AWS Security Blog

Updated whitepaper: Architecting for PCI DSS Segmentation and Scoping on AWS

Our mission at AWS Security Assurance Services is to assist with Payment Card Industry Data Security Standard (PCI DSS) compliance for Amazon Web Services (AWS) customers. We work closely with AWS customers to answer their questions about compliance on the AWS Cloud, finding and implementing solutions, and optimizing their controls and assessments. We’ve compiled the most frequent and foundational questions in the updated Architecting for PCI DSS Scoping and Segmentation on AWS whitepaper, which aligns with the PCI Council’s Information Supplement: Guidance for PCI DSS Scoping and Network Segmentation.

This whitepaper provides guidance on how you can properly define the scope of your PCI DSS 4.0 workloads that are running in the AWS Cloud. The whitepaper describes how to define segmentation boundaries between your in-scope and out-of-scope resources by using AWS Cloud–based services, provides recommendations for segmentation best practices for various workloads, and offers insights into network traffic flows for segmentation at both east-west (internal) and north-south (external) network communication paths.

This update brings significant enhancements by offering practical and actionable design patterns at the network layer, tailored to support PCI DSS. For readers who have consulted the previous version of the whitepaper, this update brings the following important enhancements:

  • Reference architectures for account structure: AWS Organizations organizational units (OUs) and AWS account structure form the foundation of network layer design and segmentation. We provide recommendations for these structures that are designed to help you with PCI DSS compliance.
  • Actionable network design patterns: Network layer architectural patterns help customers to structure their workload traffic flows.
  • Firewall rule examples: Rule configurations in this update make it easier to enforce traffic controls that are aligned with PCI DSS requirements.
  • Enhanced segmentation guidance: Moving beyond high-level segmentation advice, this version provides hands-on implementation information that applies to practical application scenarios.

The whitepaper is not only intended for engineers and solution builders, but also serves as a guide for Qualified Security Assessors (QSAs) and internal security assessors (ISAs) to better understand the various segmentation controls that are available within AWS products and services, along with associated scoping considerations.

Compared to on-premises environments, software-defined networking on AWS transforms the scoping process for applications by providing additional segmentation controls beyond network segmentation. Thoughtful design of your applications and selection of security-impacting services for implementing your required controls can reduce the number of systems and services in your cardholder data environment (CDE).

Compliance at cloud scale

New security and governance tools available from AWS and the AWS Partner Network (APN) enable you to build business-as-usual compliance and automated security tasks so you can shift your focus to scaling and innovating your business.

If you have questions or want to learn more, contact your account executive, or leave a comment below.

Abdul Javid

Abdul Javid

Abdul is a Senior Security Assurance Consultant and PCI DSS Qualified Security Assessor with AWS Security Assurance Services, and has more than 25 years of IT governance, operations, security, risk, and compliance experience. He uses his experience and knowledge to advise AWS customers on their compliance journey. Abdul holds various industry-recognized certifications in security, program, and risk management.

Padmakar Bhosale

Padmakar Bhosale

Padmakar is a Senior Technical Account Manager with over 25 years of experience in the financial, banking, and cloud services sectors. He provides AWS customers with guidance and advice on payment services, core banking ecosystem, credit union banking technologies, resiliency on the AWS Cloud, AWS accounts and network levels PCI segmentations, and optimization of the customer’s cloud journey experience on AWS Cloud.

Ted Tanner

Ted Tanner

Ted is a Principal Assurance Consultant and PCI DSS QSA with AWS Security Assurance Services. He has more than 25 years of IT, security, and compliance experience, which he uses to advise customers on building and optimizing their cloud compliance programs. He is co-author of several PCI DSS–related publications at AWS.