Achieving PCI Compliance on AWS is More Involved than you Think

Some of our potential clients think that simply putting their applications and/or data on a cloud service like Amazon Web Services (AWS) is enough to become PCI compliant, but it’s actually more involved.

While AWS has done what it can to make its platform meet PCI requirements, hosting on the AWS cloud is only the first step toward fulfilling the PCI DSS (Payment Card Industry Data Security Standard).

Compliant hosting is one part of the complete process of securing your application and data. There are parts of this process that you will have to do yourself no matter which provider you choose.

Furthermore, there are certain AWS services you’ll want to use to make sure that your setup is PCI compliant.

The good news is that after helping many clients with getting set up on AWS (and other clouds), we’ve learned how to help our clients secure an application.

We know how using AWS fits in the overall picture of becoming secure and following PCI rules. In this article, we’re going to share our experiences so you pick the best options to achieve AWS PCI compliance.

Note: Our product, Armor Anywhere, can help secure any type of public or private server. That means you can have PCI compliant hosting with less work. If you want to find out how much Armor costs, click here. Or if you want to learn more about our compliance solutions, click here.

PCI Compliance Is More Than Just Using AWS

In order to be PCI compliant, your application and your overall business need to fulfill several criteria. Here are the twelve general PCI DSS requirements:

  1. Have a firewall in place
  2. Do not use vendor-supplied defaults for system passwords
  3. Protect any and all cardholder data
  4. Encrypt transmission of cardholder data across open networks
  5. Regularly update anti-virus software
  6. Develop and maintain secure systems
  7. Restrict access to cardholder data so only relevant employees have access
  8. Create a unique ID for each person with access
  9. Restrict physical access to servers with data
  10. Track and monitor all access to cardholder data
  11. Regularly test security systems and processes
  12. Maintain a security policy for all employees

You can see that only some of these criteria are solved by hosting with AWS. For example, restricting physical access to servers is immediately solved by AWS (as Amazon already restricts which employees can physically access servers).

But, some of these requirements have little to do with hosting. For example, having a security policy and testing your security processes have more to do with how your business is run than with the hosting provider you use.

Other requirements (like access monitoring) can be solved using AWS, but doing so requires you to use the proper tools and settings.

Specific Measures on Using AWS to Help Achieve PCI Compliance

Here are just some of the AWS security controls you need to put in place to make sure your cloud environment is PCI compliant:

  • Encrypt all databases, usually by enabling encryption on Amazon Relational Database Service (Amazon RDS)
  • Set up malware protection
  • Create a log collection and management system
  • Use AWS Identity and Access Management (IAM) to configure employee access
  • Set up Amazon VPC security groups to configure access controls to Amazon EC2 instances
  • Use AWS CloudTrail to log and monitor relevant events in your setup
  • Use Amazon GuardDuty for continuous threat detection and monitoring
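To make the list above concrete, here is an added example (not code from the original article or from Armor) that audits an account inventory against four of those controls: RDS storage encryption and public exposure, VPC security groups open to the internet, a multi-region CloudTrail with log file validation, and an enabled GuardDuty detector. The inventory dictionaries mirror the field names of the boto3 responses for describe_db_instances, describe_security_groups, describe_trails and get_detector, but the data is constructed sample data and no AWS call is made; the resource names, the rule that only port 443 may be exposed publicly, and the finding labels are assumptions made for this example.

```python
"""Offline audit of a constructed AWS inventory against four PCI-relevant controls.

The inventory mirrors the shape of boto3 responses (describe_db_instances,
describe_security_groups, describe_trails, get_detector) but is constructed
sample data; nothing here talks to AWS. Resource identifiers are hypothetical.
"""
from dataclasses import dataclass

WORLD = {"0.0.0.0/0", "::/0"}          # CIDRs that mean "the whole internet"
ALLOWED_PUBLIC_PORTS = {443}           # assumption: only HTTPS may face the internet


@dataclass(frozen=True)
class Finding:
    control: str    # which control failed
    resource: str   # identifier of the offending resource
    detail: str


def check_rds(instances):
    """Cardholder databases must be encrypted at rest and not publicly reachable."""
    findings = []
    for db in instances:
        name = db["DBInstanceIdentifier"]
        if not db.get("StorageEncrypted", False):
            findings.append(Finding("rds-encryption", name, "storage encryption disabled"))
        if db.get("PubliclyAccessible", False):
            findings.append(Finding("rds-exposure", name, "PubliclyAccessible is true"))
    return findings


def _rule_ports(rule):
    """Return the set of ports a rule covers, or None when it covers all traffic."""
    if rule.get("IpProtocol") == "-1":
        return None
    return set(range(rule["FromPort"], rule["ToPort"] + 1))


def check_security_groups(groups):
    """Flag ingress rules that expose anything but the allowed ports to the world."""
    findings = []
    for sg in groups:
        for rule in sg.get("IpPermissions", []):
            cidrs = [r["CidrIp"] for r in rule.get("IpRanges", [])]
            cidrs += [r["CidrIpv6"] for r in rule.get("Ipv6Ranges", [])]
            if not WORLD.intersection(cidrs):
                continue                      # not world-reachable, nothing to flag
            ports = _rule_ports(rule)
            if ports is not None and ports <= ALLOWED_PUBLIC_PORTS:
                continue                      # only the permitted public port(s)
            shown = "all" if ports is None else f"{rule['FromPort']}-{rule['ToPort']}"
            findings.append(Finding("sg-world-open", sg["GroupId"],
                                    f"ports {shown} open to the internet"))
    return findings


def check_cloudtrail(trails):
    """Require at least one multi-region trail with log file validation turned on."""
    if any(t.get("IsMultiRegionTrail") and t.get("LogFileValidationEnabled") for t in trails):
        return []
    return [Finding("cloudtrail", "account", "no multi-region trail with log file validation")]


def check_guardduty(detectors):
    """Require an enabled GuardDuty detector for continuous threat detection."""
    if any(d.get("Status") == "ENABLED" for d in detectors):
        return []
    return [Finding("guardduty", "account", "no enabled GuardDuty detector")]


def evaluate(inventory):
    """Run every check and return the combined list of findings."""
    findings = []
    findings += check_rds(inventory.get("rds", []))
    findings += check_security_groups(inventory.get("security_groups", []))
    findings += check_cloudtrail(inventory.get("cloudtrail", []))
    findings += check_guardduty(inventory.get("guardduty", []))
    return findings


# Constructed sample inventory: a weak setting next to its corrected form for each control.
SAMPLE_INVENTORY = {
    "rds": [
        {"DBInstanceIdentifier": "cardholder-db-old", "StorageEncrypted": False, "PubliclyAccessible": True},
        {"DBInstanceIdentifier": "cardholder-db", "StorageEncrypted": True, "PubliclyAccessible": False},
    ],
    "security_groups": [
        {"GroupId": "sg-weak", "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
            {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
        {"GroupId": "sg-hardened", "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
            {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": "10.0.0.0/8"}]}]},
    ],
    "cloudtrail": [{"Name": "org-trail", "IsMultiRegionTrail": True, "LogFileValidationEnabled": True}],
    "guardduty": [{"Status": "ENABLED"}],
}

if __name__ == "__main__":
    for f in evaluate(SAMPLE_INVENTORY):
        print(f"[{f.control}] {f.resource}: {f.detail}")
```

Run against the sample inventory, the script reports the unencrypted, publicly reachable database and the two world-open ports on sg-weak, and nothing for the hardened resources. In a real account you would feed the same functions the output of the corresponding boto3 calls; the point is that each control in the list maps to a specific, checkable setting rather than to "being on AWS".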

This is a nontrivial amount of work, but it is all doable. It’s important to remember that PCI requires specific activities to be performed on specific timelines and your setup must undergo testing to make sure it’s compliant.

At Armor, we’ve recognized that this is a problem, so we choose to make our compliance experts available to our customers.

Levels of PCI DSS Compliance

Once you properly set up your AWS deployment, you need to take steps to actively remain PCI compliant.

In the PCI DSS, there are steps that companies must take in order to prove that they are continuously compliant. Your merchant level determines the activities you must undertake in order to remain compliant.

PCI has four levels to classify merchants. Here’s a high-level overview of what the levels are and the requirements each has to meet:

Level 1 Merchants

Level 1 merchants process over 6 million card transactions annually.
They must do the following:

  • Complete an annual Report on Compliance (ROC) in conjunction with a Qualified Security Assessor (QSA)
  • Have an Approved Scanning Vendor (ASV) conduct quarterly scans
  • Complete an Attestation of Compliance Form

Level 2 Merchants

Level 2 merchants process 1 to 6 million card transactions annually.
They must do the following:

  • Complete an annual Self-Assessment Questionnaire (SAQ)
  • Have an ASV conduct quarterly scans
  • Complete an Attestation of Compliance Form

Level 3 Merchants

Level 3 merchants process 20,000 to 1 million card transactions annually.
They must do the following:

  • Complete an Annual Self-Assessment Questionnaire (SAQ)
  • Have an ASV conduct quarterly scans
  • Complete an Attestation of Compliance Form

Level 4 Merchants

Level 4 merchants process up to 20,000 card transactions annually.
They must do the following:

  • Complete an Annual Self-Assessment Questionnaire (SAQ)
  • Have an ASV conduct quarterly scans
  • Complete an Attestation of Compliance Form

PCI Compliance Might Not Be Enough

Taking a step back, we want to emphasize why PCI was created in the first place. It’s a framework for how to secure businesses that process credit card data.

While the PCI DSS is definitely a good set of standards to adhere to, it is not enough on its own.

Consider the fact that PCI auditors generally test a sampling of servers to check for PCI compliance.

It’s possible for companies to only polish the sampled servers so that those look good, rather than applying the requirements consistently across the full environment.

The famous Target breach of 2013 crystallized how PCI compliance does not necessarily mean security. Target CEO Gregg Steinhafel said it himself: “Target was certified as meeting the standard for the payment card industry in September 2013. Nonetheless, we suffered a data breach”.

Why Armor is the Best Choice to Secure Your Infrastructure

Our product, Armor Anywhere, helps businesses secure their cloud infrastructure, no matter where it is (on-premises or public cloud). We also have our own private cloud offering, Armor Complete, if you want to use a cloud with more security done by default.

Armor Anywhere takes minutes to get up and running. Once you use Armor Anywhere, you’ll have achieved several steps to making your setup PCI compliant.

Becoming compliant is not a simple transition, which is why we are more than just a software solution.

Our advisors have real-world experience helping businesses like yours become compliant and secure.

By choosing Armor, you’re not only getting software that will automatically do a lot of the work for you, but you’re also getting a partner with years of experience securing servers holding credit card data.

Armor Anywhere allows you to use a public host like AWS and become PCI compliant with less effort. While we can’t do everything for you, we can share some of the work.

Just to show you how complicated this can get, here is a diagram (from AWS itself) of how to create a PCI compliant setup:

That’s a lot to keep track of. Furthermore, is that really the best use of your time? Why not get help to reduce the workload while also getting access to advisors who have done this many times before?

You could hire some sort of service provider to do this work for you, but that’s expensive. Plus, you’ll need to continuously pay that provider in order to ensure that you remain compliant.

That’s why we think using Armor Anywhere is a no-brainer for achieving PCI compliance on AWS. We do some of the work for you while advising you on the parts that you might need help with (at a fraction of the cost of hiring a consultant).

Here are just some of the ways that Armor Anywhere can save you time and effort in order to become PCI compliant and secure:

Control                                Custom AWS Installation    Armor Anywhere
Restrict physical access to servers    X                          X
Secure servers verified by a QSA       X                          X
Vulnerability Scans                                               X
Intrusion Detection                                               X
File Integrity Monitoring                                         X
Log Collection and Management                                     X
Malware Protection                                                X
Patch Monitoring                                                  X
ID and Access Management
Application Security
Data Encryption and Protection

Next Steps

Achieving and maintaining AWS PCI compliance is not a simple task, but we can help make it easier.

You’ll have to make sure your business has the right policies and procedures in place — while using AWS properly. There are dozens of services in the AWS toolkit, and you have to set them up to be PCI compliant.

Once you achieve PCI compliance, you’ll have to regularly undergo assessments and scans to ensure that you stay compliant.

And, on top of that, you have to remember that being PCI compliant is not enough to be fully secure.

If you want a solution and partner that can make this process of becoming and staying PCI DSS compliant easier, then contact us for a free assessment. We’re ready to help.

Note: Our product, Armor Anywhere, can help secure any type of public or private server. That means you can have PCI compliant hosting with less work. If you want to find out how much Armor will cost to help you be compliant, click here. Or if you want to learn more about our compliance solutions, click here.
