The problem of regulatory PCI compliance in public cloud such as AWS applies more to small and medium size companies than enterprises. For example, if you are a Bank or financial institution then you can spend sizable sum on assessing yourself for PCI compliance and work with leading auditing firm to achieve the same. However it becomes challenging for small companies running payment applications or infrastructure on foundation services such as EC2 (Elastic Cloud Compute) and S3 (Simple Storage Service). AWS clearly states that you can get a completely PCI compliant infrastructure on EC2 and there are number of customers using AWS infrastructure services who are PCI/PA compliant. Security and compliance is a shared responsibility between AWS and service provider/customers.
For customers pursuing PCI certification, upon request, AWS provides a PCI Compliance Package (basis request under NDA with client), the package includes authoritative compliance documentation from the AWS QSA. This includes the QSA’s Attestation of Compliance document and AWS PCI DSS Controls Responsibility Summary, also published by the QSA. There are number of customers who have successfully achieved PCI certification for their payment application and infrastructure environments on AWS cloud. AWS does not disclose the customers who have achieved PCI certification, but does regularly work with customers and their PCI assessors in planning for, deploying, certifying, and performing quarterly scanning of a cardholder environment on AWS.
Requirements of PCI DSS:
- Build and maintain a secure network
- Secure cardholder data (transit and storage)
- Maintain a vulnerability management program
- Implement access control measures
- Monitoring and testing
- Maintain information security policy
Security and compliance is a shared responsibility between AWS and application service provider. What you control is operating system, application, security groups, anti-virus, account management and storage encryption and through these controls you need ensure strong network access controls, hardening of operating system and application stack, authentication and access management, vulnerability, patch and anti-virus management, monitoring, change management, logging and testing.
AWS provides foundation services compute, storage, database and networking for your application. In the PCI part they address the part of physical and virtualized infrastructure, secure facilities, physical environment needed to run secured and compliant applications.
You can visit AWS Security and Compliance center which provides valuable information on various security and compliances https://aws.amazon.com/security/.
