Contact Us

How to be PCI compliant with AWS services

Written by Airwalk Reply Senior Security Consultant Dave Wilson

In an era where retail eCommerce sales are projected to reach a staggering $7.4 trillion by 2025, the secure handling of customer payment information has become paramount. 

Airwalk Reply is a leading AWS Partner As organisations increasingly embrace public cloud environment services like Amazon Web Services (AWS), ensuring compliance with the Payment Card Industry Data Security Standard (PCI DSS) is more critical than ever.

In this article, we will delve into the core principles of PCI DSS compliance within AWS and explore the range of AWS services that can impact the security efforts of your organisation to achieve PCI compliance.

By understanding these services and strategies, organisations can take proactive measures to safeguard cardholder data, enhance their security posture, and meet their PCI DSS obligations effectively.

Why the need for cloud PCI compliance?

As public cloud adoption continues to accelerate, the need for PCI cloud compliance to  securely handle sensitive customer payment information has never been more critical. The Payment Card Industry Data Security Standard is a set of information security requirements that detail the security controls that must be applied by organisations that consume, process, and store credit card data. 

The Payment Card Industry Data Security Standard (PCI DSS) was created by the Payment Card Industry Security Standards Council (PCI SSC). The PCI SSC is an independent body formed in 2006 by major payment card brands, including Visa, Mastercard, American Express, Discover, and JCB.

It is important to note that the specific compliance requirements may vary based on factors such as the volume of transactions processed, the organisation's level of involvement with cardholder data, and the card brands' individual compliance programmes. 

What are the PCI categories?

Organisations are categorised into different levels (1 to 4) based on their annual transaction volume, and each level has specific compliance requirements and validation procedures. However, all levels are expected to conduct quarterly network scans using an Approved Scanning Vendor (ASV).

Ensuring that your AWS cloud infrastructure is compliant with the standard not only helps mitigate the risk of data breaches and financial losses but also fosters trust among customers, partners, and regulatory bodies. 

PCI DSS compliance is not mandatory for all organisations, only those that process card payments and is a requirement of the card brands themselves. Failure to comply can result in fines, increased transaction fees, restrictions, or even the termination of the organisation's ability to process card payments.

Achieving PCI DSS Compliance in AWS

In the context of consuming Amazon Web Services (AWS) to build the infrastructure required to host your product, PCI DSS like many other frameworks relies on the shared responsibility model published by AWS. 

It's important for customers to thoroughly understand their responsibilities and ensure that they implement the necessary security controls and best practices to achieve and maintain PCI DSS compliance on AWS. 

In this section, we’ll discuss some of the AWS services that can be deployed by clients to support compliance with the PCI DSS Standard.

How to be PCI compliant using AWS services?

To achieve PCI DSS compliance in AWS, consider the following steps:

Understand the Shared Responsibility Model: Familiarise yourself with the responsibilities shared between AWS and your organisation. AWS manages the security of the cloud, while you're responsible for securing your applications and data within the AWS environment.

Identify Applicable PCI DSS Requirements: Determine which PCI DSS requirements are relevant to your organisation based on your involvement with cardholder data and transaction volume. This will help you prioritise and focus your compliance efforts.

Implement Security Controls: Deploy appropriate AWS services and features to enforce necessary security controls. For example, use AWS Web Application Firewall (WAF) to protect web applications and AWS Config to monitor and enforce configurations.

Maintain Configuration Compliance: Continuously monitor and track your resource configurations to ensure they align with PCI DSS requirements. Leverage AWS Config to automate compliance checks and maintain a history of configuration states.

Enable Logging and Monitoring: Utilise AWS services like CloudTrail and GuardDuty to capture comprehensive audit trails and detect security threats in real-time. Integrate with SIEM tools to enhance your security operations capabilities.

Conduct Regular Audits: Perform internal audits to assess your compliance status and identify any gaps or areas for improvement. Consider leveraging AWS Audit Manager to streamline and centralise your audit process.

Engage with Compliance Experts: If needed, seek assistance from AWS consulting partners like Airwalk Reply who specialise in AWS security and compliance. They can provide guidance, support, and expertise to help you achieve and maintain PCI DSS compliance.

Remember that achieving and maintaining PCI DSS compliance is an ongoing process. Regularly review and update your security measures to address evolving threats and changes in your environment.

AWS Artifact

In the first instance, it is always beneficial for AWS customers to know that the services that they are deploying as part of their solution are in fact PCI DSS compliant. 

