Payment Card Industry (PCI) compliance is an imperative aspect of business security, and it is essential to understand if Amazon Web Services (AWS) is PCI compliant if you are operating your organization in the cloud. If your business accepts payment through credit cards or retains credit card information, no matter the size or frequency of transactions, it is imperative that your business ensures cardholder data is secure and protected.

What is Payment Card Industry (PCI) Compliance?

The PCI Security Standards Council was established in 2006 by the five major credit card companies: American Express, Visa Inc., JCB International, MasterCard Worldwide, and Discover Financial Services. The goal of PCI was to regulate the credit card industry by standardizing practices to improve credit card security. The council developed a series of standards called the Payment Card Industry Data Security Standards (PCI DSS) to make sure customer data is secured systematically across the industry. The primary goal of the PCI DSS is to reduce data breaches that affect consumers and banks.

There are six requirements for PCI DSS compliance. The most important is that a secure network is built and maintained, meaning a firewall is utilized to protect data. About 75% of companies investigated following a data breach had not installed or maintained firewall configuration. Secondly, cardholder data must be protected through encryption on public networks. Next, a vulnerability management system must be managed through the installation of antivirus programs that defend against malware.

Additionally, access control measures must be implemented by requiring identity authentication and restricted access to secure cardholder data. Networks also need to be monitored and tested frequently and thoroughly. Finally, an information security policy that documents procedures to be followed by personnel must always be maintained to ensure all data is handled securely.

The PCI Security Standards Council mandates that any company that processes, transmits, or stores credit card information need to be PCI DSS compliant. If a data breach was to occur and a company was not PCI compliant, the company could be fined by the PCI Security Standards Council up to $100,000 in monthly fees. Also, banks have the right to terminate their relationship with you or raise transaction fees if you are not in PCI DSS compliance. It is estimated that about 80% of business are not yet PCI compliant.

Noncompliance causes your business and secure information to be more vulnerable to data breaches and attacks. Ensuring that your business is PCI compliant, ultimately lessens your liability in the case of a data breach. Technically, there is no such thing as PCI certification. It falls under the responsibility of companies to prove that they meet PCI compliance.

Is Amazon Web Services (AWS) PCI compliant?

So, you might be wondering: Is Amazon Web Services PCI compliant? The short answer is yes - but through a shared responsibility model.

The AWS cloud service states that cloud security is of the utmost importance. AWS has many safeguards in place to keep private information secure for users. AWS is certified as a PCI DSS Level 1 Service Provider, which is the highest level of appraisal. The assessment was carried out by Coalfire Systems Inc., an independent Qualified Security Assessor. A reputable assessor can also view AWS’ Attestation of Compliance and Responsibility Matrix for more information on PCI compliance. Customers utilizing AWS products and services can rely on AWS’ technology infrastructure while managing their PCI DSS certification of compliance.

The aforementioned means that companies can trust that AWS is doing their share to meet PCI DSS compliance; however, AWS users must partake in this responsibility by making sure they are also PCI compliant. While customers do not need to assess AWS infrastructure for compliance, it is imperative they assess their in-house infrastructure for compliance.

AWS offers several compliance enablers such as Amazon Guard Duty, AWS Artifact, and Amazon Inspector. Amazon Guard Duty is a threat detection service that detects, monitors, and reports unauthorized activity or possible threats. AWS Artifact is an audit and compliance portal that provides users with access to PCI reports, non-disclosure agreements, and other certifications. Lastly, Amazon Inspector is a service that detects if applications run on AWS are susceptible to security breaches and produces a prioritized list of security findings. AWS compliance enablers such as these can help AWS users ensure their PCI compliance.

AWS provides an architecture that is dedicated, segmented, and connected, which all support PCI compliance capability. A compliant cloud lays the foundation for PCI compliance. Companies need multi-tiered systems of defense and thus cannot solely rely on AWS for security. While AWS is PCI compliant, organizations need to work diligently to protect their data and meet PCI DSS compliance.

If you are looking to ensure that your Amazon EC2 instance has the proper data protection and is fully PCI DSS 3.2 compliant, Vandis managed service and compliance offerings can ensure a compliant service in the cloud, and introduces tools such as advanced security controls. Reach out to Vandis for more information on moving forward.