Understanding PCI Cloud Compliance on AWS
Published December 14, 2020 by Reciprocity • 6 min read
No matter where or how you sell your products — even in the cloud — if you accept debit card or credit card payments you must meet PCI DSS requirements.
The Payment Card Industry Data Security Standard ensures that payment card transactions are secure and that cardholder data is protected from breach and theft.
Administered by the PCI Security Standards Council (PCI SSC), a consortium of major credit card brands (Visa, Mastercard, Discover, American Express, and JCB), PCI DSS governs the security and privacy of payment card information whether payments occur on-premises at your place of business or online, in the public cloud.
PCI DSS applies to cardholder data (CHD) wherever it is stored, processed, or transmitted, not only to data at rest. Its twelve requirements are grouped under six control objectives that every merchant must meet:
- Build and maintain a secure network and systems (firewall configuration, no vendor-supplied default passwords)
- Protect cardholder data (protect stored CHD; encrypt CHD in transit over open, public networks)
- Maintain a vulnerability management program (malware protection, secure development, patching)
- Implement strong access control measures (need-to-know access, unique IDs, physical controls)
- Regularly monitor and test networks (logging, vulnerability scanning, penetration testing)
- Maintain an information security policy
If your e-commerce transactions occur in the cloud, you might feel tempted to leave it up to the cloud provider to secure the payment card data processed and stored there. Don’t succumb.
Cloud security is a shared responsibility. Under AWS’s model, AWS is responsible for security of the cloud: the data centers, hardware, network, and the virtualization and managed-service layers. You, the merchant, are responsible for security in the cloud: the operating systems and applications you run, the network paths you open, identity and access management, encryption of cardholder data, and logging and monitoring. Nothing you put on the platform is protected by default just because the platform itself has been assessed.
PCI DSS requirements for security controls cover the entire cardholder data environment (CDE): every system that stores, processes, or transmits cardholder data, plus anything connected to those systems, including any of it that runs in the cloud. As the merchant selling the product or service, you remain ultimately responsible for protecting cardholder data. Fortunately, the PCI DSS requirements are prescriptive, and the PCI SSC’s Cloud Computing Guidelines supplement them with guidance on how responsibility for each requirement can be divided between you and the provider.
What is the importance of PCI cloud compliance for service providers?
The PCI DSS Cloud Computing Guidelines define “cloud service provider” (CSP) as “the entity providing the cloud service. It acquires and manages the infrastructure required for providing the services, runs the cloud software that provides the services, and delivers the cloud services through network access.”
PCI DSS requires that cloud providers whose environment is used for processing, storage, or transmittal of payment card data be PCI DSS compliant. However, it also holds you, the merchant using the platform, responsible for ensuring that the provider properly secures the cardholder data from your account. It’s also your duty to delineate which PCI DSS requirements are yours to meet, which the provider must meet, and which third parties such as payment gateways should meet.
Using definitions from the National Institute of Standards and Technology (NIST), the guidelines describe four cloud deployment models. Whichever you use, any part of it that stores, processes, or transmits cardholder data, or is connected to systems that do, is in PCI DSS scope:
- Public cloud: services are offered to the general public on shared infrastructure that the CSP owns and controls. Many tenants share the platform, so isolation between them is the CSP’s responsibility and yours to verify.
- Private cloud: the infrastructure is dedicated to a single organization. It may be managed by that organization or by a third party, and may sit on- or off-premises, but only that organization (and the business units within it) uses it.
- Community cloud: infrastructure shared by a group of organizations with common requirements (for example, the same compliance obligations), managed by one or more of them or by a third party.
- Hybrid cloud: two or more of the above, kept as distinct clouds but linked so that data and applications can move between them. This gives flexibility, and it also extends PCI scope across every cloud that touches cardholder data.
Before using cloud services to process sales transactions, you should perform the following tasks, the guidelines state:
- Understand your risk and security requirements.
- Choose a deployment model that aligns with your and your industry’s security and risk requirements.
- Evaluate different service options.
- Know what you want from your provider.
- Compare providers and service offerings.
- Ask questions of the provider and verify the responses, including:
  - What does each service consist of, and how is the service delivered?
  - What does the service provide with respect to security maintenance, PCI DSS compliance, segmentation, and assurance, and for what are you responsible?
  - How will the provider supply ongoing evidence that security controls remain in place and are kept up to date?
  - What will the provider commit to in writing?
  - Are other parties involved in service delivery, security, or support?
- Document everything with your provider in written agreements – for example, Service Level Agreements (SLAs)/Terms of Service contracts.
- Request written assurances that security controls will be in place, and periodic verification (e.g., compliance reports) that controls continue to be maintained.
- Review the service and written agreements periodically to identify whether anything has changed.
AWS PCI Compliance
AWS is among the more secure cloud platforms available, but an AWS account is only as secure as the customer’s own configuration of it. The merchant remains responsible for, among other things: encrypting cardholder data at rest and in transit, keeping the cardholder data it stores in AWS to the minimum it actually needs, documenting its compliance strategy and which controls it inherits from AWS, implementing role-based access through AWS Identity and Access Management (IAM), and enforcing multi-factor authentication for anyone who can reach the cardholder data environment.
Some risk can be transferred to a service provider by contract, but responsibility for PCI DSS compliance cannot: it stays with the organization that engages the vendor.
How does the Amazon Virtual Private Cloud (VPC) help protect data?
An Amazon VPC is a logically isolated virtual network inside your AWS account. Its subnets, route tables, security groups, and network ACLs let a merchant place the systems that store, process, or transmit cardholder data in their own network segment with tightly controlled paths in and out.
PCI DSS does not require segmentation, but it recognizes it as the main way to shrink the cardholder data environment, and with it the number of systems that must meet every requirement. A segment only counts if it is enforced (out-of-scope systems genuinely cannot reach the CDE) and its effectiveness is confirmed by penetration testing, so the VPC controls have to be configured deliberately and reviewed, not assumed.
Imagine information as a jewelry collection. Costume jewelry may need no real protection and be left in public areas of a home. Sterling silver jewelry requires additional protection due to its value and may be stored in a private room. Gold jewelry requires an additional layer of protection based on its importance and may be hidden in a locked box within a private room. Finally, precious stones like diamonds may be removed from the home entirely, segmented into a private deposit box at a bank.
Segmenting information within your IT environment works similarly. Removing cardholder data, the most precious data, from your environment and securing it separately helps keep it safe.
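Segmentation in a VPC comes down to which inbound rules exist on the security groups that front the CDE. As an added example, not code from the article or from AWS, the Python below checks those rules for the three patterns an assessor will ask about: rules that open everything, internet sources on ports that are not meant to be public, and sources that are security groups outside the CDE (which makes those hosts “connected-to” systems and pulls them into scope). The input is a constructed sample in the shape that boto3’s `ec2.describe_security_groups()` returns; the group IDs and names are placeholders, and the set of CDE groups and the ports permitted from the internet are assumptions you supply for your own environment.

```python
from ipaddress import ip_network

# Sources that mean "anyone on the internet".
PUBLIC_SOURCES = {ip_network("0.0.0.0/0"), ip_network("::/0")}


def _sources(perm):
    """Yield (label, is_public, source_group_id) for each source of one
    IpPermission entry as boto3 returns it: IPv4 CIDRs, IPv6 CIDRs, and
    references to other security groups."""
    for r in perm.get("IpRanges", []):
        yield r["CidrIp"], ip_network(r["CidrIp"]) in PUBLIC_SOURCES, None
    for r in perm.get("Ipv6Ranges", []):
        yield r["CidrIpv6"], ip_network(r["CidrIpv6"]) in PUBLIC_SOURCES, None
    for pair in perm.get("UserIdGroupPairs", []):
        yield pair["GroupId"], False, pair["GroupId"]


def _rule_label(perm):
    """'all traffic', 'tcp/443' or 'tcp/1024-65535' for one IpPermission entry."""
    if perm["IpProtocol"] == "-1":
        return "all traffic"
    lo, hi = perm["FromPort"], perm["ToPort"]
    return f"{perm['IpProtocol']}/{lo}" if lo == hi else f"{perm['IpProtocol']}/{lo}-{hi}"


def segmentation_findings(security_groups, cde_group_ids, public_ok_ports=(443,)):
    """Inbound rules on CDE security groups that undermine segmentation.

    Returns (group_id, rule, source, reason) tuples for three patterns:
      * all-traffic rules, whatever the source;
      * internet sources (0.0.0.0/0, ::/0) on any port not in public_ok_ports;
      * sources that are security groups outside the CDE set, whose members
        become 'connected-to' systems and therefore enter PCI DSS scope.
    Groups not named in cde_group_ids are skipped.
    """
    cde = set(cde_group_ids)
    findings = []
    for sg in security_groups:
        gid = sg["GroupId"]
        if gid not in cde:
            continue
        for perm in sg.get("IpPermissions", []):
            rule = _rule_label(perm)
            for src, is_public, src_group in _sources(perm):
                if rule == "all traffic":
                    findings.append((gid, rule, src, "every port and protocol is open"))
                elif is_public and not set(range(perm["FromPort"], perm["ToPort"] + 1)) <= set(public_ok_ports):
                    findings.append((gid, rule, src, "reachable from the internet"))
                elif src_group is not None and src_group not in cde:
                    findings.append((gid, rule, src, "source security group is outside the CDE"))
    return findings


# Constructed sample in the shape of ec2.describe_security_groups()["SecurityGroups"];
# the IDs are placeholders, not real AWS identifiers.
SAMPLE_GROUPS = [
    {"GroupId": "sg-cde-web", "GroupName": "cde-web", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,        # fine: public HTTPS
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [], "UserIdGroupPairs": []},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,          # SSH open to the world
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [], "UserIdGroupPairs": []},
    ]},
    {"GroupId": "sg-cde-db", "GroupName": "cde-db", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,      # fine: from the CDE web tier
         "IpRanges": [], "Ipv6Ranges": [], "UserIdGroupPairs": [{"GroupId": "sg-cde-web"}]},
        {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,      # office VPN hosts reach the DB
         "IpRanges": [], "Ipv6Ranges": [], "UserIdGroupPairs": [{"GroupId": "sg-office"}]},
        {"IpProtocol": "-1",                                          # everything from the corporate range
         "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": [], "UserIdGroupPairs": []},
    ]},
    {"GroupId": "sg-office", "GroupName": "office-vpn", "IpPermissions": [   # not a CDE group, not checked
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": [], "UserIdGroupPairs": []},
    ]},
]
CDE_GROUPS = ["sg-cde-web", "sg-cde-db"]

if __name__ == "__main__":
    for gid, rule, src, why in segmentation_findings(SAMPLE_GROUPS, CDE_GROUPS):
        print(f"{gid}: {rule} from {src}: {why}")
```

Against the sample this reports SSH open to the internet on the web tier, the database port reachable from the out-of-scope office group, and an all-traffic rule on the database tier; the public HTTPS rule and the web-to-database rule pass. Run against real output from `describe_security_groups`, the third kind of finding is the one that most often surprises teams: the rule looks internal, but the referenced group’s members are now in scope for the assessment.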
How does the AWS VPC help protect information?
Segmentation not only means securing the CHD separately; it also means layering additional protections around it. Each layer costs something, usually extra round trips or processing between the customer, your servers, and the provider’s services, so the design question is how to add protection without slowing transactions down.
The first protection layer is Transport Layer Security (TLS), the protocol that encrypts traffic between a customer’s browser and your site. Its predecessor, Secure Sockets Layer (SSL), and TLS 1.0 are no longer acceptable under PCI DSS for protecting cardholder data; when people say “SSL” today they almost always mean TLS. In a TLS handshake the browser announces the protocol versions and cipher suites it supports; the server replies with its choice and its certificate; the browser checks that the certificate chains to a certificate authority it trusts, that it matches the name of the site it asked for, and that it has not expired; and the two sides then agree on session keys. Only after that does application data flow, encrypted and integrity-protected. The certificate check is what lets the visitor (and your own systems calling a payment gateway) know they are talking to the genuine site rather than an impostor; the session keys keep the card number private on the wire.
In other words, imagine the homework assignments you had in elementary school, where each math answer mapped to a letter and the letters spelled out a sentence. The handshake ends with a similar check: each side independently computes the session key from what was exchanged and sends the other a short message protected with it. If the other side can decode that message and it “makes sense,” both arrived at the same key and the handshake succeeded; if not, the connection is dropped before any card data is sent.
However, the handshake costs an extra round trip or two and some CPU for the public-key operations before the first byte of a page can be sent, and every new connection pays it again. Slower pages mean abandoned carts, which is why where and how TLS is terminated matters.
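What the handshake actually guarantees depends on settings the client controls: whether the certificate is verified, whether its name is matched against the host, and what the oldest acceptable protocol version is. As an added example, not code from the article or from AWS, the Python below builds both the weak client configuration that legacy integration code often still carries and a hardened one, audits either against those three properties, and offers a helper that performs a real, verified handshake and reports what was negotiated. The TLS 1.2 floor is an assumed local policy (PCI DSS itself prohibits SSL and TLS 1.0; treating TLS 1.1 as unacceptable as well follows NIST SP 800-52r2), and `handshake_report` is illustrative: it makes a network connection and is not part of the offline checks.

```python
import socket
import ssl

# PCI DSS has required moving off SSL and "early TLS" (TLS 1.0) since v3.1; this
# example sets the floor at TLS 1.2 (assumed local policy, matching NIST SP 800-52r2).
MIN_VERSION = ssl.TLSVersion.TLSv1_2


def weak_client_context():
    """The shape a lot of legacy integration code still has: no certificate or
    hostname check, so any server (an attacker's included) is accepted, and no
    protocol floor, so a downgrade to whatever the library still supports is possible."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False            # must be cleared before verify_mode may be CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    ctx.minimum_version = ssl.TLSVersion.MINIMUM_SUPPORTED   # no floor at all
    return ctx


def hardened_client_context():
    """Verify the chain against the system trust store, require the certificate
    name to match the host asked for, and refuse anything older than TLS 1.2."""
    ctx = ssl.create_default_context()    # CERT_REQUIRED, check_hostname=True, system CA bundle
    ctx.minimum_version = MIN_VERSION
    return ctx


def audit_context(ctx):
    """Reasons a context would fail review against the three handshake
    properties described above; an empty list means it passes."""
    problems = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        problems.append("server certificate is not verified: any server is accepted")
    if not ctx.check_hostname:
        problems.append("certificate name is not matched against the hostname")
    if ctx.minimum_version < MIN_VERSION:
        problems.append(f"protocol floor is {ctx.minimum_version.name}, below TLS 1.2")
    return problems


def handshake_report(host, port=443):
    """Perform a verified handshake and report what was negotiated. Makes a real
    network connection, so it is for interactive use, not the offline checks."""
    ctx = hardened_client_context()
    with socket.create_connection((host, port), timeout=10) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            cert = tls.getpeercert()
            return {
                "protocol": tls.version(),                # e.g. 'TLSv1.3'
                "cipher": tls.cipher()[0],
                "subject": dict(item for rdn in cert["subject"] for item in rdn),
                "issuer": dict(item for rdn in cert["issuer"] for item in rdn),
            }


if __name__ == "__main__":
    for name, ctx in (("weak", weak_client_context()), ("hardened", hardened_client_context())):
        print(name, audit_context(ctx) or "OK")
```

The weak context is the one to look for in code that calls a payment gateway or an internal API: with verification off, the handshake still “succeeds,” but against whoever answers, so the encryption protects nothing. `handshake_report("example.com")` shows the same three properties from the other side: the negotiated version, the cipher, and the subject of the certificate that was actually verified.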
How does elastic load balancing (ELB) help?
Elastic Load Balancing (ELB) distributes incoming connections across a fleet of servers, so no single instance has to carry every handshake and every request.
To take the math worksheet example from above, assume a stack of worksheets that takes one person an hour to decode. Two people finish in half an hour, four in fifteen minutes. Each worksheet is still decoded by one person, but the pile shrinks faster as more people share it. TLS handshakes behave the same way: each connection is still one handshake, but many connections arriving at once can be spread across many servers.
An ELB in your VPC (an Application Load Balancer for HTTPS, a Network Load Balancer for TLS) works the same way. With an HTTPS or TLS listener it terminates the customer’s TLS session on the load balancer and can re-encrypt traffic to the instances behind it, so the handshake work is spread across the fleet and the protocol versions and cipher suites you accept are set once, in the listener’s security policy, rather than on every server. That policy is where you enforce the PCI DSS ban on SSL and early TLS. Load balancing does not add encryption by itself; it centralizes and scales the encryption you configure.
What is PCI compliance in AWS?
AWS is a collection of services that you assemble to fit your needs. Amazon Elastic Compute Cloud (Amazon EC2) lets you run virtual servers with the operating system you choose, and every AWS service is driven by an application programming interface (API), so an organization can script the build of an environment that matches its specific requirements instead of configuring it by hand.
An Amazon Machine Image (AMI) is the template an EC2 instance is launched from: the operating system, the installed software, and their configuration. In PCI terms, a hardened AMI is where you capture the configuration standard the requirements call for (vendor defaults removed, unnecessary services disabled, logging enabled), so that every server starts from the same assessed baseline.
From an AMI you launch an “instance,” a running virtual server. In a payment environment these instances are the web tier that serves the shopping cart, the application tier that talks to the payment gateway, and, if you store cardholder data at all, the database tier that holds it, including fields such as the customer name. Each of them belongs inside the CDE.
One AMI can be launched as many instances at once, so the environment scales with demand while every instance stays identical to the baseline you assessed. When a patch is needed, you update the AMI and redeploy rather than changing instances by hand, and the image version becomes evidence of what was running and when.
Is AWS PCI DSS Compliant?
AWS lists on its “Services in Scope” page the services that a Qualified Security Assessor (QSA) has validated as PCI DSS compliant and that are covered by AWS’s Attestation of Compliance (AOC); customers can download the AOC through AWS Artifact. At the time of writing, more than 120 services were in scope. A service being in scope means AWS’s side of the shared responsibility has been assessed; how you configure and use that service is still yours to assess and evidence.
How ZenGRC eases AWS PCI DSS compliance
ZenGRC’s SaaS platform provides you with a single location to store and access all your compliance documentation.
Many merchants and others using AWS must comply with other regulations and industry standards in addition to PCI DSS. The AWS Services in Scope page also lists SOC, ISO, FedRAMP, and HIPAA attestations.
Your organization, therefore, may need to document multiple compliance attestations as part of your AWS cloud compliance. ZenGRC gives you a “single source of truth” repository in which to store all the necessary documentation, proving due diligence over your third-party vendors, and it tracks compliance with all your frameworks at once, so a control you satisfy for one framework is not re-done for another.
Worry-free compliance is the Zen way. For more information on using ZenGRC to meet your compliance requirements, schedule a demo today.