Implementing PCI DSS on AWS

According to Innovative Retail Technologies, 52% of surveyed retailers plan to actively move applications to the cloud this year. The initially tepid response to cloud is waning as retailers learn more about its strengths for availability and innovation. Yet, one question our AWS consultants frequently field from retailers is about achieving AWS PCI Compliance in the cloud. As most readers of this blog know, the Payment Card Industry Data Security Standard, otherwise known as PCI DSS, is an information security standard requiring organizations to incorporate controls around customer data to prevent credit card fraud. There are several ways that AWS helps its retail clients build a foundation for PCI compliance and they’ve recently announced one more in the form of a Quick Start.

Defined by a structure of 12 requirements (best practices and security controls) to keep credit card data safe and secure during transit, processing, and storage, PCI DSS requires organizations to build and maintain a secure network, protect cardholder data, maintain a vulnerability management program, implement strong security measures, test and monitor networks on a regular basis, and maintain an information security policy. AWS helps achieve this goal by providing an environment which is compliant to the standard. Certification, it should be noted, is the responsibility of the company. As we all know, compliance does not automatically translate to certification.

At Flux7 our AWS experts have been implementing PCI compliant AWS solutions since 2014–well before AWS formalized its first PCI program. Since our first PCI deployment for a company called GoBold, we have been implementing AWS best practices for a host of companies looking to maximize the benefits of cloud computing with world-class security and regulatory compliance. Let’s first discuss the AWS PCI updates and then we’ll share how we apply them to Fortune 1000 enterprises like Rent-A-Center.

Most AWS services  have been validated by an independent Qualified Security Assessor (QSA) to be compliant to the PCI Level 1 standard (the highest of the 4 PCI levels). AWS provides a PCI Compliance Package to merchant customers, which contains the appropriate compliance documentation to use in seeking certification. The package clarifies the responsibilities of AWS and the merchant and further demonstrates its compliance by meeting all applicable requirements.

In the next step to help customers adopt their platform for PCI, AWS has released its PCI DSS Quick Start program. The Quick Start program was developed by AWS field teams to help provide guidance on reference architectures, configuration and tools to rapidly deploy the guidance.  

The PCI DSS Quick Start program includes critical elements that any organization would require when beginning to deploy an AWS environment to align with PCI DSS requirements. This includes initial prerequisite platform configurations that allow deployment scripts to complete without error. The program also provides pre-defined scripts that can be deployed in whole–or in part–by organizations to leverage only elements of the accelerator that the organization feels are necessary.  

The deployment scripts are also customizable, allowing organizations to utilize the rapid deployment capabilities and take into account existing configuration(s) and other needs of the organization. Finally, the scripts can be run from an organizationally-managed S3 bucket and saved for scripting and use with CloudFormation for ongoing deployment, management, and scalability of the environment.

PCI DSS version 3.1 was used as the Quick Start baseline. The included CloudFormation templates employ the concept of nesting to build independent stacks for the global, network, access, and application portions of the architecture. Automating instance and network configuration significantly reduces the opportunity for engineers to make security mistakes; engineers do not have to manually configure AWS security groups, networks, user access, firewalls, encrypted volumes, DNS names, log shipping, etc. They do not have to “remember” best practices every time they spin up a new instance, which is arguably the most vulnerable time in an instance’s life.

The Quick Start also includes a Security Controls Reference. This document maps the security controls called out by PCI DSS to the relevant architecture decisions, features, and configurations. The latest scope of services and regions for the AWS PCI DSS Level 1 certification can be found at:  https://aws.amazon.com/compliance/pci-dss-level-1-faqs/

Fortune 1000 Retail

Our DevOps consulting team recently had the opportunity to help Rent-A-Center (RAC) build a new e-commerce portal based on AWS Security by Design principles. The goal of the project was to simultaneously increase agility, meet peaks in customer demand, ensure system security and achieve PCI Level 1 compliance. Good security is at the heart of regulatory compliance so by building a secure foundation with InfoSec cloud best practices, RAC was able to achieve PCI compliance in the cloud with five 9’s availability. Moreover, giving the development team the ability to design and build at the speed of the market means that RAC IT is now not just a business enabler, but a provider of direct business value, giving the organization a means to build solutions that outpace customer expectations. For additional details on RAC, Security by Design and its implications for successful PCI compliance, please watch as RAC presents at the AWS Summit in Chicago.

Flux7 PCI Best Practices

We recently had the opportunity to apply our PCI best practices for a global broadband services and technology company whose managed Wi-Fi hotspots are part of a sophisticated communications network.The payment processing environment for its Wi-Fi services was built in conjunction with Flux7 consultants to ensure a fast and robust environment that assured immediate service to users at any time–all while maintaining Level 1 PCI compliance. With Flux7’s finely tuned AWS compliance best practices, as applied through the principles of Security by Design, this organization was able to achieve best-in-industry security and PCI compliance. In addition, by using the key tenets of DevOps as foundational building blocks, this communications provider found important operational benefits like elasticity of service, high availability, and scalability that keeps customers in the purchase process.

We’ll leave you with the example of a Fortune 1000 financial services organization who is also a Level 1 merchant due to the volume of credit card data under its management. While this enterprise was already very focused on security and compliance, Flux7 consultants were able to provide another layer of expertise when it came to compliance in the cloud and the surrounding ecosystem of tools. Flux7 created for this enterprise a cloud computing architecture that met strict security and regulatory requirements and that allowed admin and machine access to the environment without compromising security. Specifically, our AWS consultants created an elegant, purpose-built solution that achieves critical separation of roles between development and IT, while maintaining high levels of AWS DevOps driven productivity.

Click here to read Rent-A-Center SAP Hybris Solution Enabled by Amazon ECS Service Auto Scaling

If you are beholden to PCI requirements and are interested in pursuing a cloud strategy for enhanced availability, reliability and competitive advantage, please reach out today. We will gladly walk you through our best practice-based experience helping PCI Level 1 merchants achieve cloud-based PCI compliance.

Did you find this useful?  

Interested in getting tips, best practices and commentary delivered regularly? Click the button below to sign up for our blog and set your topic and frequency preferences.