The Payment Card Industry Data Security Standard (PCI DSS) is an information security standard merchants and service providers must comply with if they store, process, or transmit cardholder data. PCI DSS includes over 400 information security requirements, including requirements that apply to cloud infrastructure such as Amazon Web Services (AWS).
Organizations that use AWS to store and process credit card data must ensure their cloud infrastructure is compliant. But maintaining AWS PCI-compliance is not as simple as uploading sensitive data to a cloud service that has been audited and declared PCI compliant. As Amazon puts it, “It is the customer’s responsibility to maintain their PCI DSS cardholder data environment (CDE) and scope, and be able to demonstrate compliance of all controls.”
In this article, we examine what AWS PCI compliance means and how companies store and process data on AWS while maintaining PCI DSS compliance.
Which Data is Covered by PCI DSS?
Cardholder data is any personally identifiable information associated with a credit cardholder or their account. It includes:
- The Primary Account Number (PAN)
- Cardholder names
- Expiration dates
- Service codes
PCI DSS also addresses the storage, processing, and transmission of sensitive authentication data, including magnetic stripe data, CVC numbers and equivalent data, and personal identification numbers (PINs). Organizations storing and processing this data must ensure that the relevant infrastructure and systems are compliant.
Is AWS PCI-Compliant?
AWS is a PCI DSS Level 1 compliant service provider. Level 1 is the most stringent of the four levels of PCI compliance, and it implies that AWS has been certified compliant following an audit by a Qualified Security Assessor (QSA).
Which AWS Services Are PCI Compliant?
The majority of Amazon’s cloud services are PCI-compliant. Compliant services include Amazon Simple Storage Service (S3), Amazon Elastic Compute Cloud (EC2), Amazon Elastic Block Store (EBS), and around 150 other cloud services and programs. You can see a complete list of PCI compliant AWS services at AWS Services in Scope by Compliance Program.
AWS PCI Compliance and the Shared Responsibility Model
AWS operates a shared responsibility security model meaning responsibility for securing cardholder data is shared between the platform and the user. AWS implements secure and compliant systems which reduce the users’ operational burden. But it doesn’t absolve them of the responsibility to use AWS services in a secure and compliant manner.
Amazon is always responsible for securing the underlying hardware, but the user may be responsible for the service’s configuration and any software they run on it. The division of responsibility depends on the cloud service. On EC2, the user is responsible for securing the operating system and services they run on virtual servers. On S3, they are responsible for the aspects of the service that are user configurable.
To consider one common AWS security failing, Amazon S3 is a secure and PCI-compliant object storage service. If S3 is correctly configured and used as part of a compliant system, an AWS user could store cardholder data on S3 and maintain PCI compliance.
However, S3 can be configured insecurely. This could occur by setting a permission policy that allows public access to the data stored in a bucket. In that case, the service is PCI compliant, but the user’s implementation is not, and nor is any system that uses that implementation.
As Amazon’s compliance guidelines make clear, “AWS Services listed as PCI DSS compliant means that they can be configured by customers to meet their PCI DSS requirements. It does not mean that any use of that service is automatically compliant.” Additionally, the PCI DSS’s scope goes beyond infrastructure to processes and people—compliant infrastructure can’t make a system compliant unless all other appropriate controls are also implemented.
Ultimately, PCI DSS compliance is always the responsibility of the user. Amazon makes compliance easier, but if cardholder data is exposed or misused, it is the user who faces penalties and perhaps the revocation of their ability to process credit card payments.
How to Achieve PCI Compliance on AWS
Achieving PCI compliance on AWS is a complex topic: it depends on the size and scope of a business’s cardholder data environment; the cloud infrastructure, services, and software in use; and the processes the company supports with AWS services.
To implement a PCI-compliant cardholder data environment, AWS users must ensure that all infrastructure connected to the data environment complies with the relevant PCI DSS requirements. We cannot cover all applicable requirements here, so let’s look at three examples of how AWS helps businesses comply.
PCI DSS Firewall Controls
PCI DSS Requirement 1.1.4 requires businesses to implement a firewall at each internet connection and between any demilitarized zone and the internal network zone. Amazon provides two main PCI compliant firewall options: Security Groups and Network Access Control Lists (NACL).
Firewalls are a clear example of how the division of responsibility between AWS and the user works. AWS provides firewall services that help users comply with PCI DSS requirements, but the user must configure and manage the firewalls in a compliant manner. AWS also provides the AWS Firewall Manager to centralize and simplify firewall management for AWS environments.
Strong Encryption of Data at Rest and in Motion
PCI DSS Requirements 3 and 4 address cardholder data protection, including encryption at rest and in transit. Relevant requirements include:
- Render PAN unreadable anywhere is stored.
- Use strong cryptography and security protocols to safeguard sensitive cardholder data during transmission over open networks.
Businesses must encrypt cardholder data in transit and at rest with strong, modern cryptographic technology. AWS makes this relatively straightforward. Most storage services offer encryption at rest, including databases, storage services, and caching services.
Data is automatically encrypted as it is moved within a secure AWS network. Still, users must ensure that they implement suitable cryptographic protection when data is transmitted to third-party clients and services.
Secure Key Management
PCI DSS Requirement 3.5 and Requirement 3.6 include several key management sub-requirements such as:
- Document and implement procedures to protect keys used to secure stored cardholder data against disclosure and misuse.
- Restrict access to cryptographic keys to the fewest custodians necessary.
- Generate strong cryptographic keys and implement processes to store and distribute them securely.
To help businesses comply with these requirements, AWS provides the AWS Key Management Service (AWS KMS). AWS KMS is a key management service that can generate and control secure keys. It integrates with many other AWS services that encrypt data, making it easier to comply with PCI DSS encryption and key management requirements.
Verifying AWS PCI Compliance with A PCI DSS Audit
As we’ve seen, AWS is a PCI-compliant cloud platform. AWS services help businesses build PCI compliant systems to store and process credit card data. Achieving PCI compliance is much less complex on AWS than on self-managed colocated servers.
However, less complex isn’t the same as simple. Businesses often face challenges configuring, managing, and integrating AWS cloud services in a way that maintains compliance. Non-compliant organizations risk fines and penalties, termination of the ability to accept cards as payment, loss of business, and legal costs.
As a licensed CPA and QSA firm, KirkpatrickPrice’s PCI audits will help your business demonstrate PCI compliance and reduce the risk of non-compliance. In addition to PCI audits, we also offer cloud security audits, penetration testing, risk assessments, and other services that help businesses to achieve PCI compliance on AWS.
Contact KirkpatrickPrice today to learn more about how a PCI audit could benefit your business.