PCI on Amazon Web Services (AWS): What You Need To Know. Understanding the regulatory roadmap for PCI on AWS



David Clevenger, November 2015

Summary

Payment Card Industry (PCI) is an accreditation body that manages the standards created by the Payment Card Brands (VISA, MasterCard, American Express, JCB International, and Discover). The PCI requirements apply to any entity environment that stores, processes, or transmits Cardholder Data (CHD). The current PCI requirements are the PCI Data Security Standard (DSS) version 3.1. This document provides general PCI-related information as well as how it relates to AWS IaaS partner ecosystems.

What You Need To Know for PCI Accreditations

Question - Who do PCI accreditations apply to?

Answer - PCI is applicable to all merchants that store, process, or transmit CHD. Merchants are classified into PCI merchant levels to determine risk and ascertain the respective security levels required for cardholder protection. When leveraging AWS IaaS (GovCloud and US East/West), a merchant's security responsibility is shared between AWS, the Cloud Service Provider (CSP) whose Cardholder Data Environment (CDE) processes the credit card data, and the end customer.

Question - How do you move forward as a PCI approved CSP?

Answer - To understand your baseline requirements, you must first understand your merchant level. The tier you fall into depends on your transaction volume and the Payment Brand you are affiliated with. The first step is to contact your acquiring bank and validate the following high-level steps:

o Determine your merchant level from the transaction volume over the defined year period.
o Confirm the necessary PCI requirements (onsite assessment or self-assessment, Self-Assessment Questionnaire, external vulnerability scan, penetration test).
o Obtain the AWS inheritance matrix.
o Prepare for the PCI audit.
o Undergo the PCI audit.
o Once the merchant has been verified as compliant, submit the completed requirements to the acquiring bank, which will in turn report them through the respective Payment Card Brands.

You must then map your business requirements to the applicable merchant tiers, as denoted below:

Merchant Level 1:
o Any merchant processing more than 6,000,000 transactions annually
o Any merchant that has had a data breach that resulted in an account compromise
o Any merchant designated as Level 1 by a card association
o Annual Report on Compliance (ROC) by a Qualified Security Assessor (QSA) or an internal auditor, signed by an officer of the company
o Quarterly network scan by an Approved Scanning Vendor (ASV)
o Attestation of Compliance (AOC) Form

Merchant Level 2:
o Any merchant processing between 1,000,000 and 6,000,000 transactions annually
o Annual Self-Assessment Questionnaire (SAQ)
o Quarterly network scan by an ASV
o AOC Form

Merchant Level 3:
o Any merchant processing between 20,000 and 1,000,000 transactions annually
o Annual SAQ
o Quarterly network scan by an ASV
o AOC Form

Merchant Level 4:
o Any merchant processing fewer than 20,000 (Visa/MasterCard) e-commerce transactions annually, and all other merchants processing up to 1,000,000 VISA or MasterCard transactions annually
o Annual SAQ
o Quarterly network scan by an ASV
o AOC Form (ultimately set by the acquirer)

*Please note: requirements can vary by brand; it is always recommended to confirm the latest guidance with the PCI Security Standards Council.

Question - What AWS environments have been PCI accredited?

Answer - The scope of the AWS PCI compliance for the services listed below applies to AWS data centers in US East (Northern Virginia), US West (Oregon), US West (Northern California), AWS GovCloud (US) (Oregon), EU (Frankfurt), EU (Ireland), Asia Pacific (Singapore), Asia Pacific (Tokyo), Asia Pacific (Sydney), and South America (Sao Paulo).

Question - What AWS Services have been PCI accredited?

Answer - The following services have been PCI accredited:

o Auto Scaling
o AWS CloudFormation
o Amazon CloudFront
o AWS CloudHSM
o AWS CloudTrail
o AWS Direct Connect
o Amazon DynamoDB
o AWS Elastic Beanstalk
o Amazon Elastic Block Store (EBS)
o Amazon Elastic Compute Cloud (EC2)
o Elastic Load Balancing (ELB)
o Amazon Elastic MapReduce (EMR)
o Amazon Glacier
o AWS Key Management Service (KMS)
o AWS Identity and Access Management (IAM)
o Amazon Redshift
o Amazon Relational Database Service (RDS)
o Amazon Route 53
o Amazon SimpleDB
o Amazon Simple Storage Service (S3)
o Amazon Simple Queue Service (Amazon SQS)
o Amazon Simple Workflow Service (Amazon SWF)
o Amazon Virtual Private Cloud (VPC)

Question - AWS already has a PCI DSS Level 1 accreditation for all regions; does the AWS partner/CSP inherit that PCI accreditation?

