PCI on Amazon Web Services (AWS): What You Need To Know
Understanding the regulatory roadmap for PCI on AWS
David Clevenger, November 2015

Summary

The Payment Card Industry Security Standards Council (PCI SSC) manages the standards created by the payment card brands (Visa, MasterCard, American Express, JCB International, and Discover). The PCI requirements apply to any environment that stores, processes, or transmits cardholder data (CHD). The current requirements are the PCI Data Security Standard (DSS) version 3.1. This document provides general PCI information and explains how PCI applies to AWS IaaS partner ecosystems.

What You Need To Know for PCI Accreditations

Question - Who do PCI accreditations apply to?
Answer - PCI applies to all merchants that store, process, or transmit CHD. Merchants are classified into levels to determine risk and the corresponding validation requirements for cardholder protection. When a merchant leverages AWS IaaS (GovCloud and US East/West), security is a shared responsibility among AWS, the Cloud Service Provider (CSP) whose Cardholder Data Environment (CDE) processes the credit card data, and the end customer.

Question - How do you move forward as a PCI approved CSP?
Answer - To understand your baseline requirements, you must first understand your merchant level. The level (tier) you fall into depends on your annual transaction volume and the payment brand you are affiliated with. The first step is to contact your acquiring bank and validate the following high-level steps:
1. Determine the merchant level from the transaction volume over the defined one-year period.
2. Confirm the necessary PCI requirements (onsite assessment or self-assessment, Self-Assessment Questionnaire, external vulnerability scan, penetration test).
3. Obtain the AWS inheritance matrix.
4. Prepare for the PCI audit.
5. Undergo the PCI audit.
6. Once the merchant has been verified as compliant, submit the required documentation to the acquiring bank, which in turn reports it through the respective payment card brands.
You must then map your business requirements to the applicable merchant level, as denoted below:

Merchant Level 1:
o Any merchant processing more than 6,000,000 transactions annually
o Any merchant that has had a data breach that resulted in an account compromise
o Any merchant that a card association determines should be treated as Level 1
o Annual Report on Compliance (ROC) by a Qualified Security Assessor (QSA), or by an internal auditor, signed by an officer of the company
o Quarterly network scan by an Approved Scanning Vendor (ASV)
o Attestation of Compliance (AOC) form

Merchant Level 2:
o Any merchant processing between 1,000,000 and 6,000,000 transactions annually
o Annual Self-Assessment Questionnaire (SAQ)
o Quarterly network scan by an ASV
o AOC form

Merchant Level 3:
o Any merchant processing between 20,000 and 1,000,000 e-commerce transactions annually
o Annual SAQ
o Quarterly network scan by an ASV
o AOC form

Merchant Level 4:
o Any merchant processing fewer than 20,000 Visa/MasterCard e-commerce transactions annually, and all other merchants processing up to 1,000,000 Visa or MasterCard transactions annually
o Annual SAQ
o Quarterly network scan by an ASV
o AOC form (ultimately set by the acquirer)

*Please note that requirements can vary by brand; always confirm the latest guidance with the PCI Security Standards Council and your acquirer.
Question - What AWS environments have been PCI accredited?
Answer - The scope of the AWS PCI compliance for the services listed below applies to AWS data centers in US East (Northern Virginia), US West (Oregon), US West (Northern California), AWS GovCloud (US) (Oregon), EU (Frankfurt), EU (Ireland), Asia Pacific (Singapore), Asia Pacific (Tokyo), Asia Pacific (Sydney), and South America (Sao Paulo).

Question - What AWS services have been PCI accredited?
Answer - The following services have been PCI accredited:
Auto Scaling
AWS CloudFormation
Amazon CloudFront
AWS CloudHSM
AWS CloudTrail
AWS Direct Connect
Amazon DynamoDB
AWS Elastic Beanstalk
Amazon Elastic Block Store (EBS)
Amazon Elastic Compute Cloud (EC2)
Elastic Load Balancing (ELB)
Amazon Elastic MapReduce (EMR)
Amazon Glacier
AWS Key Management Service (KMS)
AWS Identity and Access Management (IAM)
Amazon Redshift
Amazon Relational Database Service (RDS)
Amazon Route 53
Amazon SimpleDB
Amazon Simple Storage Service (S3)
Amazon Simple Queue Service (Amazon SQS)
Amazon Simple Workflow Service (Amazon SWF)
Amazon Virtual Private Cloud (VPC)

