DEV Community

Gilad David Maayan

Achieving PCI Compliance in AWS

What Is PCI Compliance in AWS?

Organizations that store, process, or transmit payment card data are required by the card brands and their acquiring banks to comply with the Payment Card Industry Data Security Standard (PCI DSS). The standard, maintained by the PCI Security Standards Council (PCI SSC), sets baseline controls for securing transactions and cardholder data. PCI DSS is not a statute; it is enforced through the merchant's contract with its acquirer and the card brands, although some US states reference it in their data-protection laws, and US regulators such as the Federal Trade Commission have pursued companies whose payment security fell well below accepted industry practice.

Amazon Web Services (AWS) is a cloud platform offering IaaS, PaaS, and SaaS services for storing data, running workloads, and delivering content. If any of those services touch cardholder data, PCI compliance must be part of the organization's cloud security strategy: the standard requires that stored cardholder data be protected and that it be encrypted whenever it crosses open networks, and those obligations follow the data into the cloud.

The Cost Associated with Non-Compliance

PCI DSS is not a law, so a violation by itself carries no statutory fine. The card brands, however, can fine a non-compliant merchant's acquiring bank, and the bank passes those fines on to the merchant; figures commonly cited in the industry range from $5,000 to $100,000 per month until compliance is restored. More serious still, an acquirer can revoke a merchant's ability to accept card payments, which can be a death blow to a commercial operation.

Beyond the formal penalties, breaches of cloud-hosted cardholder data are expensive. An average data breach costs millions of dollars and takes significant time and effort to recover from, and it is estimated that over a third of small and mid-sized businesses never recover from a serious cloud incident and shut down.

If an assessor finds you non-compliant, the report usually specifies the fixes and additional controls needed to reach compliance. Sometimes that means new security tooling; sometimes it means physical security measures for an office or data center. These measures can be expensive, and remediation is usually a race against a deadline set by your acquirer.

Given these risks, planning for your compliance obligations is part of managing the cost of running in the Amazon cloud: design the infrastructure so that it complies with PCI DSS and any other applicable standards from the start, rather than retrofitting controls after a failed assessment.

The Challenge of Meeting the PCI DSS Requirements in the Cloud

The Payment Card Industry Data Security Standard is a long-established requirement for many organizations, but implementing it in cloud environments is harder, because cloud native processes change quickly and are typically reachable over the Internet.

A cloud native environment is elastic and defined by network configuration rather than physical topology. Workloads are transient and dynamic and run across distributed environments; there is no fixed location or static segmentation as in a traditional network. That distribution adds complexity and calls for a new approach to governing, managing, and auditing access privileges and network controls.

Understanding the PCI DSS requirements and maintaining compliance in a cloud native ecosystem is a serious challenge. Conventional security tools built for static networks cannot keep up with the rate of change or provide sufficient visibility and context in a cloud environment, so tooling that worked on-premises will not guarantee compliance in the cloud.

Areas that matter most for PCI compliance in the cloud include data protection, vulnerability management, network security, access control, segregation of duties, threat hunting and analysis, monitoring, and audit trails.

How to Achieve PCI Compliance on AWS

Here are some considerations to help ensure PCI compliance for AWS environments.

Firewalls and Controls
PCI DSS requires a firewall at every Internet connection and between any demilitarized zone (DMZ) and the internal network zone (Requirement 1.1.4 in PCI DSS v3.2.1). In AWS the customer-managed equivalents are security groups, which are stateful and attached to individual network interfaces, and network access control lists (NACLs), which are stateless and apply at the subnet boundary. AWS Network Firewall and AWS WAF add managed inspection where those simpler rule sets are not enough.

Firewalls illustrate the shared responsibility model between the customer and AWS. AWS provides the firewall services; the customer is responsible for configuring and managing them so that only the traffic the cardholder data environment (CDE) actually needs is allowed, and for being able to show an assessor the rule sets and the change history behind them. AWS Firewall Manager can centralize those policies across the accounts in an AWS Organization.

Data Encryption at Rest and in Transit
PCI DSS requires organizations to protect cardholder data with strong cryptography both at rest and in transit (Requirements 3 and 4). The primary account number (PAN) must be rendered unreadable wherever it is stored, using strong encryption, truncation, tokenization, or one-way hashing, and strong cryptographic protocols such as TLS must protect cardholder data whenever it travels over open, public networks like the Internet.

AWS supports these requirements in most of its data services: S3, EBS, RDS, DynamoDB, ElastiCache and others offer at-rest encryption, usually backed by KMS keys. AWS also encrypts traffic that moves between its own data centers, but that does not cover the customer's endpoints: you must require TLS on load balancers, API endpoints, and storage services (for example with a bucket policy that rejects plaintext requests) and disable legacy protocol versions and weak cipher suites.

The customer is likewise responsible for the cryptography used when transmitting cardholder data to a third party such as a payment processor, and for the certificates and cipher configuration on every endpoint it controls.
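The in-transit and at-rest rules above are easiest to enforce where the data lands. Below is an added example, not code from the article's author or from AWS, of an S3 bucket policy that denies any request made without TLS and any upload that is not encrypted with a KMS key, together with a small evaluator that shows which requests the two Deny statements catch. The bucket name is a placeholder, and the evaluator implements only the two condition operators this policy uses, not IAM's full evaluation logic.

```python
"""Bucket policy that denies plaintext transport and unencrypted uploads.

Added example for this article; it is not AWS's or the author's code.
The bucket name is a placeholder, and the evaluator below implements only
the two condition operators the policy uses, not IAM's full logic.
"""
from __future__ import annotations

import json
from fnmatch import fnmatchcase

BUCKET = "example-cde-bucket"            # assumption: placeholder bucket name
BUCKET_ARN = f"arn:aws:s3:::{BUCKET}"


def tls_and_kms_only_policy() -> dict:
    """Two explicit Deny statements; an explicit Deny overrides any Allow."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "DenyPlaintextTransport",
                "Effect": "Deny",
                "Principal": "*",
                "Action": "s3:*",
                "Resource": [BUCKET_ARN, f"{BUCKET_ARN}/*"],
                "Condition": {"Bool": {"aws:SecureTransport": "false"}},
            },
            {
                "Sid": "DenyUnencryptedObjectUploads",
                "Effect": "Deny",
                "Principal": "*",
                "Action": "s3:PutObject",
                "Resource": f"{BUCKET_ARN}/*",
                "Condition": {
                    "StringNotEquals": {"s3:x-amz-server-side-encryption": "aws:kms"}
                },
            },
        ],
    }


def _as_list(value) -> list:
    return value if isinstance(value, list) else [value]


def _condition_matches(condition: dict, ctx: dict) -> bool:
    """Evaluate the Bool and StringNotEquals operators against a request context."""
    for operator, pairs in condition.items():
        for key, wanted in pairs.items():
            actual = ctx.get(key)
            if operator == "Bool":
                if actual is None or str(actual).lower() != str(wanted).lower():
                    return False
            elif operator == "StringNotEquals":
                # Negated operators are satisfied when the key is absent from the
                # request, so an upload that simply omits the SSE header is denied.
                if actual is not None and actual == wanted:
                    return False
            else:
                raise ValueError(f"operator {operator} not supported by this evaluator")
    return True


def explicitly_denied(policy: dict, action: str, resource: str, ctx: dict) -> str | None:
    """Return the Sid of the first Deny statement that matches the request, else None."""
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Deny":
            continue
        if not any(fnmatchcase(action, a) for a in _as_list(stmt["Action"])):
            continue
        if not any(fnmatchcase(resource, r) for r in _as_list(stmt["Resource"])):
            continue
        if _condition_matches(stmt.get("Condition", {}), ctx):
            return stmt["Sid"]
    return None


if __name__ == "__main__":
    policy = tls_and_kms_only_policy()
    print(json.dumps(policy, indent=2))
    obj = f"{BUCKET_ARN}/pan-batch.json"
    print(explicitly_denied(policy, "s3:GetObject", obj, {"aws:SecureTransport": "false"}))
    print(explicitly_denied(policy, "s3:PutObject", obj, {"aws:SecureTransport": "true"}))
```

Pair the policy with the bucket's default encryption set to the CDE key, so that clients that never send the header still get KMS encryption rather than an error, and add a `s3:x-amz-server-side-encryption-aws-kms-key-id` condition if uploads must use one specific key rather than any KMS key the caller can reach.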

Cryptographic Key Protection
PCI DSS requires that the cryptographic keys protecting cardholder data are themselves protected, with documented key-management procedures (Requirements 3.5 and 3.6). Access to keys must be restricted to the fewest custodians necessary, keys must be of adequate strength, and their generation, distribution, storage, rotation, and retirement must follow documented, secure practices.

AWS Key Management Service (KMS) helps satisfy these requirements: keys are generated and used inside FIPS-validated hardware security modules and never leave them in plaintext, access is governed by key policies and IAM, every use is recorded in AWS CloudTrail, and automatic rotation can be enabled. KMS integrates with the AWS services that encrypt data at rest, and customers who need single-tenant HSMs under their own control can use AWS CloudHSM instead.
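The "limit access to keys" rule is enforced in the key policy. The following added example (not the author's or AWS's code; the account ID, role names and region are placeholders) builds a key policy that separates the key custodians, who manage the key's lifecycle, from the payment service, which may use the key but cannot change or delete it, and includes a check that no principal ends up able to both decrypt cardholder data and administer the key.

```python
"""KMS key policy for a cardholder-data key with separated custodian roles.

Added example for this article; not AWS's or the author's code. The account
ID, role names and region are placeholders.
"""
from __future__ import annotations

import json
from fnmatch import fnmatchcase

ACCOUNT = "111122223333"                                      # placeholder
KEY_ADMIN = f"arn:aws:iam::{ACCOUNT}:role/CdeKeyCustodian"    # placeholder role
KEY_USER = f"arn:aws:iam::{ACCOUNT}:role/CdePaymentService"   # placeholder role
REGION = "us-east-1"                                          # placeholder

# Custodians manage the key's lifecycle but are never granted Decrypt.
ADMIN_ACTIONS = [
    "kms:Create*", "kms:Describe*", "kms:Enable*", "kms:List*", "kms:Put*",
    "kms:Update*", "kms:Revoke*", "kms:Disable*", "kms:Get*", "kms:Delete*",
    "kms:TagResource", "kms:UntagResource",
    "kms:ScheduleKeyDeletion", "kms:CancelKeyDeletion",
]
# The payment service can use the key, only via S3 in one region, and cannot
# alter its policy or delete it.
USE_ACTIONS = [
    "kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*",
    "kms:GenerateDataKey*", "kms:DescribeKey",
]
MANAGEMENT_ACTIONS = ("kms:PutKeyPolicy", "kms:ScheduleKeyDeletion")


def cde_key_policy() -> dict:
    # No "account root may do kms:*" statement: IAM policies in the account
    # therefore cannot grant access to this key, only this policy can. The
    # trade-off is that if the custodian role is deleted the key becomes
    # unmanageable without AWS support, so protect that role accordingly.
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "AllowKeyAdministrationByCustodians",
                "Effect": "Allow",
                "Principal": {"AWS": KEY_ADMIN},
                "Action": ADMIN_ACTIONS,
                "Resource": "*",
            },
            {
                "Sid": "AllowKeyUseByPaymentService",
                "Effect": "Allow",
                "Principal": {"AWS": KEY_USER},
                "Action": USE_ACTIONS,
                "Resource": "*",
                "Condition": {
                    "StringEquals": {"kms:ViaService": f"s3.{REGION}.amazonaws.com"}
                },
            },
        ],
    }


def principals_allowed(policy: dict, action: str) -> set[str]:
    """Principals with an Allow statement whose Action matches `action` (conditions ignored)."""
    allowed: set[str] = set()
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Allow":
            continue
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        if any(fnmatchcase(action, pattern) for pattern in actions):
            principal = stmt["Principal"]
            arns = principal if isinstance(principal, str) else principal["AWS"]
            allowed.update(arns if isinstance(arns, list) else [arns])
    return allowed


def separation_violations(policy: dict) -> list[str]:
    """Principals that can both read cardholder data (Decrypt) and manage the key."""
    readers = principals_allowed(policy, "kms:Decrypt")
    managers: set[str] = set()
    for action in MANAGEMENT_ACTIONS:
        managers |= principals_allowed(policy, action)
    return sorted(readers & managers)


if __name__ == "__main__":
    policy = cde_key_policy()
    print(json.dumps(policy, indent=2))
    print("separation-of-duties violations:", separation_violations(policy))
```

The separation is a policy control, not a hard guarantee: the custodian role holds `kms:PutKeyPolicy` and could grant itself use, so alert on `PutKeyPolicy` and `ScheduleKeyDeletion` events in CloudTrail as the compensating detective control.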

VPCs
AWS lets customers place their databases and virtual servers in virtual private clouds (VPCs). A VPC is an isolated virtual network: until you attach an internet gateway, NAT gateway, VPN, Direct Connect link, or peering connection, nothing outside the VPC can reach it. That makes a dedicated VPC a natural boundary for the cardholder data environment, with the PCI-scoped subnets kept private and reached only through tightly controlled entry points.

This isolation protects the resources inside a VPC, but communication between VPCs is sometimes necessary. VPC peering creates a private, non-transitive connection between two VPCs, which can belong to the same or different AWS accounts and regions; traffic still has to be permitted by the route tables and security groups on both sides. Because a peering connection extends the CDE into whatever it is peered with, review the configuration regularly and ensure there are no unwanted peering connections, especially to VPCs in other AWS accounts.
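Both the firewall section above and the peering check just described come down to reviewing what AWS reports about the CDE's network. This added example (not the author's or AWS's code) audits security-group ingress rules for anything reachable from the Internet other than an approved port, and flags live peering connections that attach the CDE VPC to a VPC not on an allow list. The data is constructed to mirror the shape of `aws ec2 describe-security-groups` and `aws ec2 describe-vpc-peering-connections` output; the account IDs, VPC IDs, group IDs, and CIDRs are placeholders.

```python
"""Audit security-group ingress and VPC peering for a cardholder-data VPC.

Added example for this article; not AWS's or the author's code. The data
below is constructed to mirror the shape of `aws ec2 describe-security-groups`
and `aws ec2 describe-vpc-peering-connections` output; account IDs, VPC IDs,
group IDs and CIDRs are placeholders. In practice feed it the real output
(for example via boto3) and run it on a schedule.
"""
from __future__ import annotations

from ipaddress import ip_network

CDE_ACCOUNT = "111122223333"                       # placeholder
CDE_VPC = "vpc-0cde000000000001"                   # placeholder
# Peers the CDE may talk to: (owner account, VPC). Anything else is a finding.
APPROVED_PEERS = {(CDE_ACCOUNT, "vpc-0log000000000002")}  # central logging VPC
# Only TLS to the public web tier may be reachable from the Internet.
INTERNET_OK = {("tcp", 443)}

SECURITY_GROUPS = [  # constructed sample data
    {
        "GroupId": "sg-0web000000000001", "GroupName": "cde-web", "VpcId": CDE_VPC,
        "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [], "UserIdGroupPairs": []},
            {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [], "UserIdGroupPairs": []},
        ],
    },
    {
        "GroupId": "sg-0db0000000000002", "GroupName": "cde-db", "VpcId": CDE_VPC,
        "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432, "IpRanges": [],
             "Ipv6Ranges": [], "UserIdGroupPairs": [{"GroupId": "sg-0app000000000003"}]},
            {"IpProtocol": "-1", "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}],
             "UserIdGroupPairs": []},
        ],
    },
]

PEERING_CONNECTIONS = [  # constructed sample data
    {"VpcPeeringConnectionId": "pcx-0aaa000000000001", "Status": {"Code": "active"},
     "RequesterVpcInfo": {"OwnerId": CDE_ACCOUNT, "VpcId": CDE_VPC},
     "AccepterVpcInfo": {"OwnerId": CDE_ACCOUNT, "VpcId": "vpc-0log000000000002"}},
    {"VpcPeeringConnectionId": "pcx-0bbb000000000002", "Status": {"Code": "active"},
     "RequesterVpcInfo": {"OwnerId": "999988887777", "VpcId": "vpc-0ext000000000009"},
     "AccepterVpcInfo": {"OwnerId": CDE_ACCOUNT, "VpcId": CDE_VPC}},
    {"VpcPeeringConnectionId": "pcx-0ccc000000000003", "Status": {"Code": "deleted"},
     "RequesterVpcInfo": {"OwnerId": CDE_ACCOUNT, "VpcId": CDE_VPC},
     "AccepterVpcInfo": {"OwnerId": "999988887777", "VpcId": "vpc-0old000000000008"}},
]


def _is_anywhere(cidr: str) -> bool:
    """True for 0.0.0.0/0 or ::/0 (prefix length 0)."""
    return ip_network(cidr, strict=False).prefixlen == 0


def _port_range(rule: dict) -> tuple[int, int]:
    if rule["IpProtocol"] == "-1":          # all protocols, all ports
        return 0, 65535
    return rule["FromPort"], rule["ToPort"]


def audit_security_groups(groups: list[dict]) -> list[tuple[str, str, int, int]]:
    """Ingress rules open to the whole Internet that are not on the approved list."""
    findings = []
    for group in groups:
        for rule in group["IpPermissions"]:
            cidrs = [r["CidrIp"] for r in rule.get("IpRanges", [])] + \
                    [r["CidrIpv6"] for r in rule.get("Ipv6Ranges", [])]
            if not any(_is_anywhere(c) for c in cidrs):
                continue
            low, high = _port_range(rule)
            if low == high and (rule["IpProtocol"], low) in INTERNET_OK:
                continue
            findings.append((group["GroupId"], rule["IpProtocol"], low, high))
    return findings


def audit_peering(connections: list[dict]) -> list[tuple[str, str, str]]:
    """Active peering connections that attach the CDE VPC to an unapproved VPC."""
    findings = []
    for conn in connections:
        if conn["Status"]["Code"] != "active":
            continue
        ends = (conn["RequesterVpcInfo"], conn["AccepterVpcInfo"])
        for this, other in (ends, ends[::-1]):
            if this["VpcId"] != CDE_VPC or this["OwnerId"] != CDE_ACCOUNT:
                continue
            peer = (other["OwnerId"], other["VpcId"])
            if peer not in APPROVED_PEERS:
                findings.append((conn["VpcPeeringConnectionId"], *peer))
    return findings


if __name__ == "__main__":
    for finding in audit_security_groups(SECURITY_GROUPS):
        print("open to Internet:", finding)
    for finding in audit_peering(PEERING_CONNECTIONS):
        print("unapproved peer:", finding)
```

On the sample data the audit reports the SSH rule on the web tier, the all-protocols IPv6 rule on the database group, and the active peering to the foreign account, while ignoring the already deleted connection. The same approach extends to NACL entries, route tables, and transit gateway attachments, which is what an assessor will ask you to demonstrate for Requirement 1.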

AWS Organizations and the Management Account
AWS Organizations lets you group and manage several accounts from a single control point, the management account (formerly called the master account). Consolidating management this way is convenient, but it has consequences for PCI scope.

Accounts in an organization are isolated from one another by default, but that isolation is not absolute: cross-account IAM roles, resource policies, and VPC peering can bridge them, and the management account can usually assume an administrative role in every member account. Run no workloads in the management account, keep the cardholder data environment in its own dedicated account (or organizational unit), restrict what that account can do with service control policies (SCPs), and treat access to the management account itself as privileged access that falls within PCI scope.

PCI Compliance Tools
AWS offers several services that help. Amazon GuardDuty continuously analyzes CloudTrail events, VPC Flow Logs, and DNS logs for indications of malicious activity or compromise, which supports the monitoring and intrusion-detection obligations of Requirements 10 and 11 for the accounts that hold payment card and cardholder data.

Amazon Inspector is a vulnerability management service: it scans EC2 instances, container images in Amazon ECR, and Lambda functions for known software vulnerabilities and unintended network exposure, which maps to the vulnerability-scanning obligations of Requirements 6 and 11. It does not replace the quarterly external scans that must be performed by a PCI-approved scanning vendor (ASV). For configuration checks, AWS Config and AWS Security Hub evaluate account and resource settings against rules; Security Hub includes a PCI DSS standard whose controls flag common compliance failures, so changes to the network or account configuration are checked against PCI requirements continuously rather than only at assessment time.

Alongside the paid GuardDuty and Inspector services, AWS Artifact is free and serves a different purpose: it is the portal from which you download AWS's own compliance documents, including its PCI DSS Attestation of Compliance and SOC reports. Those documents cover AWS's side of the shared responsibility model and are what you hand your assessor as evidence that the underlying platform is compliant; the controls you configure yourself still need their own evidence.

Conclusion

In this article, I explained the basics of PCI compliance and showed 6 steps for complying with PCI requirements in the Amazon cloud:

  • Establishing firewalls and other network security controls
  • Enabling data encryption at rest and in transit
  • Setting up cryptographic key protection
  • Defining virtual private clouds (VPCs) with appropriate security groups and reviewed peering
  • Isolating the cardholder data environment in a dedicated account within an AWS Organization
  • Leveraging compliance tools provided by Amazon or third parties

I hope this will be useful as you plan your cloud compliance strategy.
