
PCI DSS over AWS

What is PCI DSS


The Payment Card Industry Data Security Standard (PCI DSS) is a proprietary information security standard
administered by the PCI Security Standards Council, which was founded by American Express, Discover
Financial Services, JCB International, MasterCard Worldwide and Visa Inc.

PCI DSS applies to entities that store, process, or transmit cardholder data (CHD) or sensitive authentication
data (SAD), including merchants, processors, acquirers, issuers, and service providers. The PCI DSS is mandated
by the card brands and administered by the Payment Card Industry Security Standards Council.

AWS and PCI DSS


Amazon Web Services (AWS) is certified as a PCI DSS Level 1 Service Provider, the highest level of assessment
available. The compliance assessment was conducted by Coalfire Systems Inc., an independent Qualified
Security Assessor (QSA). The PCI DSS Attestation of Compliance (AOC) and Responsibility Summary are
available to customers through AWS Artifact, a self-service portal for on-demand access to AWS compliance
reports.

For the list of AWS services that are PCI DSS compliant, see the link below (under the PCI tab):

https://aws.amazon.com/compliance/services-in-scope/

AWS QuickStart to achieve PCI DSS Compliance


By following the instructions in the deployment guide, a standardized PCI DSS environment can be built from
templates. The QuickStart is modular and customizable: you can deploy the entire architecture, or customize or
omit individual resources.

The components and features of the main template deployment include:

• Basic AWS Identity and Access Management (IAM) configuration with custom IAM policies, with associated groups, roles, and instance profiles.
• PCI-compliant password policy.
• Standard, external-facing virtual private cloud (VPC) Multi-AZ architecture with separate subnets for different application tiers and private (back-end) subnets for the application and the database.
• Managed network address translation (NAT) gateways to allow outbound internet access for resources in the private subnets.
• A secured bastion login host to facilitate command-line Secure Shell (SSH) access to EC2 instances for troubleshooting and systems administration activities.
• Network access control list (network ACL) rules to filter traffic.
• Standard security groups for EC2 instances.

Features provided by separate templates include:

• Centralized logging, monitoring, and alerts using AWS CloudTrail, Amazon CloudWatch, and, optionally, AWS Config rules.

PCI DSS Checklist: Security Goals & Requirements

By achieving the six goals stated by PCI, you build more robust apps on AWS, offer the reliability that all your
customers expect, and get systems prepared for the significant demand of the market.

Each of the following security goals is subdivided into requirements that together make up a complete set of 12
security controls, which you need to integrate with AWS so that your apps become compliant with this PCI DSS
Compliance Checklist.

This PCI DSS Compliance Checklist is based on 6 specific security goals:


1. Build and Maintain a Secure Network and Systems
2. Protect the Cardholder Data
3. