If your application needs to process, store, or transmit credit card data, you are probably familiar with the Payment Card Industry Data Security Standard, otherwise known as PCI DSS. This standard specifies best practices and security controls needed to keep credit card data safe and secure during transit, processing, and storage. Among other things, it requires organizations to build and maintain a secure network, protect cardholder data, maintain a vulnerability management program, implement strong security measures, test and monitor networks on a regular basis, and to maintain an information security policy.
I am happy to announce that AWS has achieved validated Level 1 service provider status for PCI DSS. Our compliance with PCI DSS v2 has been validated by an independent Qualified Security Assessor (QSA). AWS's status as a validated Level 1 Service Provider means that merchants and other service providers now have access to a computing platform that has been verified to conform to PCI standards. Merchants and service providers that need to certify against PCI DSS and maintain their own certification can now leverage the benefits of the AWS cloud and even simplify their own PCI compliance efforts by relying on AWS's status as a validated service provider. Our validation covers the services that are typically used to manage a cardholder environment, including Amazon Elastic Compute Cloud (EC2), Amazon Simple Storage Service (S3), Amazon Elastic Block Store (EBS), and Amazon Virtual Private Cloud (VPC).
Our Qualified Security Assessor has submitted a complete Report on Compliance (ROC) and a fully executed Attestation of Compliance to Visa as of November 30, 2010. AWS will appear on Visa's list of validated service providers in the near future.
Until recently, attaining PCI compliance within a virtualized, multi-tenant environment was considered out of reach. PCI DSS version 2.0, the newest version of the standard, published in late October 2010, does provide guidance on virtualization but none on multi-tenant environments. Even without multi-tenancy guidance, however, we were able to work with our PCI assessor to document our security management processes, PCI controls, and compensating controls, and to show how our core services effectively and securely segregate each AWS customer within their own protected environment. Our PCI assessor found that our security and architecture conformed to the new PCI standard and verified our compliance.
Even if your application doesn't process, store, or transmit credit card data, you should find this validation helpful since PCI DSS is often viewed as a good indicator of the ability of an organization to secure any type of sensitive data. We expect that our enterprise customers will now consider moving even more applications and critical data to the AWS cloud as a result of this announcement.
Update: Many people have asked us whether they need to launch some sort of special PCI-compliant environment. They do not. The entire infrastructure that supports EC2, S3, EBS, and VPC is compliant, and there is no separate environment or special API to use. Any server or storage object deployed in these services is in a PCI-compliant environment, globally.
Learn more by reading our new PCI DSS FAQ.
-- Jeff;


A couple of questions:
Who was the QSA?
Is S3 now encrypted?
Is storage over written after deletion or is the mapping changed and then new data over writes it?
Does this mean an on-site visit to AWS is permitted when an EC2/S3 customer has to be audited for PCI violations?
What exactly are the services for which you got PCI compliance? Hosting? Or other (which shows checked on the list)?
Can you provide more details on how hosting was extended to cloud and multi-tenant was rationalized with the QSA?
Posted by: @derik66 | December 07, 2010 at 08:53 AM
Fantastic Jeff - this goes some way to solving one of the last problems with cloud based computing for application and service developers.
I remember going to a seminar by Mike Culver a few years ago that introduced me to AWS and specifically S3 and EC2 (which was mostly what AWS was back then), and thinking how it would be a reliable, cost effective, and scalable system to use for the project I was involved with at the time, a promo music delivery system aimed at DJs (on one side) and the big music companies (like Universal Music Group, our first target, on the other side).
The problem with utilising AWS as our server infrastructure was not technical, but rather it was an issue of perception within companies like UMG. In the contracts we ended up signing with them, they wanted specific information about the physical location (street address, floor, and even the security layout of the server rooms) where their content would be held and delivered by our service. The notion that it was "in the cloud" was simply not something they could grasp, and was certainly not an idea that their legal departments could imagine entertaining.
The more you and the team at AWS can address this problem, the more easily independent software and service development businesses like ours can create and sell cloud applications to both big and small businesses (although it's usually the biggest businesses and their lawyers that are the most difficult to convince).
I truly believe that focusing on this segment of developers, and continuing to find ways to enable them to on-sell trust in Amazon's security infrastructure, will help drive AWS growth. Keep up the promising work in this area.
Posted by: EdouardPoor | December 07, 2010 at 05:16 PM
Most of these are answered in our PCI FAQs in our Security Center http://aws.amazon.com/security/pci-dss-level-1-compliance-faqs/
Jinesh
Posted by: Jinesh | December 07, 2010 at 10:57 PM
http://usa.visa.com/download/merchants/cisp-list-of-pcidss-compliant-service-providers.pdf
The QSA was IOActive, Inc.
http://www.ioactive.com/
This is not a secret so why wasn't it put in the article?
I have been through 2 PCI audits. I would love to be a fly on the wall and read through your ROC.
I assume Amazon's core credit card services can be segmented from their other networks. I don't think it was too hard for them to get their PCI compliance. As long as their other systems don't touch their credit card servers or wherever they store their credit card data, then a QSA can consider other systems not in scope.
Posted by: NetNinja | December 07, 2010 at 10:58 PM
Is the Elastic Load Balancing functionality included in the scope of EC2 as far as compliance goes? Our ASV dings us because the Elastic Load Balancing apparently allows SSLv2.
Posted by: Aaron | December 10, 2010 at 01:12 PM
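The SSLv2 finding Aaron describes is the kind of result an ASV scan reports against a load balancer listener; the Python below is an added example, not code from the post, AWS or the commenters, that sends a minimal SSLv2 ClientHello to an endpoint you operate and classifies the reply (an SSLv2 ServerHello means the legacy protocol is still accepted; a TLS alert or a dropped connection means it is refused), so the exposure can be confirmed before and after the listener is fixed. The host and port are whatever you pass to probe(); the cipher-spec codes are the SSL 2.0 constants.

```python
"""Check whether a TLS endpoint still answers an SSLv2 ClientHello (added example)."""
import socket
import struct

# SSLv2 cipher-spec codes, 3 bytes each, as defined in the SSL 2.0 specification.
SSLV2_CIPHER_SPECS = (
    b"\x01\x00\x80"  # SSL_CK_RC4_128_WITH_MD5
    b"\x02\x00\x80"  # SSL_CK_RC4_128_EXPORT40_WITH_MD5
    b"\x03\x00\x80"  # SSL_CK_RC2_128_CBC_WITH_MD5
    b"\x04\x00\x80"  # SSL_CK_RC2_128_CBC_EXPORT40_WITH_MD5
    b"\x05\x00\x80"  # SSL_CK_IDEA_128_CBC_WITH_MD5
    b"\x06\x00\x40"  # SSL_CK_DES_64_CBC_WITH_MD5
    b"\x07\x00\xc0"  # SSL_CK_DES_192_EDE3_CBC_WITH_MD5
)


def build_sslv2_client_hello(challenge=b"\x00" * 16):
    """Return an SSLv2 ClientHello record (2-byte header with the high bit set)."""
    # MSG-CLIENT-HELLO (0x01), CLIENT-VERSION 0x0002, then three big-endian
    # lengths: cipher specs, session id (none), challenge.
    body = struct.pack(">BHHHH", 0x01, 0x0002,
                       len(SSLV2_CIPHER_SPECS), 0, len(challenge))
    body += SSLV2_CIPHER_SPECS + challenge
    return struct.pack(">H", 0x8000 | len(body)) + body


def classify_response(data):
    """Map the server's first bytes to a verdict on SSLv2 support."""
    if not data:
        return "closed"              # connection dropped: SSLv2 refused
    if len(data) >= 3 and data[0] == 0x15 and data[1] == 0x03:
        return "tls-alert"           # TLS alert record (e.g. protocol_version)
    if len(data) >= 3 and data[0] & 0x80 and data[2] == 0x04:
        return "sslv2-server-hello"  # MSG-SERVER-HELLO: endpoint speaks SSLv2
    return "unknown"


def probe(host, port=443, timeout=5.0):
    """Send one SSLv2 ClientHello to host:port and classify the reply."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_sslv2_client_hello())
        try:
            data = sock.recv(4096)
        except socket.timeout:
            data = b""               # silence is treated like a dropped connection
    return classify_response(data)
```

Anything other than "closed" or "tls-alert" from probe() is worth a second look; "unknown" usually means a non-TLS service or a proxy answering on that port.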
It would be great if you could publish a copy of the Level 1 Certificate of Compliance on your website / FAQs as banks and others who will be assessing our application will want to see your certificate as proof that our application is layered on a certified platform. Visa does not always publish every service provider on their list, and Amazon AWS is still not on the most recent list.
Posted by: Doug | December 30, 2010 at 05:07 PM