How to Achieve PCI Compliance on AWS

Published March 22, 2018 (5 min read)

As the retail sector increasingly relies on technology for capturing purchase information, merchants selling through Amazon need to meet the Payment Card Industry Data Security Standard (PCI DSS). Administered by the PCI Security Standards Council, PCI DSS compliance offers customers assurance regarding the protection of their information. Prosperous Amazon merchants protect cardholder data using Amazon Web Services (AWS) services and the AWS cloud.

AWS PCI Compliance

What Is the PCI Security Standards Council?

The PCI Security Standards Council (PCI SSC) consists of credit card service providers such as Mastercard and Visa. The PCI SSC wrote a detailed data security standard of over 100 pages, which makes it difficult for small businesses to comprehend the complexities of ensuring compliance.

What Does PCI DSS Compliance Entail?

PCI DSS compliance requires protection of stored customer cardholder data (CHD). Merchants must protect cardholder data through security protections that include, but are not limited to, maintaining secure network firewalls, encrypting data, creating access controls, establishing vulnerability management programs (such as an information security policy), and monitoring networks with testing.

In some cases, however, merchants can transfer risks using third parties.

What Is A Designated Entity?

PCI SSC defines a Designated Entity as an organization that an Acquirer or Payment Brand determines requires additional validation of the PCI DSS requirements.

In other words, when merchants outsource cardholder data storage to third-party applications or service providers, PCI SSC bases its definition of “Designated Entity” on the risk the entity poses in conjunction with the volume of stored data, connections to the original vendor, previous breaches, and other similarly situated risk factors.

Why Does It Matter that AWS Services Is PCI DSS Compliant?

Technically, AWS as a Cloud Service Provider (CSP) does not need to be compliant since it does not store, transmit, or process any CHD.

However, in April 2016, PCI SSC announced the PCI DSS 3.2 update. This update suggested early adoption intended to help prevent, detect, and respond to cyberattacks.

Although AWS offers one of the more secure cloud options, it remains vulnerable when businesses do not exercise due diligence. For example, a company continues to be responsible for ensuring data encryption, limiting the volume of information transferred to the AWS cloud, detailing its compliance strategy, incorporating role-based access controls, and using multifactor authentication.

Despite the ability to transfer some risks to the service providers, ultimate responsibility for information security rests on the organization hiring the vendor.

How Does the Amazon Virtual Private Cloud (VPC) Help Protect Data?

The Amazon VPC acts as a logically isolated segment within the AWS cloud. In less technical words, this allows a merchant to create a private network for cardholder storage helping to meet the PCI DSS segmentation requirement.

Segmentation works to protect cardholder data from information security threats across the entire IT environment.

Imagine information as a jewelry collection. Costume jewelry may need no real protection and be left in public areas of a home. Sterling silver jewelry requires additional protection due to its value and may be stored in a private room. Gold jewelry requires an additional layer of protection based on its importance and may be hidden in a locked box within a private room. Finally, precious stones like diamonds may be removed from the home entirely, segmented into a private deposit box at a bank.

Segmenting information within your IT environment works similarly. Removing cardholder data, the most precious data, from your environment and securing it separately helps keep it safe.
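One way to check that the segmentation described above actually holds in a VPC is to audit the security-group rules that guard the cardholder-data environment (CDE). The following is an added example, not code from the original article or from AWS or ZenGRC. It assumes a constructed CDE address space (`10.0.10.0/24` and `10.0.11.0/24`), a constructed trusted bastion security group, and sample security-group records shaped like the `SecurityGroups` list that boto3's `ec2.describe_security_groups()` returns; none of these values come from a real account. It flags ingress rules that open the CDE to the internet, accept traffic from addresses outside the CDE, allow every protocol, or trust a security group that is neither part of the CDE nor on the allow list.

```python
"""Audit security-group ingress rules for a PCI cardholder-data environment (CDE).

All identifiers, CIDRs and rules below are constructed sample data (assumption);
the record shape mirrors boto3's ec2.describe_security_groups()["SecurityGroups"].
"""
import ipaddress

# Constructed: subnets that make up the CDE.
CDE_CIDRS = [ipaddress.ip_network("10.0.10.0/24"), ipaddress.ip_network("10.0.11.0/24")]
# Constructed: security groups outside the CDE that are allowed to reach it (e.g. a bastion).
TRUSTED_SG_IDS = {"sg-bastion-example"}

# Constructed sample security groups attached to CDE instances.
SAMPLE_SECURITY_GROUPS = [
    {
        "GroupId": "sg-cde-db-example",
        "GroupName": "cde-database",
        "IpPermissions": [
            {  # database port reachable only from the CDE app subnet: acceptable
                "IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
                "IpRanges": [{"CidrIp": "10.0.10.0/24"}], "Ipv6Ranges": [], "UserIdGroupPairs": [],
            },
            {  # SSH from the whole internet: breaks segmentation
                "IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
                "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [], "UserIdGroupPairs": [],
            },
            {  # every protocol from a corporate office range outside the CDE: two problems
                "IpProtocol": "-1",
                "IpRanges": [{"CidrIp": "192.168.0.0/16"}], "Ipv6Ranges": [], "UserIdGroupPairs": [],
            },
            {  # SSH from the trusted bastion security group: acceptable
                "IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
                "IpRanges": [], "Ipv6Ranges": [],
                "UserIdGroupPairs": [{"GroupId": "sg-bastion-example"}],
            },
            {  # HTTPS from a marketing web tier that is neither in the CDE nor trusted
                "IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
                "IpRanges": [], "Ipv6Ranges": [],
                "UserIdGroupPairs": [{"GroupId": "sg-marketing-web-example"}],
            },
        ],
    },
]


def describe_rule(perm):
    """Human-readable protocol/port summary of one IpPermissions entry."""
    proto = perm.get("IpProtocol", "-1")
    if proto == "-1":
        return "all protocols/ports"
    low, high = perm.get("FromPort"), perm.get("ToPort")
    return f"{proto}/{low}" if low == high else f"{proto}/{low}-{high}"


def inside_cde(cidr, cde_cidrs):
    """True when the source CIDR lies entirely within one of the CDE subnets."""
    net = ipaddress.ip_network(cidr, strict=False)
    return any(net.version == c.version and net.subnet_of(c) for c in cde_cidrs)


def audit_cde_segmentation(security_groups, cde_cidrs, trusted_sg_ids):
    """Return a list of findings; an empty list means every ingress rule stays inside the CDE."""
    findings = []
    cde_group_ids = {g["GroupId"] for g in security_groups}
    for group in security_groups:
        for perm in group.get("IpPermissions", []):
            rule = describe_rule(perm)
            if perm.get("IpProtocol") == "-1":
                findings.append({"group": group["GroupId"], "rule": rule,
                                 "reason": "rule allows every protocol and port; limit it to what the CDE needs"})
            for entry in perm.get("IpRanges", []) + perm.get("Ipv6Ranges", []):
                cidr = entry.get("CidrIp") or entry.get("CidrIpv6")
                if ipaddress.ip_network(cidr, strict=False).prefixlen == 0:
                    findings.append({"group": group["GroupId"], "rule": rule,
                                     "reason": f"ingress open to the internet ({cidr})"})
                elif not inside_cde(cidr, cde_cidrs):
                    findings.append({"group": group["GroupId"], "rule": rule,
                                     "reason": f"source {cidr} is outside the CDE address space"})
            for pair in perm.get("UserIdGroupPairs", []):
                sg = pair.get("GroupId")
                if sg not in trusted_sg_ids and sg not in cde_group_ids:
                    findings.append({"group": group["GroupId"], "rule": rule,
                                     "reason": f"source security group {sg} is neither in the CDE nor trusted"})
    return findings


if __name__ == "__main__":
    for finding in audit_cde_segmentation(SAMPLE_SECURITY_GROUPS, CDE_CIDRS, TRUSTED_SG_IDS):
        print(f"{finding['group']} [{finding['rule']}]: {finding['reason']}")
```

Against the constructed data the audit reports four findings: the internet-facing SSH rule, the all-protocol rule (flagged twice, once for the protocol and once because its source is outside the CDE) and the untrusted marketing security group, while the two rules that stay inside the CDE or come from the bastion pass. In a real account the same function can be fed the output of `describe_security_groups()` filtered to the groups attached to CDE instances, with the CDE subnet ranges taken from the network design rather than hard-coded.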

How Does the AWS VPC Help Protect Information?

Segmentation not only means securing the CHD separately, but it also means incorporating additional protections. Unfortunately, those protections often involve sending more requests back and forth between the merchant and the cloud services provider.

The first protection layer comes from using Transport Layer Security (TLS) and its predecessor Secure Sockets Layer (SSL) to protect information in transit. In short, computers talk to one another across the internet. The browser requests the website’s certificate, the website responds with it, and the browser checks that a trusted certificate authority issued it before allowing access. Visitors, therefore, can recognize this as the “official” website rather than an impostor serving malware/ransomware. In this exchange, known as a TLS Handshake, the computers agree on encryption keys and then send encrypted data back and forth. (SSL and early TLS versions are themselves considered insecure; PCI DSS 3.2 required migrating off them for cardholder data by June 30, 2018.)

In other words, imagine the homework assignments you had in elementary school. You had to solve math facts where each answer aligned to a letter. Those letters then allowed you to decode a sentence. A TLS Handshake works similarly. If the final “sentence” makes sense, the certificate is working.

However, this security layer involves a lot of data moving back and forth between computers which can slow down information transmission. Slower transmissions often mean angry customers.

How Does Elastic Load Balancing (ELB) Help?

ELB speeds up networked processes by distributing requests across different servers.

To take the math worksheet example from above, assume a worksheet that has 100 letters in its message. One person decoding all 100 letters may take an hour. If you distribute that message to two people, you cut the time down to half an hour. Spreading the work to four people speeds the decoding process up to fifteen minutes. The more people you have decoding the message, the less time it takes.

The AWS VPC ELB works similarly. It spreads requests, including the work of the TLS handshake, across multiple servers, speeding up information transmission times without giving up the encryption layer that protects the data.

How Can a Company Incorporate AWS Services?

AWS is a simple cloud service allowing customers to personalize their usage. The Amazon Elastic Compute Cloud (Amazon EC2) enables customers to create a cloud-based environment founded on their operating system. Using application programming interfaces (APIs) chosen by the customer, an organization can build a personalized set of services meeting its specific needs.

To ease the burden further, Amazon EC2 incorporates the Amazon Machine Image (AMI) which is a software configuration template. In other words, the AMI allows you to set up a virtual version of your computer.

Using the AMI, you can then run an “instance,” or a set of objects that allow you to do business. In the case of AWS, these objects may be things like a shopping cart or CHD such as customer name.

AMI allows multiple instances to run at once giving you the freedom to personalize the experience in AWS to match business needs.

Is AWS PCI DSS Compliant?

AWS lists on its “Services in Scope” page the services a third-party auditor assessed, providing certification and attestation of compliance. Currently, AWS offers 58 PCI DSS compliant services, including AWS CloudTrail and AWS SageMaker.

How ZenGRC Eases the AWS PCI DSS Compliance Burden

AWS provides customers with the “AWS 2016 PCI DSS 3.2 Responsibility Summary” as part of its on-request AWS PCI DSS Compliance Package. Customers using the AWS Artifact self-service portal can download the compliance reports, which include the AWS Attestation of Compliance.

ZenGRC’s SaaS platform provides customers with a single location to store and access all compliance information. Compliance across standards affects merchants and others using AWS. The AWS Services in Scope page also lists SOC, ISO, FedRAMP, and HIPAA attestations. Your organization, therefore, may need to document multiple compliance attestations as part of your AWS cloud compliance. ZenGRC gives you a single source of truth to store all necessary documentation proving due diligence over your third-party vendors.

For more information on using ZenGRC to aid your vendor management compliance requirements, schedule a demo today.
