PCI DSS 4.0 Compliance on AWS
Learn how businesses can handle data storage and processing on AWS while upholding PCI compliance standards.
The Payment Card Industry Data Security Standard (PCI DSS) is a set of information security requirements that merchants and service providers must follow when storing, processing, or transmitting cardholder data. The latest update, PCI DSS 4.0, introduces 300+ security controls grouped into 12 requirement sections that cover various security aspects, including those applicable to cloud infrastructure such as Amazon Web Services (AWS). For organizations using AWS to handle credit card data, ensuring PCI DSS compliance of their cloud infrastructure is imperative. However, achieving and maintaining PCI compliance on AWS takes more than simply entrusting sensitive data to a PCI-compliant AWS service. Amazon emphasizes, “It is the customer’s responsibility to maintain their PCI DSS cardholder data environment (CDE) and scope, and be able to demonstrate compliance of all controls.” Thus, customers have much to do to achieve PCI DSS compliance on AWS. This article delves into the implications of AWS PCI compliance, exploring how businesses can handle data storage and processing on AWS while upholding PCI DSS compliance standards.
PCI DSS Compliance Status of AWS Services
AWS holds PCI Service Provider Level 1 compliance, the highest of the four tiers of PCI compliance. This designation indicates that AWS has undergone a thorough audit conducted by a Qualified Security Assessor (QSA) and has been officially certified as compliant. The majority of Amazon’s cloud services are listed as PCI-compliant AWS services, including
- Amazon Simple Storage Service (S3),
- Amazon Elastic Compute Cloud (EC2),
- Amazon Elastic Block Store (EBS),
- Amazon Lambda.
A complete list of PCI-compliant AWS services is available at AWS Services in Scope by Compliance Program. Yet, being listed in the PCI DSS scope does not make a service compliant out of the box. Amazon’s compliance guidelines make clear, “AWS Services listed as PCI DSS compliant means that they can be configured by customers to meet their PCI DSS requirements. It does not mean that any use of that service is automatically compliant.” Customers are responsible for properly configuring these services by implementing the applicable controls and tools to secure cardholder data. For example, Amazon S3 is positioned as a secure and PCI-compliant object storage service. When S3 is properly configured, an AWS customer can store cardholder data on S3 while upholding PCI compliance. Nevertheless, S3 can be configured insecurely. This might happen, for example, if a permission policy allows public access to the data stored in a bucket. In this scenario, while the service itself remains PCI compliant, the customer's implementation, as well as any system employing that implementation, would not be considered PCI DSS compliant.
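The S3 misconfiguration described above can be caught before data ever lands in the bucket. The following is an added example, not code from the original article or from AWS: it takes a bucket policy document and the bucket's Block Public Access settings (the four real S3 flags BlockPublicAcls, IgnorePublicAcls, BlockPublicPolicy and RestrictPublicBuckets) and reports whether anyone on the internet is granted access. The two policies, the bucket name and the role ARN are constructed placeholders; treating any Condition element as a restricting one is a stated simplification.

```python
import json

# Constructed example: the insecure configuration, a policy that lets anyone read
# every object in the bucket. Bucket and account identifiers are placeholders.
PUBLIC_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "PublicRead",
            "Effect": "Allow",
            "Principal": "*",
            "Action": ["s3:GetObject"],
            "Resource": "arn:aws:s3:::example-cde-bucket/*",
        }
    ],
}

# Constructed example: the same grant restricted to a single IAM role.
RESTRICTED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "PaymentServiceRead",
            "Effect": "Allow",
            "Principal": {"AWS": "arn:aws:iam::111122223333:role/payment-service"},
            "Action": ["s3:GetObject"],
            "Resource": "arn:aws:s3:::example-cde-bucket/*",
        }
    ],
}

# The four S3 Block Public Access settings; all must be on to stop public ACLs
# and public bucket policies from taking effect.
REQUIRED_PUBLIC_ACCESS_BLOCK = (
    "BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets",
)


def _principal_is_anonymous(principal):
    """True when the Principal element is the wildcard '*' (every AWS principal)."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        if isinstance(aws, str):
            aws = [aws]
        return "*" in aws
    return False


def statement_is_public(statement):
    """An Allow statement with an anonymous principal and no Condition is public.
    Simplification: any Condition is treated as restricting the grant; a real
    review must inspect the condition keys themselves."""
    return (
        statement.get("Effect") == "Allow"
        and _principal_is_anonymous(statement.get("Principal"))
        and not statement.get("Condition")
    )


def public_statement_ids(policy):
    """Return the Sid (or index) of every statement that grants public access."""
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):
        statements = [statements]
    return [
        s.get("Sid", f"statement[{i}]")
        for i, s in enumerate(statements)
        if statement_is_public(s)
    ]


def public_access_block_is_enforced(config):
    return all(config.get(flag) is True for flag in REQUIRED_PUBLIC_ACCESS_BLOCK)


def review_bucket(policy, public_access_block):
    """Return findings for one bucket; an empty list means no public-exposure issue found."""
    if isinstance(policy, str):
        policy = json.loads(policy)
    findings = []
    for sid in public_statement_ids(policy):
        findings.append(f"bucket policy statement '{sid}' grants access to everyone")
    if not public_access_block_is_enforced(public_access_block):
        missing = [f for f in REQUIRED_PUBLIC_ACCESS_BLOCK if public_access_block.get(f) is not True]
        findings.append("Block Public Access not fully enabled: " + ", ".join(missing))
    return findings


if __name__ == "__main__":
    print(review_bucket(PUBLIC_POLICY, {"BlockPublicAcls": True}))
    print(review_bucket(RESTRICTED_POLICY, dict.fromkeys(REQUIRED_PUBLIC_ACCESS_BLOCK, True)))
```

In practice the policy document and the Block Public Access configuration would come from the S3 API for each bucket in the CDE; the check above is deliberately offline so it can run in a CI pipeline against infrastructure-as-code before deployment.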
AWS Shared Responsibility Model and PCI Compliance
Security and compliance are a shared responsibility between AWS and the customer. According to AWS’s shared responsibility model, the cloud provider is responsible for the security and compliance of the Cloud. Customers, on the other hand, are responsible for security in the Cloud: the customer-configured systems and services launched on AWS. The extent of customer responsibility for compliant configuration depends on the specific AWS Cloud services the customer chooses. For example, on EC2, the customer is responsible for securing the operating system and the services they run on virtual servers. On S3, they are responsible for the aspects of the service that are user-configurable. Therefore, PCI DSS compliance on AWS is always the customer’s responsibility. Amazon can make compliance easier by offering built-in security solutions and configurable options in its services. However, if cardholder data is exposed or misused due to improper configuration of these services, it is the customer who faces penalties and the revocation of their ability to process credit card payments.
Customer PCI DSS scope
Before diving deeper into AWS security solutions for PCI DSS compliance, let’s see what the customer’s PCI DSS scope within AWS is. In the cloud, PCI DSS requirements apply to three sets of resources:
- System components that themselves store, process, or transmit account data. These form the core of the CDE, including physical and virtual network devices that transmit cardholder data, computing resources involved in processing payments or account data, and storage systems and services that retain account data.
- System components connected to that first set of resources. These could be servers or containers with unrestricted network connectivity to the CDE, and could also include tools such as monitoring systems.
- System components that could impact the security of the CDE. These include tools or services that directly or indirectly satisfy a PCI DSS requirement, such as encryption, code repositories, intrusion detection, audit logging, and authentication.
It is important to note that the customer’s PCI DSS scope may extend beyond its AWS environment. Customers may have systems that are part of their PCI DSS environment but are not on AWS, and for these they retain the responsibility of meeting all applicable PCI DSS requirements. Such systems and locations can include retail locations, mobile devices, administrative systems in offices, or on-premises systems.
How to Achieve PCI Compliance on AWS
The scope of a customer’s cardholder data environment, along with the cloud infrastructure, services and software in use and the processes the company supports with AWS services, all affect how PCI DSS compliance is achieved in the AWS cloud. To develop and maintain a PCI-compliant cardholder data environment, AWS customers must ensure that all connected infrastructure adheres to the relevant PCI requirements. Covering all applicable PCI DSS requirements for the AWS cloud in one blog post is hardly possible, so let’s take a look at common examples of how to create PCI-compliant infrastructure in AWS:
PCI DSS Firewall Controls
PCI DSS Requirement 1.1.4 requires businesses to implement a firewall at each internet connection and the internal network zone. Amazon provides two main PCI-compliant firewall options: Security Groups and Network Access Control Lists (NACLs). The distribution of responsibilities between AWS and users is evident in the case of firewalls. While AWS provides firewall services to assist customers in meeting PCI DSS requirements, it is the user's responsibility to configure and oversee the firewalls compliantly. Additionally, AWS offers AWS Firewall Manager, which streamlines and centralizes firewall management for environments within AWS.
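Because configuring the firewall compliantly is the customer's job, it helps to audit Security Group rules automatically. The following is an added example, not code from the original article or from AWS: it walks rules in the shape the EC2 DescribeSecurityGroups API returns (IpPermissions with IpRanges and Ipv6Ranges) and flags any rule that exposes an administrative or database port, or all traffic, to the whole internet. The two security groups, their IDs and CIDRs, and the list of ports treated as administrative are all constructed for the example.

```python
import ipaddress

# Constructed sample in the DescribeSecurityGroups shape; group IDs and CIDRs are made up.
SECURITY_GROUPS = [
    {
        "GroupId": "sg-0000000000000001",
        "GroupName": "web-tier",
        "IpPermissions": [
            # HTTPS from anywhere is the intended public entry point.
            {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
            # SSH from anywhere is the kind of rule an assessor will flag.
            {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
        ],
    },
    {
        "GroupId": "sg-0000000000000002",
        "GroupName": "db-tier",
        "IpPermissions": [
            # All traffic, but only from the private address space: not internet-exposed.
            {"IpProtocol": "-1",
             "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": []},
            {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
             "IpRanges": [{"CidrIp": "10.0.1.0/24"}], "Ipv6Ranges": []},
        ],
    },
]

# Constructed list of ports that should never be reachable from the internet.
ADMIN_PORTS = {22: "SSH", 3389: "RDP", 3306: "MySQL", 5432: "PostgreSQL"}


def is_world_open(cidr):
    """A /0 prefix (IPv4 or IPv6) means every address on the internet."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0


def rule_sources(rule):
    """Collect IPv4 and IPv6 source ranges of one ingress rule."""
    return ([r["CidrIp"] for r in rule.get("IpRanges", [])]
            + [r["CidrIpv6"] for r in rule.get("Ipv6Ranges", [])])


def audit_rule(group_id, rule):
    """Return (group_id, port, message) findings for one ingress rule."""
    world = [src for src in rule_sources(rule) if is_world_open(src)]
    if not world:
        return []
    if rule.get("IpProtocol") == "-1":  # all protocols and ports
        return [(group_id, "ALL", f"all traffic open to the internet ({', '.join(world)})")]
    lo, hi = rule["FromPort"], rule["ToPort"]
    return [
        (group_id, port, f"{name} open to the internet ({', '.join(world)})")
        for port, name in ADMIN_PORTS.items()
        if lo <= port <= hi
    ]


def audit_security_groups(groups):
    findings = []
    for group in groups:
        for rule in group.get("IpPermissions", []):
            findings.extend(audit_rule(group["GroupId"], rule))
    return findings


if __name__ == "__main__":
    for finding in audit_security_groups(SECURITY_GROUPS):
        print(finding)
```

Only the SSH rule in the web tier is reported: HTTPS from anywhere is an expected public service, and the database tier's all-traffic rule is limited to private address space. The same logic applies to NACL entries, which carry a CidrBlock and a PortRange instead.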
PCI DSS System Components Security
PCI DSS Requirement 2.2 requires customers to change vendor-supplied defaults in any third-party software and code incorporated into their AWS environments. For example, AWS customers are responsible for configuring operating-system-level access to EC2 instances and their configurations. PCI DSS Requirement 2.2.7 requires customers to use encrypted connections for non-console management. AWS resource management is considered non-console for this requirement and must use encrypted connections, such as SSH, HTTPS, or VPN. This includes using the AWS Management Console to manage resources. Customers bear the responsibility of safeguarding these administrative connections for the resources deployed in AWS. For instance, if a customer deploys a third-party application to EC2, they must guarantee that unencrypted protocols, such as HTTP or FTP, are not used for administrative functions.
Strong Encryption of Data at Rest and in Motion
PCI DSS Requirements 3 and 4 address cardholder data protection, including data encryption at rest and in transit. For this, PCI requires rendering data unreadable anywhere it is stored and using strong cryptography to safeguard sensitive cardholder data during transmission over open networks. Businesses must encrypt cardholder data in transit and at rest with strong, modern cryptographic technology. AWS makes this relatively straightforward. Most storage services offer encryption at rest, including databases, storage services, and caching services. Users must ensure that they implement suitable cryptographic protection when data is transmitted between CDE components or outside of the CDE. PCI DSS Requirement 3.5 and Requirement 3.6 include several key management requirements, including generating strong cryptographic keys and implementing processes to store and distribute them securely. To help businesses comply with these requirements, AWS provides the AWS Key Management Service (AWS KMS). AWS KMS is a key management service that can generate, store, and control encryption keys. It integrates with many other AWS services that encrypt data, making it easier to comply with PCI DSS encryption and key management requirements.
Anti-Malware Protection
AWS is responsible for anti-virus and anti-malware protection of the underlying resources for AWS-managed services such as Amazon RDS or Amazon ECS. Customers are responsible for configuring and running appropriate anti-malware software on any applicable EC2, container, or other compute instance for which they manage the underlying operating system.
Secure Software Development
PCI DSS Requirement 6.2 is related to secure software development. Under this requirement, AWS is responsible for the secure development of AWS services and features. Customers are responsible for their own application development and personnel training. It is the customers’ responsibility to ensure that proper testing, validation, and approval occur, whether manual or automated, at each stage of the software development lifecycle. PCI DSS Requirement 6.3.1 requires customers to identify security vulnerabilities and assign a risk ranking to newly discovered security vulnerabilities. Amazon Inspector is an automated security assessment service that helps improve the security and compliance of applications deployed on AWS and can assist with identifying them. Amazon Elastic Container Registry (ECR) offers image scanning to help identify software vulnerabilities in container images. AWS publishes security bulletins to notify customers of important security events. You can also find many turnkey solutions in the AWS Marketplace, from industry-recognized vendors such as Rapid7, Qualys, and Tenable. PCI DSS Requirement 6.3.3 requires customers to patch systems and applications they deploy on EC2 instances and containers. Offerings from the AWS Marketplace may also require patching. You can use Systems Manager Patch Manager to automate the maintenance and deployment of patches and updates to your EC2 instances.
PCI DSS Access Management
PCI DSS 4.0 password requirements are outlined in Requirements 7 and 8. Customers are responsible for the access management policy within their AWS infrastructure. For this, AWS offers Identity and Access Management (IAM) to grant access to users and services within their AWS accounts. To comply with PCI DSS, customers must follow the principle of least privilege and enable multi-factor authentication (MFA) for AWS Management Console access. You can use service control policies to make sure the AWS accounts stay within your organization’s access control guidelines.
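Enabling MFA for console users is only half of the control; the policy attached to the identity has to deny requests that were not authenticated with MFA, otherwise a long-term access key bypasses it. The following is an added example, not code from the original article or from AWS: it shows the widely used policy pattern that combines a least-privilege Allow with a Deny conditioned on the real IAM condition key aws:MultiFactorAuthPresent, and a small evaluator (a simplification of IAM's real logic, handling only Bool/BoolIfExists conditions and action matching) that demonstrates why BoolIfExists is used: the Deny must fire when the key is absent from the request context, not just when it is false. The policy itself is constructed for the example.

```python
from fnmatch import fnmatch

# Constructed example: least-privilege read access to CloudTrail for an auditor,
# plus a Deny on everything whenever the request was not authenticated with MFA.
MFA_REQUIRED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowAuditRead",
            "Effect": "Allow",
            "Action": ["cloudtrail:LookupEvents", "cloudtrail:Describe*"],
            "Resource": "*",
        },
        {
            "Sid": "DenyAllWithoutMFA",
            "Effect": "Deny",
            "Action": "*",
            "Resource": "*",
            # BoolIfExists: the condition is also satisfied when the key is missing,
            # which is the case for requests signed with long-term access keys.
            "Condition": {"BoolIfExists": {"aws:MultiFactorAuthPresent": "false"}},
        },
    ],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _condition_matches(condition, context):
    """Evaluate Bool / BoolIfExists conditions against the request context.
    Simplification: any other operator is treated as not matching."""
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            actual = context.get(key)
            if operator == "BoolIfExists" and actual is None:
                continue  # key absent from the request: this test is satisfied
            if operator in ("Bool", "BoolIfExists"):
                if actual is None or str(actual).lower() != str(expected).lower():
                    return False
            else:
                return False
    return True


def _statement_applies(statement, action, context):
    patterns = _as_list(statement.get("Action", []))
    if not any(fnmatch(action, pattern) for pattern in patterns):
        return False
    return _condition_matches(statement.get("Condition", {}), context)


def evaluate(policy, action, context):
    """IAM decision order: an explicit Deny wins over any Allow; with no matching
    Allow the request is implicitly denied."""
    decision = "ImplicitDeny"
    for statement in policy["Statement"]:
        if not _statement_applies(statement, action, context):
            continue
        if statement["Effect"] == "Deny":
            return "Deny"
        decision = "Allow"
    return decision


if __name__ == "__main__":
    # Console session with MFA, a session without MFA, and an access-key request
    # whose context carries no MFA key at all.
    for ctx in ({"aws:MultiFactorAuthPresent": "true"},
                {"aws:MultiFactorAuthPresent": "false"},
                {}):
        print(ctx, evaluate(MFA_REQUIRED_POLICY, "cloudtrail:LookupEvents", ctx))
```

Had the Deny used plain Bool instead of BoolIfExists, the third request (no MFA key in the context) would not match the Deny and would be allowed by the first statement; that is the gap the pattern closes. An action outside the Allow statement, such as s3:GetObject, is implicitly denied even with MFA, which is the least-privilege half of the control.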
PCI DSS Physical Security
AWS manages the physical infrastructure for the hosted environments, and physical security requirements are inherited from the AWS global infrastructure. Customers are responsible for the physical security and data classification of media that is exported or transferred out of the AWS environment. However, the physical security of data stored within AWS is not the customer's responsibility. Under PCI DSS Requirement 9.5, customers are responsible for the physical security and management of physical payment devices used to connect to resources provisioned in the AWS Cloud. Customers are also responsible for the security of any physical locations in which they store, process, or transmit account data. These might include corporate offices, call centers, or retail locations.
Audit Logs
PCI DSS Requirement 10 requires implementing audit logs to ensure data integrity. Customers can use AWS CloudTrail, which provides an event history of AWS account API activity, including actions taken through the AWS Management Console, AWS SDKs, and command line tools. Customers can also install the CloudWatch agent on EC2 instances to collect additional system-level metrics; it can be used to send logs from an operating system to the CloudWatch Logs service for retention. Customers should restrict CloudTrail access using fine-grained IAM policies and allow only specific information security personnel access to audit trails. Both services also support versioning, lifecycle policies, and deny-delete capabilities to protect log data.
Become PCI DSS Compliant with Planet 9
Thus, achieving PCI-compliant infrastructure on AWS is much less complex than on self-managed servers. This is partially due to built-in AWS offerings that help achieve and maintain compliance. However, being less complex doesn’t mean easy. Businesses often face challenges configuring, managing, and integrating AWS cloud services in a way that maintains compliance. Planet 9 professionals can help you become and remain PCI compliant. Depending on your company’s size and volume of annual credit card transactions, we can, among other things:
- evaluate the ‘security maturity’ of your organization to establish a baseline;
- based on the security maturity and validation requirements, prepare a plan to raise the organizational maturity;
- develop a roadmap for mitigating the identified compliance gaps and risks, and then assist the client in executing the roadmap;
- prepare and share the requirements and steps needed to complete the required compliance activities.
Book a free consultation today to explore how Planet 9 can help you achieve your security and compliance goals. We’ll be happy to assist!