Question - AWS already holds a PCI DSS Level 1 Service Provider attestation for the regions listed above; does the AWS partner/CSP inherit that PCI accreditation?
Answer - No. You inherit only the controls covering the management of the supporting physical infrastructure, most directly Requirement 9 of PCI DSS version 3.1 (restrict physical access to cardholder data). Control inheritance is a shared responsibility; AWS makes a PCI inheritance control matrix available under NDA that details which controls are inherited, which are shared, and which remain with you.
Question - As an AWS customer, who would we speak with at AWS for PCI inheritance?
Answer - Some controls are inherited from AWS, some are shared between AWS and the CSP, and some fall to the end customer. The CSP should understand which controls are inherited, which are shared, and which system-specific controls it is responsible for securing when leveraging the AWS ecosystem. The CSP should then speak to its assigned AWS account representative about the PCI control inheritance documentation available under NDA.

Question - If leveraging AWS, why do I need to undergo a PCI assessment, since all the data is sent to AWS?
Answer - The PCI DSS requirements cover a wide range of topics, including but not limited to organizational training, policies and procedures, incident response, and configuration management. Even though the CHD is processed within services running in the AWS environment, the security of the CHD is a shared responsibility among AWS, the CSP, and the end customer.

Question - How many requirements must I evaluate if I am completing a ROC?
Answer - All 12 requirements, which equates to 400+ controls requiring evaluation. Note that the organization must pass ALL applicable controls to be considered PCI compliant.

Question - What is a SAQ and how does it apply to PCI?
Answer - The PCI DSS SAQ is a validation tool for merchants and service providers that are not required to undergo an on-site data security assessment per the PCI DSS Security Assessment Procedures. The purpose of the SAQ is to assist organizations in self-evaluating their compliance with PCI DSS, currently at version 3.1.
Question - How many requirements must be evaluated if completing a SAQ?
Answer - See the table below; the number shown is the count of PCI DSS requirements each SAQ addresses. Note that the organization must pass ALL applicable controls to be considered PCI compliant.

SAQ A (2 requirements addressed): Card-not-present merchants (e-commerce or mail/telephone-order) that have fully outsourced all cardholder data functions to PCI DSS compliant third-party service providers, with no electronic storage, processing, or transmission of any cardholder data on the merchant's systems or premises.

SAQ A-EP (12 requirements addressed): E-commerce merchants who outsource all payment processing to PCI DSS validated third parties, and who have a website(s) that doesn't directly receive cardholder data but that can impact the security of the payment transaction. No electronic storage, processing, or transmission of any cardholder data on the merchant's systems or premises.

SAQ B (5 requirements addressed): Merchants using only imprint machines and/or standalone dial-out terminals, with no electronic cardholder data storage.

SAQ B-IP (10 requirements addressed): Merchants using only standalone, PTS-approved payment terminals with an IP connection to the payment processor, with no electronic cardholder data storage.

SAQ C-VT (9 requirements addressed): Merchants who manually enter a single transaction at a time via a keyboard into an Internet-based virtual terminal solution that is provided and hosted by a PCI DSS validated third-party service provider. No electronic cardholder data storage.

SAQ C (12 requirements addressed): Merchants with payment application systems connected to the Internet, no electronic cardholder data storage.

SAQ P2PE-HW (4 requirements addressed): Merchants using only hardware payment terminals that are included in and managed via a validated, PCI SSC-listed P2PE solution, with no electronic cardholder data storage.

SAQ D (12 requirements addressed): To be used in the event the previous SAQs are not applicable.

Question - How long do most PCI audits take?
Answer - Most PCI assessments undergo a 4-6 month assessment review period. During those 4-6 months the organization plans for the assessment, performs testing and artifact collection, and creates and validates the report. The report will be either a ROC with its AOC, or a SAQ with its associated AOC. Please note that organizations with multiple non-compliant requirements often exceed the 6-month time frame due to required remediation efforts.
Navigating the complexities of cloud ecosystems can be a daunting task. Understanding which regulatory bodies apply, how and where the PCI Cardholder Data Environment (CDE) boundary falls, and what preparation is needed are key elements of a successful PCI implementation. If you have any questions and wish to speak further, feel free to send an inquiry and we can assist with how PCI and the AWS ecosystem come together.

David Clevenger
Director, Strategic Accounts
E-mail: dclevenger@verisgroup.com
Veris Group, LLC
www.verisgroup.com