The Payment Card Industry Data Security Standard (PCI DSS) is an information security standard, established to reduce credit card fraud.
AWS is a PCI-compliant Level 1 service provider. Because AWS is a PCI-compliant service provider, it is not necessary for organizations hosting at AWS to assess the AWS infrastructure as part of the organization’s PCI compliance.
However, AWS operates on a shared responsibility model, where AWS customers are responsible for all aspects of PCI compliance related to their environment within AWS. This includes AWS service configurations, guest operating systems, and requisite security controls (IDS, anti-virus, etc.).
Shared Responsibility Model
Security of the cloud: AWS is responsible for protecting the global infrastructure that runs all of the services offered in the AWS Cloud. This infrastructure comprises the hardware, software, networking, and facilities that run Amazon Web Services.
Security on the cloud: the customer (you!) is responsible for security measures related to the platform of customer content and applications that make use of AWS services (e.g. operating system/AWS service/web application config, etc).
The biggest challenge while doing PCI compliance for cloud infrastructure is that the infrastructure has multiple Security Groups (Firewalls) as against one or two firewall normally found in physical network.
To achieve PCI compliance, we follow all the guidelines published by PCI and give our best to achieve 12 data security standard requirements that are organized under six functional areas. CloudOps in-depth understanding of these requirements helps client to achieve the compliance in minimal time.
PCI-DSS Compliance on AWS
Amazon Web Services (AWS) provides a secure, elastic and compliant hosting environment with the requisite tools to ensure PCI-DSS compliance. The architectural blueprint for hosting applications and data in AWS includes:
- – Basic AWS identity and Access management configuration with custom IAM policies with associated groups, roles and instance policies.
- – Amazon Virtual Private Cloud multi A-Z architecture with separate subnets for different application tiers and private subnets for application and database.
- – Amazon simple storage service (Amazon S3) buckets for encrypted web content, logging and backup data.
- – Standard Amazon Virtual Private Cloud security groups for Amazon Elastic compute cloud instances and load balances used in the sample application stack.
- – 3-tier Linux web application using Auto Scaling and Elastic Load balancing, which can be modified and /or boot strapped with customer applications.
- – A secured bastion login host to facilitate command line secure shell access to Amazon EC2 instances for troubleshooting and systems administration activities.
- – Encrypted, Multi – AZ Amazon Relational Database service (Amazon RDS) MySQL database.
- – Logging, monitoring and alerts using AWS Cloud Trail, Amazon Cloud watch and AWS configuration rules.
Our team has experienced of many available open source tools and commercial tools for Host-based intrusion detection system (HIDS). Team has also built the competency to handle entire documentation and evidences that are needed to get the compliance from PCI auditors.
CloudOps leverages its extensive cloud expertise to design the Securely configured, PCI compliance ready, high performance secure cloud infrastructure. We handle the complexity of PCI DSS effectively for designing audited and certified cloud infrastructure.