If your organization processes credit or debit card payments, PCI compliance is essential. If you are a merchant of any size accepting credit cards, you must be in compliance with the PCI Security Standards. In this post, I'm going to walk you through what you need to know about AWS PCI compliance to ensure compliance in the cloud.

AWS PCI Compliance means that Amazon Web Services (AWS) is Payment Card Industry (PCI) compliant. PCI applies to all companies that process, transmit, or store cardholder (or sensitive) data of service providers, merchants, processors, or issuers. Since AWS is PCI DSS compliant, any organization that uses AWS products and services to process, transmit, or store cardholder data may rely on the AWS technology infrastructure to obtain and maintain its own PCI certification.

What are the PCI DSS Requirements?

The twelve primary PCI DSS requirements can be broadly classified under these six areas:
How Do Companies Comply With PCI DSS?

Different companies may take different approaches to obtaining and renewing their PCI DSS compliance annually. The Self-Assessment Questionnaire (SAQ) is designed as a self-validation tool for assessing the security of cardholder data and is best suited to small merchants and service providers. Companies with a larger transaction volume might appoint an external Qualified Security Assessor (QSA) to assess their systems and subsequently produce a Report on Compliance (ROC) and an Attestation of Compliance (AOC).

Which AWS Services are PCI DSS Compliant?

AWS offers PCI DSS compliant services, which give organizations more service options, functionality, and flexibility to store and process sensitive cardholder data. These services are audited by Coalfire, providing companies with securely monitored and up-to-date testing. A complete list of the AWS PCI DSS compliant services is available here.

How Does AWS Work?

AWS is a PCI-compliant Level 1 Service Provider. Companies can therefore run cardholder data environments on AWS, but only in the context of a shared responsibility model: AWS customers share the responsibility for PCI compliance, since AWS's attestation covers the underlying infrastructure while the customer remains responsible for the compliance of what they deploy and configure on top of it. Because AWS is a PCI-compliant service provider, organizations using AWS do not need to assess the AWS infrastructure themselves. An assessor can validate the compliance of the AWS infrastructure simply by reviewing AWS's Attestation of Compliance (AOC) and Responsibility Matrix documents. AWS offers various compliance aids, including the following:

Compliance Enablers
Compliance Workbook

The Compliance Workbook details the AWS service techniques and methodologies for effectively deploying PCI compliance capabilities. It provides three sample reference architectures that detail the most commonly used PCI-compliant environments:
Compliance Programs

Featured compliance services offered by AWS include a series of Quick Starts. The PCI Standardized Architecture on the AWS Cloud is one such Quick Start and the second in a set of AWS Compliance offerings. This Quick Start outlines how to deploy an environment that helps companies come on board with PCI DSS compliance with ease. It includes AWS CloudFormation templates that configure the environment and automate the deployment, together with security controls and step-by-step instruction guides.

Final Words . . .

Organizations need layered defenses; they cannot rely solely on AWS for security. While AWS is PCI-compliant, that doesn't negate the need for companies to take their own security measures to protect sensitive data. However, a PCI-compliant cloud is an essential foundation for ensuring compliance. If you're interested in learning how the Threat Stack Cloud Security Platform® can strengthen your organization's security posture and help you meet PCI requirements as well as those of other regulatory frameworks, contact us for a demo.
Which AWS service can be used to help generate the documentation required by various compliance standards?

Get on-demand access to more than 2,500 security controls by using AWS Artifact, our automated compliance reporting tool available in the AWS Management Console.
Which AWS service provides you with Service Organization Control (SOC) and Payment Card Industry (PCI) reports?

Reports available in AWS Artifact include our Service Organization Control (SOC) reports, Payment Card Industry (PCI) reports, and certifications from accreditation bodies across geographies and compliance verticals that validate the implementation and operating effectiveness of AWS security controls.
Which AWS service can be used to meet compliance requirements?

AWS KMS is integrated with AWS CloudTrail to provide you with logs of all key usage to help meet your regulatory and compliance needs.