PCI Compliance on AWS: Physical Security Responsibilities for AWS
Complying with PCI Requirement 9 in AWS
PCI Requirement 9 covers physical security: restricting physical access to systems and media that store, process, or transmit cardholder data. You might wonder how this requirement applies when your cardholder data environment runs in AWS. Physical security is one of the clearest cases of the AWS Shared Responsibility Model in action. AWS is responsible for "security of the cloud," which includes the hardware, software, networking, and facilities that run AWS services. AWS is assessed annually as a PCI DSS Level 1 Service Provider, so the physical controls protecting those facilities (data center access, visitor and vendor procedures, monitoring, media handling and destruction) are covered by that assessment. Note that this only covers AWS facilities; physical controls for any of your own locations that touch cardholder data, such as offices, workstations, payment terminals, paper records, or backup media, remain your responsibility under Requirement 9.
Your responsibility for the AWS-hosted portion of Requirement 9 is to obtain and review AWS' PCI DSS Attestation of Compliance (AoC) at least annually, and to confirm that the AWS services you rely on are included in its scope. AWS' PCI AoC and the AWS PCI DSS Responsibility Summary are available to customers through AWS Artifact for on-demand access. To learn more about the compliance program at AWS, see the documentation on AWS Services in Scope.
When you're working through Requirement 9 for your PCI Data Security Standard assessment, you might question the relevance of physical security requirements if your applications run entirely within AWS. AWS has taken responsibility for the physical security controls protecting the infrastructure that hosts the resources in your AWS account. This is documented in your PCI Report on Compliance because AWS is one of your third-party service providers. AWS personnel have physical access to the hardware your environment runs on, and in its attestation of compliance AWS accepts responsibility for the requirements that relate to its physical security controls. AWS is responsible for controlling visitor and vendor access to its facilities, for the video surveillance that monitors them, and for the alarms and other measures that protect them from physical intruders. For the AWS data centers, all of that shifts to AWS.
Your responsibility during your PCI audit is to request AWS' PCI AoC. AWS provides it through AWS Artifact so that you can keep a copy and give it to your assessor to fulfill your compliance requirements. You remain responsible for overseeing AWS' compliance as a service provider, which PCI DSS Requirement 12.8 spells out: maintain a list of the service providers that can affect the security of cardholder data, have a written agreement in which the provider acknowledges its responsibility for the controls it manages, monitor the provider's PCI DSS compliance status at least annually, and document which requirements are handled by the provider, which by you, and which are shared. For AWS, the AoC and the PCI DSS Responsibility Summary in AWS Artifact are the primary evidence for this, so you'll want to review them on at least an annual basis and watch for changes to the services in scope. If you have any questions about working with AWS or any other third party that shares responsibility for PCI DSS controls, please contact us today. We'd be happy to walk you through it.