Answer - You will only inherit the management of the supporting infrastructure for your PCI requirements; that is Requirement 9 of the PCI DSS version 3.1 requirements. Regulatory inheritance is a shared responsibility. You can obtain the PCI inheritance control matrix from AWS under NDA to further detail these controls.

Question - As an AWS customer, who would we speak with at AWS for PCI inheritance?

Answer - Some controls will be inherited from AWS, some are shared between AWS and the CSP, and some are the responsibility of the end customer. The CSP should understand which controls are inherited, which are shared, and which system-specific controls they will be responsible for securing when leveraging the AWS ecosystem. The CSP should then speak to their assigned AWS account representative about the PCI control inheritance available to them under NDA.

Question - If leveraging AWS, why do I need to undergo a PCI assessment, since all the data is sent to AWS?

Answer - The PCI DSS requirements cover a wide range of topics including, but not limited to, organizational training, policies and procedures, incident response, and configuration management. Even though the CHD is processed within services sitting in the AWS environment, the security of the CHD is a shared responsibility between AWS, the CSP, and the end customer.

Question - How many requirements must I evaluate if I am completing a ROC?

Answer - All 12 requirements, which equates to 400+ controls requiring evaluation. It is also important to note that the organization must pass ALL controls to be considered PCI compliant.

Question - What is a SAQ and how does it apply to PCI?

Answer - The PCI DSS SAQ is a validation tool for merchants and service providers that are not required to undergo an on-site data security assessment per the PCI DSS Security Assessment Procedures. The purpose of the SAQ is to assist organizations in self-evaluating their compliance with the PCI DSS, currently at version 3.1.

Question - How many requirements must be evaluated if completing a SAQ?

Answer - Please take a look at the table below. It is also important to note that the organization must pass ALL controls to be considered PCI compliant.

SAQ type (number of PCI DSS requirements covered): Description

SAQ A (2 requirements): Card-not-present merchants (e-commerce or mail/telephone-order) that have fully outsourced all cardholder data functions to PCI DSS compliant third-party service providers, with no electronic storage, processing, or transmission of any cardholder data on the merchant's systems or premises.

SAQ A-EP (12 requirements): E-commerce merchants who outsource all payment processing to PCI DSS validated third parties, and who have a website(s) that doesn't directly receive cardholder data but that can impact the security of the payment transaction. No electronic storage, processing, or transmission of any cardholder data on the merchant's systems or premises.

SAQ B (5 requirements): Merchants using only dial-out terminals with no electronic cardholder data storage.

SAQ B-IP (10 requirements): Merchants using only standalone, PTS-approved payment terminals with an IP connection to the payment processor, with no electronic cardholder data storage.

SAQ C-VT (9 requirements): Merchants who manually enter a single transaction at a time via a keyboard into an Internet-based virtual terminal solution that is provided and hosted by a PCI DSS validated third-party service provider. No electronic cardholder data storage.

SAQ C (12 requirements): Merchants with payment application systems connected to the Internet, with no electronic cardholder data storage.

SAQ P2PE-HW (4 requirements): Merchants using only hardware payment terminals that are included in and managed via a validated, PCI SSC-listed P2PE solution, with no electronic cardholder data storage.

SAQ D (12 requirements): To be used in the event the previous SAQs are not applicable.

Question - How long do most PCI audits take?

Answer - Most PCI assessments undergo a 4-6 month assessment review period. During the 4-6 months the organization undergoes planning for the assessment, testing and artifact collection, and report creation/validation. The report will be either a combination of a ROC and AOC, or a combination of a SAQ and its associated AOC. Please note that organizations with multiple non-compliant requirements often exceed the 6 month time frame due to required remediation efforts.

Navigating the complexities of cloud ecosystems can be a daunting task. Understanding the boundaries around which regulatory bodies are applicable, how and where PCI (the CDE) applies, and what preparation is needed are key elements of a successful PCI implementation. If you have any questions and wish to speak further, feel free to send an inquiry and we can assist on how PCI and the AWS ecosystem come together.

David Clevenger
Director, Strategic Accounts
E-mail: dclevenger@verisgroup.com
Veris Group, LLC
www.verisgroup.com