Any company or service provider that processes debit or credit card payments faces a strict requirement: it must comply with the Payment Card Industry Data Security Standard (PCI DSS). These requirements assure customers and merchant account providers alike that cardholder information is protected from data breaches, fraud and other criminal activity. One of the easiest ways to demonstrate PCI compliance for a cloud-hosted e-commerce environment is to entrust your cardholder data to AWS. Amazon Web Services (AWS) states that its products and services comply with PCI standards, so you can store or transmit customer cardholder data on the platform with the assurance that adherence to PCI requirements is built into it.
The PCI DSS, a public document that you can reference at any time should you have a question, was developed by the PCI Security Standards Council. That body is made up of American Express, Discover Financial Services, JCB International, MasterCard Worldwide and Visa Inc. The standard applies to all parties that process, store or transmit cardholder data (CHD) or sensitive authentication data (SAD), including merchants, processors, issuers, service providers and acquirers. PCI DSS compliance covers the following requirements:
- Your network infrastructure must be built and maintained securely, including using a firewall and not relying on vendor-supplied defaults for security settings.
- All cardholder data must be protected, and encrypted whenever it crosses public networks.
- Your network's exposure to cyberattack must be minimized with antivirus software and other malware protections.
- Access to system components must be controlled by restricting who can reach sensitive data and by enforcing strong identity authentication procedures.
- All networks must be regularly monitored and tested, including checks of security systems and controls.
- You must implement and maintain an information security program and policy that thoroughly describes every procedure used in handling cardholder data.
AWS PCI Compliance Details
AWS is a certified PCI DSS 3.2 Level 1 service provider, the highest assessment level available. A Qualified Security Assessor (QSA) performed the AWS audit and regularly retests Amazon's PCI compliance. As a company that handles cardholder data, you can be assured that the entire AWS technology infrastructure is PCI compliant. An assessor wishing to verify this can obtain and review AWS's Attestation of Compliance (AOC) and Responsibility Matrix documentation.
In addition, there are several resources available to you if you have questions when assessing AWS’s adherence to industry standards and protocols. These include the following:
- Amazon GuardDuty (a service that monitors, detects and reports suspected unauthorized or malicious activity that could compromise your account).
- AWS Artifact (a compliance portal containing System and Organization Controls (SOC) reports, PCI reports and other documentation from accredited evaluating bodies).
- Amazon Inspector (an automated service that scans for security findings and reports them in order of priority).
- Compliance workbook (a set of standards, protocols and techniques outlining PCI-compliant cloud status. Specifically, it provides sample architectures for the most common PCI-compliant environments, whether the systems are dedicated or stand-alone, segmented into in-scope systems, or connected to and integrated with your own systems on AWS).
That being said, you must still conduct your own investigations and obtain PCI DSS compliance certification for your organization, be it a small business or a global corporation.
If you are unsure about your responsibilities for PCI compliance, that does not mean you have to do all of the work alone. Companies such as TrustNet can answer your questions, help you learn the ins and outs, and support you throughout the entire PCI compliance process. Deploying robust PCI adherence protocols is one of the best ways to protect your company and customers from breaches and other attacks, and to give everyone solid assurance of your company's trustworthiness. Take action to safeguard your physical servers and cloud-based data today.