The Payment Card Industry Data Security Standard (PCI DSS) is a security standard that defines requirements for protecting credit and debit card information and related personal data. It was created, and is maintained, by the PCI Security Standards Council (PCI SSC).
PCI compliance applies to all entities storing, processing, or transmitting sensitive authentication data (SAD) or cardholder data (CHD), such as merchants, acquirers, processors, service providers, and issuers. It is enforced by card companies and administered by the PCI SSC.
AWS is PCI DSS compliant. Organizations that use AWS services and products to transmit, store, or process cardholder data can depend on AWS’s technology infrastructure when acquiring and maintaining their own PCI certification. That said, organizations must ensure their data and configuration are also compliant with PCI DSS requirements.
Here is the official list of AWS services compliant with PCI DSS.
The information provided in this article and elsewhere on this website is meant purely for educational discussion and contains only general information about legal, commercial and other matters. It is not legal advice and should not be treated as such. Information on this website may not constitute the most up-to-date legal or other information.
The information in this article is provided “as is” without any representations or warranties, express or implied. We make no representations or warranties in relation to the information in this article, and all liability with respect to actions taken or not taken based on the contents of this article is hereby expressly disclaimed.
You must not rely on the information in this article as an alternative to legal advice from your attorney or other professional legal services provider. If you have any specific questions about any legal matter you should consult your attorney or other professional legal services provider.
This article may contain links to other third-party websites. Such links are only for the convenience of the reader, user or browser; we do not recommend or endorse the contents of any third-party sites.
There are several issues to consider to remain PCI compliant when using cloud services. If you store data on a third-party server, as in a cloud environment, you rely on the vendor to manage the infrastructure and security. You have less control over the environment than with on-premises data storage.
Cloud service providers (CSPs) are responsible for securing the infrastructure, but you should still make sure you choose a reliable CSP. For example, you should keep the vendor’s Attestation of Compliance (AoC) on file to demonstrate compliance with the PCI DSS. Businesses must verify their CSPs are PCI compliant every year and provide annual statements acknowledging the third-party vendor’s responsibility for compliance.
However, the main risk associated with cloud infrastructure is sharing it with other businesses. Strong encryption is necessary so that other tenants cannot read your data even if they reach your environment. If you ensure PCI compliance, you already protect payment card data such as stored card numbers with strong encryption, but cloud environments require even more protection.
Ultimately, you rely on a third party to restrict access to sensitive credit card data, so the CSP must clearly outline its roles and responsibilities. You must know exactly how the CSP handles your data and what your organization’s responsibilities are (PCI DSS Requirement 12 covers this).
Maintaining PCI DSS compliance in the cloud is not very different from keeping your on-site servers PCI compliant. It requires the same controls but involves a third party.
AWS offers several tools to help maintain PCI compliance:
While Amazon infrastructure is PCI DSS compliant, your organization, as an AWS customer, needs to activate the relevant security measures required by the PCI standard. Here are a few ways you can achieve PCI DSS compliance for your AWS cloud environment.
Requirement 1.1.4 of the PCI DSS requires organizations to implement firewalls at every Internet connection and between the internal network and demilitarized zones. Amazon offers two PCI-compliant firewalls: Network Access Control Lists (NACLs) and security groups.
Firewalls demonstrate the division of the security responsibility between AWS and its users. AWS provides the firewall services to help you comply with the PCI requirements, but it is your responsibility to configure and manage these firewalls in compliant ways. The AWS Firewall Manager helps users simplify and centralize firewall management for multiple AWS cloud environments.
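As an added example (not code from the article, Calico or AWS), the following Python check reads the response shape of boto3's describe_security_groups call and reports every ingress rule that exposes anything other than HTTPS to 0.0.0.0/0 or ::/0. The security-group data is constructed inline, and the rule that only port 443 may face the internet is an assumption.

```python
"""Flag security-group ingress rules open to the whole internet (PCI DSS Requirement 1).
Added example, not from the article or AWS. Input is the dict returned by boto3's
ec2.describe_security_groups(); the sample below is constructed so it runs offline.
Assumption: the cardholder data environment exposes only HTTPS (443) publicly."""

ANY_IPV4, ANY_IPV6 = "0.0.0.0/0", "::/0"
ALLOWED_PUBLIC_PORTS = {443}  # assumption: only HTTPS may face the internet

def _world_sources(perm):
    """CIDRs in this rule that mean 'anyone on the internet'."""
    v4 = [r["CidrIp"] for r in perm.get("IpRanges", []) if r["CidrIp"] == ANY_IPV4]
    v6 = [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", []) if r["CidrIpv6"] == ANY_IPV6]
    return v4 + v6

def _is_disallowed(perm):
    """True unless the rule is TCP and every port in its range is on the allow list."""
    if perm.get("IpProtocol") != "tcp":  # "-1" (all traffic), udp, icmp: never from the internet
        return True
    lo, hi = perm.get("FromPort", 0), perm.get("ToPort", 65535)
    return not set(range(lo, hi + 1)) <= ALLOWED_PUBLIC_PORTS

def find_open_ingress(groups):
    """One finding per (security group, rule, world CIDR) exposing a disallowed port."""
    findings = []
    for sg in groups["SecurityGroups"]:
        for perm in sg.get("IpPermissions", []):
            if not _is_disallowed(perm):
                continue
            ports = "all" if perm.get("IpProtocol") == "-1" else f"{perm.get('FromPort')}-{perm.get('ToPort')}"
            for src in _world_sources(perm):
                findings.append({"group": sg["GroupId"], "name": sg.get("GroupName", ""),
                                 "proto": perm.get("IpProtocol"), "ports": ports, "source": src})
    return findings

# Constructed sample: a web tier that also leaves SSH open, and a DB tier with an all-traffic IPv6 rule.
SAMPLE = {"SecurityGroups": [
    {"GroupId": "sg-0a1b2c3d4e5f6a7b8", "GroupName": "cde-web", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-0f9e8d7c6b5a49382", "GroupName": "cde-db", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432, "IpRanges": [{"CidrIp": "10.0.0.0/16"}], "Ipv6Ranges": []},
        {"IpProtocol": "-1", "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]}]}

if __name__ == "__main__":
    # Live use: groups = boto3.client("ec2").describe_security_groups()
    for f in find_open_ingress(SAMPLE):
        print(f"{f['group']} ({f['name']}): {f['proto']} {f['ports']} open to {f['source']}")
```

The same rule-level logic applies to NACL entries, which use a different response shape (network ACL entries with CidrBlock and RuleAction) and would need their own loader.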
Requirements 3 and 4 of the PCI DSS protect cardholder data, including encrypting data in transit and at rest. Important requirements include using strong encryption and security protocols to protect sensitive data while traversing open networks and rendering payment card data unreadable wherever it is stored.
The standard requires businesses to use up-to-date cryptographic technology to implement cardholder data encryption at rest and in transit. AWS makes encryption straightforward, with most storage services offering at-rest data encryption, including databases and caching services.
AWS automatically encrypts data when it moves within secure AWS networks. You still must ensure the implementation of appropriate cryptographic protection when transmitting data to a third-party service or client.
Requirements 3.5 and 3.6 of the PCI DSS stipulate several sub-requirements for managing cryptographic keys. You must implement and document key protection procedures to secure payment card data storage and prevent misuse or exposure. Businesses must restrict access to keys based on a least-privilege approach. The cryptography must be strong, and you must securely distribute and store the keys.
AWS offers a key management service (KMS) to help you comply with these PCI requirements. You can use AWS KMS to generate and manage keys, integrating it with other AWS data encryption services.
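Added example, not from the article or AWS: a Python lint over a KMS key policy document that reports wildcard principals lacking a Condition and principals granted both key-administration and key-usage actions, the least-privilege and separation-of-duties points behind Requirements 3.5 and 3.6. The policy, role names and account id are constructed.

```python
"""Lint a KMS key policy against PCI DSS 3.5/3.6 key-custodian expectations. Added example,
not from the article or AWS; input is the parsed JSON that kms.get_key_policy(...) returns.
Reports wildcard principals without a Condition and principals that are both admin and user."""
import fnmatch

ADMIN = {"kms:CreateGrant", "kms:PutKeyPolicy", "kms:ScheduleKeyDeletion", "kms:DisableKey",
         "kms:EnableKeyRotation", "kms:DisableKeyRotation", "kms:UpdateKeyDescription"}
USAGE = {"kms:Encrypt", "kms:Decrypt", "kms:ReEncryptFrom", "kms:ReEncryptTo",
         "kms:GenerateDataKey", "kms:GenerateDataKeyWithoutPlaintext"}

def _expand(actions):
    """Resolve patterns such as kms:Create* or kms:* to the canonical actions above."""
    pats = [actions] if isinstance(actions, str) else actions
    return {a for a in ADMIN | USAGE if any(fnmatch.fnmatchcase(a, p) for p in pats)}

def _principals(stmt):
    p = stmt.get("Principal", {})
    aws = ["*"] if p == "*" else p.get("AWS", [])
    return [aws] if isinstance(aws, str) else list(aws)

def lint_key_policy(policy):
    findings, admins, users = [], set(), set()
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        acts = _expand(stmt.get("Action", []))
        for who in _principals(stmt):
            if who == "*" and "Condition" not in stmt:
                findings.append(f"{stmt.get('Sid', '?')}: wildcard principal without Condition")
            if who.endswith(":root"):
                continue  # the account-root statement delegates to IAM policies; review those separately
            if acts & ADMIN: admins.add(who)
            if acts & USAGE: users.add(who)
    for who in sorted(admins & users):
        findings.append(f"{who}: both key administrator and key user (no separation of duties)")
    return findings

def _stmt(sid, principal, action):
    return {"Sid": sid, "Effect": "Allow", "Principal": principal, "Action": action, "Resource": "*"}

# Constructed sample: a typical policy with two mistakes (AdminCanDecrypt, AnyoneDescribe).
ROOT, ADM, APP = (f"arn:aws:iam::111111111111:{s}" for s in ("root", "role/key-admin", "role/payment-app"))
SAMPLE_POLICY = {"Version": "2012-10-17", "Statement": [
    _stmt("EnableIAM", {"AWS": ROOT}, "kms:*"),
    _stmt("KeyAdmins", {"AWS": ADM}, ["kms:Create*", "kms:Put*", "kms:Enable*", "kms:Disable*",
                                      "kms:Update*", "kms:ScheduleKeyDeletion"]),
    _stmt("KeyUsers", {"AWS": APP}, ["kms:Encrypt", "kms:Decrypt", "kms:GenerateDataKey*"]),
    _stmt("AdminCanDecrypt", {"AWS": ADM}, "kms:Decrypt"),
    _stmt("AnyoneDescribe", "*", "kms:DescribeKey")]}
```

Run `lint_key_policy(json.loads(resp["Policy"]))` on a live policy; the account-root statement is skipped deliberately because the IAM policies it delegates to need a separate review.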
In AWS environments, databases and servers run inside a virtual private cloud (VPC). By default, VPCs are standalone, isolated network environments: other systems and VPCs cannot communicate with components inside a VPC, which helps reduce the PCI scope.
However, AWS supports VPC peering, which lets you bridge two or more VPCs together. Once peered, the VPCs can connect by default. VPC peering is possible between VPCs within one AWS account or across separate accounts, so checking the cloud environment’s peering connections is essential to prevent unwanted links.
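Added example, not the article's or AWS's code: a Python check over the response of boto3's describe_vpc_peering_connections that lists every live peering into the in-scope VPC whose far side is unapproved or sits in another account. The VPC ids, account id and approved list are assumptions, and the sample response is constructed.

```python
"""Audit VPC peering connections that touch the in-scope (cardholder data) VPC.
Added example, not from the article or AWS. Input is the dict that boto3's
ec2.describe_vpc_peering_connections() returns; the VPC ids, account id and
approved-peer list are assumptions, and the sample data is constructed."""

CDE_VPC = "vpc-0cde0000000000001"          # assumption: the PCI in-scope VPC
CDE_ACCOUNT = "111111111111"               # assumption: account that owns it
APPROVED_PEERS = {"vpc-0106000000000002"}  # assumption: e.g. a central logging VPC
LIVE_STATES = {"active", "pending-acceptance", "provisioning"}  # states that can carry traffic

def audit_peerings(resp, cde_vpc=CDE_VPC, approved=APPROVED_PEERS):
    """Return (peering id, peer VPC, reasons) for every live peering into the CDE VPC
    whose far side is not approved or sits in another AWS account."""
    findings = []
    for pcx in resp["VpcPeeringConnections"]:
        if pcx["Status"]["Code"] not in LIVE_STATES:
            continue  # deleted, rejected or expired peerings carry no traffic
        req, acc = pcx["RequesterVpcInfo"], pcx["AccepterVpcInfo"]
        if cde_vpc not in (req["VpcId"], acc["VpcId"]):
            continue
        peer = acc if req["VpcId"] == cde_vpc else req
        reasons = []
        if peer["VpcId"] not in approved:
            reasons.append("peer VPC not on approved list")
        if peer["OwnerId"] != CDE_ACCOUNT:
            reasons.append("cross-account peering")  # always reported, even when approved
        if reasons:
            findings.append((pcx["VpcPeeringConnectionId"], peer["VpcId"], "; ".join(reasons)))
    return findings

def _pcx(pcx_id, req_vpc, req_owner, acc_vpc, acc_owner, state):
    return {"VpcPeeringConnectionId": pcx_id, "Status": {"Code": state},
            "RequesterVpcInfo": {"VpcId": req_vpc, "OwnerId": req_owner},
            "AccepterVpcInfo": {"VpcId": acc_vpc, "OwnerId": acc_owner}}

# Constructed sample: one approved peering, one to a dev VPC, one cross-account, one deleted, one unrelated.
SAMPLE = {"VpcPeeringConnections": [
    _pcx("pcx-0000000000000001", CDE_VPC, CDE_ACCOUNT, "vpc-0106000000000002", CDE_ACCOUNT, "active"),
    _pcx("pcx-0000000000000002", "vpc-0de0000000000003", CDE_ACCOUNT, CDE_VPC, CDE_ACCOUNT, "active"),
    _pcx("pcx-0000000000000003", CDE_VPC, CDE_ACCOUNT, "vpc-0aa0000000000004", "222222222222", "pending-acceptance"),
    _pcx("pcx-0000000000000004", CDE_VPC, CDE_ACCOUNT, "vpc-0010000000000005", CDE_ACCOUNT, "deleted"),
    _pcx("pcx-0000000000000005", "vpc-0bb0000000000006", CDE_ACCOUNT, "vpc-0cc0000000000007", CDE_ACCOUNT, "active")]}

if __name__ == "__main__":
    # Live use: resp = boto3.client("ec2").describe_vpc_peering_connections()
    for pcx_id, peer, why in audit_peerings(SAMPLE):
        print(f"{pcx_id}: peered with {peer} ({why})")
```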
AWS allows you to combine multiple accounts into a single master account for easy management. While this simplifies organizational management, it also presents challenges for PCI compliance. If an account is part of an organization in AWS, the master account can determine user access for that account, even if it doesn’t allow connections between different accounts. It is therefore important to know if the PCI account is part of your AWS organization.
Calico supports major compliance standards including PCI DSS, HIPAA, GDPR, SOC 2, NIST, CCPA, and any custom frameworks. Calico Cloud provides AWS users with the following features to address compliance requirements: