PCI Compliance on AWS: Physical Security Responsibilities for AWS Users
Evaluating Your CHD Scope in AWS
While it’s true that AWS is responsible for the physical security of the cloud (which includes the hardware, software, networking, and facilities that run AWS services), as an AWS customer you must still evaluate the physical side of your own PCI scope. Are your employees accessing your AWS environment from an office, from home over a VPN, or from a public place (a hotel, an airport, a coffee shop) over public Internet? What IT services or third parties are connected to your AWS environment? You must evaluate your processes for accessing data in the cloud, because that evaluation may reveal new in-scope systems. Physical security responsibilities aren’t black-and-white – they often bleed between AWS and the customer.
Your responsibility, when it comes to PCI Requirement 9, is to obtain and review AWS’ PCI Attestation of Compliance (AoC) at least annually. AWS’ PCI AoC and AWS PCI DSS Responsibility Summary are available to customers through AWS Artifact. Reviewing this PCI AoC, then performing your own scoping assessment will ensure that you have an appropriate scope for your CHD environment in AWS.
As you work through Requirement 9 in the PCI Data Security Standard, you may think that because AWS is responsible for the physical security requirements of the infrastructure and the hosting environment where you have your applications and resources, checking in on AWS’ compliance is all that you have to do. We hear the comment all the time, “Well, all of our cardholder data environment is located in the cloud, so therefore, those are the only physical security requirements that we have to be concerned with.” That’s just simply not true.
You have to think about where the people who access the AWS environment are located. You have to think about the processes you are engaged in. Maybe you have a chargeback process that occurs somewhere else, or other steps you go through in supporting your customers and handling their data that take place outside of the cloud. You do have to evaluate those things and understand where the scope leads you in terms of your PCI cardholder data environment. In many cases it bleeds outside of AWS’s responsibilities, so it’s very important that you take responsibility for that and understand where the risk lies. Not only should you evaluate AWS’s attestation of compliance, but you should take a careful look at your scope and think about what does or does not remove from scope your office, your employees’ homes, your employees and their laptops when they’re traveling, and any other systems connected to administrative systems that provide IT or other support services. It may well be that the physical security requirements in PCI Requirement 9 apply to some of the locations and equipment within your own organization.