AWS PCI Compliance: 5 Ways to Make Your Cloud Compliant

What Is AWS PCI Compliance?

The Payment Card Industry Data Security Standard (PCI DSS) is a security standard that defines requirements protecting credit and debit card information and related personal data. It was created and maintained by the PCI Security Standards Council (PCI SSC).

PCI compliance applies to all entities storing, processing, or transmitting sensitive authentication data (SAD) or cardholder data (CHD), such as merchants, acquirers, processors, service providers, and issuers. It is enforced by card companies and administered by the PCI SSC.

AWS is PCI DSS compliant. Organizations that use AWS services and products to transmit, store, or process cardholder data can rely on AWS’s compliant technology infrastructure when obtaining and maintaining their own PCI certification. That said, organizations must still ensure that their data handling and configuration also comply with PCI DSS requirements.

Here is the official list of AWS services compliant with PCI DSS.

How Does PCI Compliance Affect Cloud Computing Environments?

There are several issues to consider to remain PCI compliant when using cloud services. If you store data on a third-party server, as in a cloud environment, you rely on the vendor to manage the infrastructure and its security. You have less control over the environment than with on-premises data storage.

Cloud service providers (CSPs) are responsible for securing the infrastructure, but you should still make sure you choose a reliable CSP. For example, you should keep the vendor’s Attestation of Compliance (AoC) on file to demonstrate compliance with the PCI DSS. Businesses must verify their CSPs are PCI compliant every year and provide annual statements acknowledging the third-party vendor’s responsibility for compliance.

However, the main risk of cloud infrastructure is that it is shared with other businesses. Strong encryption is necessary so that other tenants cannot break into your environment and read your data. If you are PCI compliant, you already protect payment card data such as stored card numbers with strong encryption, but cloud environments require even more protection.

Ultimately, you rely on a third party to restrict access to sensitive credit card data, so the CSP must clearly outline its roles and responsibilities. You must know exactly how the CSP handles your data and what your organization’s responsibilities are (this is a PCI DSS Requirement 12 obligation).

Maintaining PCI DSS compliance in the cloud is not very different from keeping your on-site servers PCI compliant. It requires the same controls but involves a third party.

AWS PCI Compliance Tools

AWS offers several tools to help maintain PCI compliance:

  • Amazon GuardDuty – Continuously monitors AWS accounts to identify indicators of a potential breach or malicious activity. GuardDuty helps you protect cloud networks and secure customer payment card data and other sensitive information related to PCI security.
  • Amazon Inspector – A cloud PCI tool that directly helps ensure compliance. It automatically scans security configurations to verify continued compliance and identify gaps in your compliance policy or implementation. It helps ensure that changes to the cloud network don’t impact your PCI DSS compliance or data security.
  • AWS Artifact – A free service to help manage Amazon Inspector and GuardDuty. It provides a portal to track AWS PCI and SOC reports, including PCI compliance, access control, and security vulnerability reports. AWS Artifact makes other AWS PCI services more manageable, with all critical reports available in the same place.

5 Customer Responsibilities for Achieving PCI Compliance on AWS

While Amazon infrastructure is PCI DSS compliant, your organization, as an AWS customer, needs to activate the relevant security measures required by the PCI standard. Here are a few ways you can achieve PCI DSS compliance for your AWS cloud environment.

1. Firewalls

Requirement 1.1.4 of the PCI DSS requires organizations to implement firewalls at every Internet connection and between the internal network and demilitarized zones. Amazon offers two PCI-compliant firewalls: Network Access Control Lists (NACLs) and security groups.

Firewalls demonstrate the division of the security responsibility between AWS and its users. AWS provides the firewall services to help you comply with the PCI requirements, but it is your responsibility to configure and manage these firewalls in compliant ways. The AWS Firewall Manager helps users simplify and centralize firewall management for multiple AWS cloud environments.
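One way to check that security groups in scope are not open to the whole Internet, as an added example that is not code from the article, AWS or Calico. It works on the JSON shape returned by `aws ec2 describe-security-groups` (SecurityGroups → IpPermissions → IpRanges/Ipv6Ranges), so the constructed sample below can be swapped for a real CLI or boto3 response; the group IDs and the default allowed port (443) are assumptions.

```python
"""Audit security-group ingress rules for world-open access.

Added example; the sample data below is constructed and mirrors the shape of
`aws ec2 describe-security-groups` output rather than being taken from any real account.
"""
from typing import Any

ANY_V4 = "0.0.0.0/0"
ANY_V6 = "::/0"


def world_open_ingress(groups: list[dict[str, Any]],
                       allowed_ports: frozenset = frozenset({443})) -> list[dict[str, Any]]:
    """Return one finding per ingress rule reachable from any Internet address.

    A rule is flagged when any IPv4/IPv6 range is the whole Internet and the rule is
    not limited to a single allowed port (e.g. TLS on a public web tier).
    IpProtocol "-1" means all protocols and ports and is always flagged.
    """
    findings = []
    for sg in groups:
        for perm in sg.get("IpPermissions", []):
            cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
            cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
            if not any(c in (ANY_V4, ANY_V6) for c in cidrs):
                continue  # restricted to specific sources: not a finding here
            proto = perm.get("IpProtocol")
            if proto == "-1":
                ports = "all"
            else:
                lo, hi = perm.get("FromPort"), perm.get("ToPort")
                if lo is not None and lo == hi and lo in allowed_ports:
                    continue  # deliberately public service port
                ports = str(lo) if lo == hi else f"{lo}-{hi}"
            findings.append({"GroupId": sg["GroupId"], "Protocol": proto, "Ports": ports})
    return findings


# Constructed sample (assumed group IDs) in describe-security-groups shape.
SAMPLE_GROUPS = [
    {"GroupId": "sg-web", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "IpRanges": [{"CidrIp": ANY_V4}], "Ipv6Ranges": []},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": ANY_V4}], "Ipv6Ranges": []},
    ]},
    {"GroupId": "sg-db", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306, "IpRanges": [{"CidrIp": "10.0.1.0/24"}], "Ipv6Ranges": []},
        {"IpProtocol": "-1", "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": ANY_V6}]},
    ]},
]

if __name__ == "__main__":
    for finding in world_open_ingress(SAMPLE_GROUPS):
        print(finding)
```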

2. Strong Data Encryption

Requirements 3 and 4 of the PCI DSS protect cardholder data, including encrypting data in transit and at rest. Important requirements include using strong encryption and security protocols to protect sensitive data while traversing open networks and rendering payment card data unreadable wherever it is stored.

The regulation requires businesses to use up-to-date cryptographic technology to implement cardholder data encryption at rest and in transit. AWS makes encryption straightforward, with most storage services offering at-rest data encryption, including databases and caching services.

AWS automatically encrypts data when it moves within secure AWS networks. You still must ensure the implementation of appropriate cryptographic protection when transmitting data to a third-party service or client.

3. Secure Cryptographic Key Storage

Requirements 3.5 and 3.6 of the PCI DSS stipulate several sub-requirements for managing cryptographic keys. You must implement and document key protection procedures to secure payment card data storage and prevent misuse or exposure. Businesses must restrict access to keys based on a least-privilege approach. The cryptography must be strong, and you must securely distribute and store the keys.

AWS offers a key management service (KMS) to help you comply with these PCI requirements. You can use AWS KMS to generate and manage keys, integrating it with other AWS data encryption services.

4. Virtual Private Cloud Peering

In AWS environments, databases and servers run within virtual private cloud (VPC) containers. By default, VPCs are standalone, isolated network environments. Other systems and VPCs cannot communicate with components inside a VPC, which helps reduce the PCI scope.

However, AWS supports VPC peering, allowing you to enable configurations that bridge two or more VPCs together. Peered VPCs can connect by default. VPC peering is possible between VPCs within an AWS account or in separate accounts, so checking the cloud environment’s peering connections is essential to prevent unwanted links.
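The peering check described above, as an added example that is not code from the article, AWS or Calico. It works on the JSON shape of `aws ec2 describe-vpc-peering-connections` (RequesterVpcInfo / AccepterVpcInfo with OwnerId and VpcId) and flags any live peering that links a cardholder-data VPC to another account or to a VPC outside an approved list; the VPC IDs, account IDs and the approved list are constructed assumptions.

```python
"""Flag VPC peering connections that expose a cardholder-data (CDE) VPC.

Added example; the sample below is constructed in the shape of
`aws ec2 describe-vpc-peering-connections` output and uses made-up IDs.
"""
from typing import Any

# Status codes under which traffic can or will flow; others are dead peerings.
LIVE_STATES = {"active", "pending-acceptance", "provisioning"}


def unapproved_peerings(connections: list[dict[str, Any]], cde_vpcs: set[str],
                        approved_peers: set[str], own_account: str) -> list[dict[str, Any]]:
    """Return findings for live peerings where a CDE VPC's peer is cross-account or unapproved."""
    findings = []
    for pcx in connections:
        if pcx.get("Status", {}).get("Code") not in LIVE_STATES:
            continue
        req, acc = pcx["RequesterVpcInfo"], pcx["AccepterVpcInfo"]
        # A CDE VPC may sit on either side of the peering, so examine both orientations.
        for cde_side, peer_side in ((req, acc), (acc, req)):
            if cde_side["VpcId"] not in cde_vpcs:
                continue
            reasons = []
            if peer_side["OwnerId"] != own_account:
                reasons.append("cross-account")
            if peer_side["VpcId"] not in approved_peers:
                reasons.append("not approved")
            if reasons:
                findings.append({"Id": pcx["VpcPeeringConnectionId"], "CdeVpc": cde_side["VpcId"],
                                 "PeerVpc": peer_side["VpcId"], "Reasons": reasons})
    return findings


OWN = "111111111111"  # constructed account ID
SAMPLE_PEERINGS = [  # constructed sample in describe-vpc-peering-connections shape
    {"VpcPeeringConnectionId": "pcx-approved", "Status": {"Code": "active"},
     "RequesterVpcInfo": {"OwnerId": OWN, "VpcId": "vpc-cde"},
     "AccepterVpcInfo": {"OwnerId": OWN, "VpcId": "vpc-logging"}},
    {"VpcPeeringConnectionId": "pcx-crossacct", "Status": {"Code": "active"},
     "RequesterVpcInfo": {"OwnerId": "222222222222", "VpcId": "vpc-partner"},
     "AccepterVpcInfo": {"OwnerId": OWN, "VpcId": "vpc-cde"}},
    {"VpcPeeringConnectionId": "pcx-old", "Status": {"Code": "deleted"},
     "RequesterVpcInfo": {"OwnerId": OWN, "VpcId": "vpc-cde"},
     "AccepterVpcInfo": {"OwnerId": OWN, "VpcId": "vpc-dev"}},
    {"VpcPeeringConnectionId": "pcx-dev", "Status": {"Code": "active"},
     "RequesterVpcInfo": {"OwnerId": OWN, "VpcId": "vpc-dev"},
     "AccepterVpcInfo": {"OwnerId": OWN, "VpcId": "vpc-cde"}},
]

if __name__ == "__main__":
    for finding in unapproved_peerings(SAMPLE_PEERINGS, {"vpc-cde"}, {"vpc-logging"}, OWN):
        print(finding)
```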

5. AWS Master Accounts

AWS allows you to combine multiple accounts into a single master account for easy management. While this simplifies organizational management, it also presents challenges for PCI compliance. If an account is part of an organization in AWS, the master account can determine user access for that account, even if it doesn’t allow connections between different accounts. It is therefore important to know if the PCI account is part of your AWS organization.

AWS PCI Compliance with Calico

Calico supports major compliance standards including PCI DSS, HIPAA, GDPR, SOC 2, NIST, CCPA, and any custom frameworks. Calico Cloud provides AWS users with the following features to address compliance requirements:

  • Continuous compliance – Monitor and log changes to security policies based on your organization’s time-based requirements. Maintain your security posture to meet PCI compliance requirements.
  • Compliance reports – Define custom compliance reports and run reports on demand to provide proof of compliance.
  • Policy implementation – Create policies that are Kubernetes-native and based on metadata and labels instead of IP addresses.
  • CIS Benchmark reports – Get out-of-the-box CIS benchmark compliance reports. Use the GlobalReport resource to schedule reports and set compliance thresholds.
