a shopping cart or cardholder data such as a customer name.
AMI allows multiple instances to run simultaneously, allowing you to personalize the experience in AWS to match business needs.
Is AWS PCI DSS Compliant?
Yes. AWS lists on its "Services in Scope" page the services for which Qualified Security Assessors (QSAs) have provided certification and an Attestation of Compliance (AOC).
Currently, AWS offers more than 120 PCI DSS-compliant services. However, remember that AWS customers are not automatically compliant with PCI DSS. AWS only ensures that the portions of your operations within AWS are compliant.
AWS PCI Compliance Checklist
When it comes to ensuring PCI DSS compliance within the AWS environment, there are several key considerations and steps to follow. This checklist will guide you through the process, ensuring your AWS security measures align with the requirements of PCI DSS.
1. AWS Account Setup:
- Ensure your AWS account has the necessary permissions and access controls. Use AWS Identity and Access Management (IAM) to manage user access and permissions.
- Activate AWS CloudTrail and AWS Config to log and monitor AWS services.
2. Data Protection:
- Use AWS RDS and EBS to store sensitive data, ensuring that cardholder data is encrypted.
- Implement TLS for data transmission. PCI DSS no longer accepts SSL or early TLS (1.0/1.1) as strong cryptography, so require TLS 1.2 or later.
- Utilize key management services for encryption key storage and management.
3. Network Security:
- Set up VPC to create an isolated AWS network environment.
- Implement security groups and network ACLs for inbound and outbound traffic control.
- Use firewall solutions to protect against unauthorized access.
- Ensure load balancing with AWS ELB to distribute incoming traffic across multiple targets.
4. Monitoring and Defense:
- Activate AWS GuardDuty for continuous monitoring and threat detection.
- Implement AWS Security Hub to view your security alerts and posture comprehensively.
- Use AWS CloudWatch for monitoring AWS resources and applications.
- Ensure anti-virus software is in place and regularly updated.
- Activate AWS WAF for protection against web exploits.
5. Access Control:
- Implement multi-factor authentication for added security.
- Restrict physical access to AWS resources.
- Ensure user access is based on the principle of least privilege.
6. Security Maintenance:
- Regularly apply security patches to all systems.
- Conduct vulnerability scanning and penetration testing to identify potential weaknesses.
- Use AWS Security Groups to define inbound and outbound traffic rules.
7. Documentation and Verification:
- Maintain an information security policy that aligns with PCI DSS standards.
- Work with a Qualified Security Assessor (QSA) to verify your AWS PCI compliance.
- Obtain an Attestation of Compliance (AOC) after a successful audit.
8. Additional Considerations:
- Understand the shared responsibility model of AWS, especially when using AWS services in a cardholder data environment.
- Familiarize yourself with the FAQ section of AWS for any specific queries related to PCI requirements.
- Ensure that any API calls are secure and authenticated.
- Regularly review and update IAM roles, permissions, and templates.
- Monitor for malware and ensure systems are protected against it.
9. Service Provider Responsibilities:
- If you’re a service provider, understand your role in the PCI DSS compliance process. As a cloud service provider, AWS ensures that its portion of the workload in the AWS environment is PCI DSS compliant. However, the responsibility for ensuring applications, workloads, and data within AWS are compliant falls on the user.
- Familiarize yourself with the various AWS services, such as AWS CloudTrail, AWS Config, and others, that can help automate security controls and streamline the compliance process.
10. Payment Card Brands:
- Be aware of the specific requirements of major credit card brands like Visa and Discover. Each may have nuances in their PCI requirements.
Following this checklist and addressing each point within your AWS environment will help you achieve and maintain PCI compliance. Remember, while AWS provides many tools and services to assist with compliance, the ultimate responsibility lies with you to ensure that your specific workloads, data, and applications are PCI DSS compliant.
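The segmentation section above and checklist items 1 through 6 (IAM and MFA, CloudTrail, encryption at rest, TLS in transit, security groups, and ELB) describe controls that can be checked mechanically once the relevant AWS configuration has been exported. The following is an added example, not code from the original article, from AWS, or from ZenGRC: a small Python assessor that reads a snapshot shaped like the JSON returned by the AWS CLI (`describe-security-groups`, `describe-db-instances`, `describe-volumes`, `list-mfa-devices`, `get-account-summary`, `describe-trails`/`get-trail-status`, and `elbv2 describe-listeners`) and reports findings against the PCI DSS requirement numbers they relate to. The snapshot itself, all resource identifiers, and the `check_*`/`assess` function names are constructed for illustration; the set of ELB security policy names that still negotiate TLS 1.0/1.1 is an assumption taken from AWS documentation at the time of writing and has to be maintained by whoever adopts the script.

```python
"""Hypothetical PCI DSS-style assessor over an exported AWS configuration snapshot.

Not an AWS or ZenGRC tool. Each check maps to the PCI DSS requirement it supports:
1 (network controls), 3 (stored data), 4 (data in transit), 8 (identity/MFA),
10 (logging). Input dicts mirror AWS CLI JSON so real exports can be fed in.
"""

WORLD = ("0.0.0.0/0", "::/0")          # "anywhere" sources in security-group rules
ADMIN_PORTS = {22, 3389}               # SSH / RDP: never world-reachable in a CDE
# ELB security policies that still allow TLS 1.0/1.1 (assumption from AWS docs; keep current).
EARLY_TLS_POLICIES = {"ELBSecurityPolicy-2016-08", "ELBSecurityPolicy-TLS-1-0-2015-04",
                      "ELBSecurityPolicy-TLS-1-1-2017-01"}


def finding(requirement, resource, message):
    return {"requirement": requirement, "resource": resource, "message": message}


def check_security_groups(groups):
    """Req 1: only HTTPS (443/tcp) may be open to the world; everything else must be scoped."""
    out = []
    for sg in groups:
        for perm in sg.get("IpPermissions", []):
            sources = [r["CidrIp"] for r in perm.get("IpRanges", [])]
            sources += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
            if not any(src in WORLD for src in sources):
                continue  # scoped to specific CIDRs or other security groups: fine
            proto = perm.get("IpProtocol")
            lo, hi = perm.get("FromPort", 0), perm.get("ToPort", 65535)
            if proto == "-1":
                out.append(finding("1", sg["GroupId"], "all protocols and ports open to the world"))
            elif proto == "tcp" and (lo, hi) == (443, 443):
                continue  # public HTTPS entry point is expected
            elif ADMIN_PORTS & set(range(lo, hi + 1)):
                out.append(finding("1", sg["GroupId"], f"admin port range {lo}-{hi} open to the world"))
            else:
                out.append(finding("1", sg["GroupId"], f"port range {lo}-{hi} open to the world"))
    return out


def check_storage(db_instances, volumes):
    """Req 3: cardholder data at rest (RDS storage, EBS volumes) must be encrypted."""
    out = [finding("3", db["DBInstanceIdentifier"], "RDS storage not encrypted")
           for db in db_instances if not db.get("StorageEncrypted")]
    out += [finding("3", vol["VolumeId"], "EBS volume not encrypted")
            for vol in volumes if not vol.get("Encrypted")]
    return out


def check_listeners(listeners):
    """Req 4: load-balancer listeners must use TLS, and not a policy that allows early TLS."""
    out = []
    for lst in listeners:
        arn = lst["ListenerArn"]
        if lst.get("Protocol") not in ("HTTPS", "TLS"):
            out.append(finding("4", arn, f"plaintext {lst.get('Protocol')} listener"))
        elif lst.get("SslPolicy") in EARLY_TLS_POLICIES:
            out.append(finding("4", arn, f"policy {lst['SslPolicy']} still allows TLS 1.0/1.1"))
    return out


def check_identities(users, mfa_devices, account_summary):
    """Req 8: every IAM user, and the root account, has MFA enrolled."""
    with_mfa = {dev["UserName"] for dev in mfa_devices}
    out = [finding("8", u["UserName"], "IAM user without MFA")
           for u in users if u["UserName"] not in with_mfa]
    if not account_summary.get("AccountMFAEnabled"):
        out.append(finding("8", "root", "root account has no MFA"))
    return out


def check_logging(trails, trail_status):
    """Req 10: at least one multi-region CloudTrail trail is actually logging."""
    active = [t for t in trails if t.get("IsMultiRegionTrail")
              and trail_status.get(t["Name"], {}).get("IsLogging")]
    return [] if active else [finding("10", "account", "no active multi-region CloudTrail trail")]


def assess(snapshot):
    """Run every check and return the combined list of findings."""
    return (check_security_groups(snapshot["SecurityGroups"])
            + check_storage(snapshot["DBInstances"], snapshot["Volumes"])
            + check_listeners(snapshot["Listeners"])
            + check_identities(snapshot["Users"], snapshot["MFADevices"], snapshot["AccountSummary"])
            + check_logging(snapshot["Trails"], snapshot["TrailStatus"]))


# Constructed sample snapshot; resource ids and ARNs are placeholders, not real resources.
SAMPLE_SNAPSHOT = {
    "SecurityGroups": [
        {"GroupId": "sg-web", "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
            {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
        {"GroupId": "sg-db", "IpPermissions": [          # reachable only from the app tier
            {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432, "IpRanges": [],
             "Ipv6Ranges": [], "UserIdGroupPairs": [{"GroupId": "sg-app"}]}]},
    ],
    "DBInstances": [{"DBInstanceIdentifier": "cde-postgres", "StorageEncrypted": False}],
    "Volumes": [{"VolumeId": "vol-app", "Encrypted": True}],
    "Listeners": [
        {"ListenerArn": "arn:aws:elasticloadbalancing:REGION:ACCOUNT:listener/app/cde-alb/1",
         "Protocol": "HTTPS", "SslPolicy": "ELBSecurityPolicy-2016-08"},
        {"ListenerArn": "arn:aws:elasticloadbalancing:REGION:ACCOUNT:listener/app/cde-alb/2",
         "Protocol": "HTTP"},
    ],
    "Users": [{"UserName": "alice"}, {"UserName": "bob"}],
    "MFADevices": [{"UserName": "alice", "SerialNumber": "arn:aws:iam::ACCOUNT:mfa/alice"}],
    "AccountSummary": {"AccountMFAEnabled": 1},
    "Trails": [{"Name": "org-trail", "IsMultiRegionTrail": True}],
    "TrailStatus": {"org-trail": {"IsLogging": False}},   # trail exists but was switched off
}

if __name__ == "__main__":
    for f in assess(SAMPLE_SNAPSHOT):
        print(f"Req {f['requirement']:>2}  {f['resource']}: {f['message']}")
```

Run against the sample, the assessor reports six findings: world-open SSH on `sg-web`, an unencrypted RDS instance, an HTTPS listener on a policy that still accepts early TLS, a plaintext HTTP listener, an IAM user without MFA, and a CloudTrail trail that exists but is not logging. The database security group passes because its only ingress is from another security group, which is the segmentation the VPC section describes. Such a script complements rather than replaces AWS Config rules and Security Hub's PCI DSS standard; its value is that the evidence it produces (the snapshot plus findings) can be filed with the documentation a QSA will ask for.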
FAQs About PCI Cloud Compliance & AWS
How do you comply with PCI DSS?
A PCI DSS compliance strategy revolves around achieving the standard's six security goals, which group its 12 requirements. These objectives are designed to provide robust protection for cardholder data:
- Build a Secure Network and Systems
- Protect the Cardholder’s Data
- Maintain a Vulnerability Management Program
- Implement Strong Access Control Measures
- Regularly Monitor and Test Networks
- Maintain an Information Security Policy
How Many Compliance Requirements Does PCI DSS Have?
PCI DSS consists of a total of 12 main compliance requirements. These requirements are to enhance cardholder data security and protect against data breaches. Each requirement is divided into sub-requirements and controls, totaling more than 280 individual directives in the standard.
Manage PCI Compliance With ZenGRC
PCI DSS compliance can be a daunting task. Creating the appropriate controls and documenting their use is challenging, especially if you still use outdated methods to track your company's risk management efforts. To provide the best security for your customers, you need a risk management solution designed to organize and streamline the compliance process.
ZenGRC is an innovative software that automates and integrates your compliance, making tracking risk throughout your organization easy. It also provides transparency for your staff, board members, and auditors so everyone remains on the same page.
Schedule a demo today to learn how ZenGRC can help your company achieve PCI compliance.