The Payment Card Industry Data Security Standard (also known as PCI DSS) is a proprietary information security standard administered by the PCI Security Standards Council, which was founded by American Express, Discover Financial Services, JCB International, MasterCard Worldwide and Visa Inc.
PCI DSS applies to all entities that store, process or transmit cardholder data (CHD) and/or sensitive authentication data (SAD) including merchants, processors, acquirers, issuers, and service providers. The PCI DSS is mandated by the card brands and administered by the Payment Card Industry Security Standards Council.
Request the PCI DSS Attestation of Compliance (AOC) and Responsibility Summary using AWS Artifact.
Yes, AWS has been PCI DSS certified since 2010. As of July 11, 2016, an external Qualified Security Assessor Company (QSAC), Coalfire Systems Inc., has validated that Amazon Web Services (AWS) successfully completed the PCI Data Security Standard 3.2 Level 1 Service Provider assessment and was found to be compliant for all the services outlined below.
Service provider levels are defined as:
Level 1: Any service provider that stores, processes and/or transmits over 300,000 transactions annually
Level 2: Any service provider that stores, processes and/or transmits less than 300,000 transactions annually
Amazon Web Services (AWS) is a Cloud Service Provider (CSP) that does not directly store, transmit or process any customer cardholder data (CHD). However, AWS customers may create their own card data environment (CDE) that can store, transmit or process cardholder data using AWS products.
The covered AWS services that are already PCI DSS compliant can be found within AWS Services in Scope by Compliance Program. If you would like to learn more about using these services and/or have an interest in other services, please contact us.
AWS being a PCI DSS “Compliant” Service Provider means that customers who use AWS products and services to store, process or transmit cardholder data can rely on our technology infrastructure as they manage their own PCI DSS compliance certification.
AWS' PCI DSS compliance further demonstrates the commitment to information security at every level. As the PCI DSS standard is validated by an external independent third party, it confirms that our security management program is comprehensive and follows leading industry practices. This validation provides our customers assurance with regard to our security practices.
As an AWS customer, can I rely on the AWS Attestation of Compliance (AOC), or will additional testing be required to be fully compliant?
All entities must manage their own PCI DSS compliance certification. For the portion of the PCI cardholder environment deployed in AWS, your QSA can rely on the AWS Attestation of Compliance (AOC), but you will still be required to satisfy all other PCI DSS requirements.
For detailed information please refer to the "AWS 2016 PCI DSS 3.2 Responsibility Summary" from the AWS PCI DSS Compliance Package, available upon request.
The AWS PCI DSS Compliance Package includes:
• AWS PCI DSS 3.2 Attestation of Compliance (AOC)
• AWS 2016 PCI DSS 3.2 Responsibility Summary
Is AWS listed on the Visa Global Registry of Service Providers and the MasterCard Compliant Service Provider List?
No. The AWS environment is a virtualized, multi-tenant environment. AWS has implemented security management processes, PCI DSS requirements and other compensating controls that effectively and securely segregate each customer into its own protected environment. This secure architecture has been validated by an independent QSA and was found to be in compliance with all requirements of PCI DSS version 3.2, published in April 2016.
The PCI Security Standards Council has published PCI DSS Cloud Computing Guidelines 2.0 as guidance for customers, service providers, and assessors of cloud computing services. It also describes service models and how compliance roles and responsibilities are shared between providers and customers.
Additionally, Third-Party Security Assurance 2016 provides supplemental information to organizations in selecting, using, and managing third-party service providers with whom cardholder data is shared.
A merchant’s QSA can always rely on AWS Attestation of Compliance (AOC) to demonstrate an extensive assessment of physical security controls of AWS data centers.
Yes. AWS manages forensic investigations in alignment with PCI DSS requirement A1.4. Customers or their designated Qualified Incident Response Assessors (QIRA) can contact AWS as required to perform forensic investigations.
Is there a special PCI DSS compliant environment I need to specify when bringing up servers or uploading objects to store?
No. The entire infrastructure that supports in-scope services is compliant and there is no separate environment or special API to use. Any server or data object deployed in or using these services is in a PCI DSS compliant environment, globally.
Yes. There are ten international regions compliant with the PCI DSS standard: US East (Northern Virginia), US West (Oregon), US West (Northern California), AWS GovCloud (US) (Oregon), EU (Ireland), EU (Frankfurt), Asia Pacific (Singapore), Asia Pacific (Tokyo), Asia Pacific (Sydney), and South America (São Paulo). These regions are included in the independent QSA validation scope. PCI is a global standard and does not change based on geography.
Yes, numerous AWS customers have successfully deployed and certified part or all of their cardholder environments on AWS. AWS does not disclose the customers who have achieved PCI DSS certification, but does regularly work with customers and their PCI DSS assessors in planning for, deploying, certifying, and performing quarterly scanning of a cardholder environment on AWS.
There are two primary approaches that companies take to validate their PCI DSS compliance on an annual basis. The first approach is to have an external Qualified Security Assessor (QSA) assess your applicable environment and then create a Report on Compliance (ROC) and Attestation of Compliance (AOC); this approach is most common for entities that handle large volumes of transactions. The second approach is to perform a Self-Assessment Questionnaire (SAQ); this approach is most common for entities that handle smaller volumes of transactions.
It is important to note that the payment brands and acquirers are responsible for enforcing compliance, not the PCI council.
Below is a high-level overview of the 12 PCI DSS requirements.
Build and Maintain a Secure Network and Systems
1. Install and maintain a firewall configuration to protect cardholder data
2. Do not use vendor-supplied defaults for system passwords and other security parameters

Protect Cardholder Data
3. Protect stored cardholder data
4. Encrypt transmission of cardholder data across open, public networks

Maintain a Vulnerability Management Program
5. Protect all systems against malware and regularly update anti-virus software or programs
6. Develop and maintain secure systems and applications

Implement Strong Access Control Measures
7. Restrict access to cardholder data by business need to know
8. Identify and authenticate access to system components
9. Restrict physical access to cardholder data

Regularly Monitor and Test Networks
10. Track and monitor all access to network resources and cardholder data
11. Regularly test security systems and processes

Maintain an Information Security Policy
12. Maintain a policy that addresses information security for all personnel