AWS Artifact simplifies the process of accessing and managing compliance documentation, providing customers with the necessary resources to support their PCI DSS compliance efforts, these can include PCI attestation documents and responsibility summaries. 

It enhances transparency, streamlines audits, and helps organisations maintain an up-to-date understanding of AWS' compliance with PCI DSS.

AWS Web Application Firewall

Perimeter controls are an important layer in any comprehensive security strategy and AWS WAF can play an important role for organisations operating in the public cloud space. 

The AWS WAF is a flexible solution that can be deployed as part of a CloudFront distribution, integrated with your Application Load Balancers, or directly on to an API Gateway. 

Once deployed, organisations can benefit from AWS’ centrally managed rule groups that are regularly updated to address emerging security risks. 

Additionally, organisations can also benefit from implementing their own custom rules that enforce specific HTTP methods, secure headers, or the filtering of known patterns in malicious traffic. 

AWS Config

Configuration monitoring is also a mainstay in any public cloud security strategy and AWS has the perfect tool for the job in AWS Config. 

By utilising AWS Config an organisation can enhance their visibility into resource configurations, monitor changes, automate compliance checks, and maintain a history of configuration states. 

By enabling AWS Config, organisations can gain visibility into their resource configurations, track changes, and ensure that configurations align with PCI DSS requirements. This includes monitoring security groups, IAM policies, encryption settings, and other relevant configurations. 

Moreover, organisations can also use this tool to create configuration rules that evaluate custom config rules which are used to evaluate deployment configurations against desired or mandated requirements.

AWS Lambda

Continuous compliance is also an important pillar and AWS Lambda can play a vital role when deployed in conjunction with AWS Config which can be used to trigger Lambdas when a rule is deemed non-compliant. 

This enables organisations to automatically correct misconfigurations or enforce policy requirements in near real-time. 

For example, if an S3 bucket is deemed to be open to the public, an automated remediation action can be triggered to modify the ACL on the bucket and restrict access.

AWS GuardDuty, CloudTrail, and Security Hub

A comprehensive logging and monitoring programme is also key when aiming for PCI DSS compliance in the public cloud. 

AWS supports this through its GuardDuty and CloudTrail services. GuardDuty provides real-time threat detection capabilities specific to PCI DSS which can be leveraged by incident teams to reduce their detection times to threats.

Additionally, CloudTrail supports compliance through the provision of comprehensive audit trails and integration capabilities with well-established third-party SIEM and analysis tools that can improve SOC capabilities. 

AWS has also added support for PCI DSS in Security Hub which can be configured to conduct automatic checks against the security requirements of the standard relevant to the AWS services deployed in your estate. 

There’s also a Security score feature for the Security Hub standard, which can help support preparations for PCI DSS assessment.

AWS Audit Manager

Establishing an audit checklist can also be a difficult task, especially when an organisation is transitioning to AWS. 

Fortunately, AWS’ Audit Manager service has a pre-built audit framework specifically for PCI DSS. This framework includes a prebuilt collection of controls with descriptions and testing procedures. 

These controls are grouped into control sets according to PCI DSS requirements and are completely customisable. By using this service as the baseline for all PCI DSS audits in your AWS estate your organisation can create centralised and consistent audit artefacts directly within AWS itself.

The tip of the PCI DSS Iceberg

This blog post has briefly touched on some of the most important AWS services that can supercharge your PCI DSS compliance inside AWS. 

However, as with any robust security strategy, this is only a flavour of what is possible when leveraging AWS and in future blog posts, we’ll aim to discuss further options such as landing zone design decisions, service control policies, IAM strategies, and more. 

Get support with a PCI compliance service provider 

Are you looking for expert support to achieve and maintain PCI compliance in your AWS environment? 

Airwalk Reply is your trusted partner for seamless AWS PCI compliance.

Our team of certified professionals specialises in AWS security and compliance, including PCI DSS requirements. 

We understand the complexities of PCI compliance and can guide you through the entire process, from initial assessment to implementation and ongoing compliance management.

With Airwalk Reply, you can benefit from:

  • Deep expertise in AWS services
  • Robust security controls
  • Proven strategies to protect your cardholder data and meet PCI DSS obligations. 

We'll work closely with your organisation, tailoring our approach to your specific needs and ensuring a smooth and successful compliance journey.

Trust Airwalk Reply to provide the knowledge, experience, and support you need to achieve and maintain PCI compliance in your AWS environment.

Contact us today to get started and secure your payment card data with confidence.

Cloud Security Learn more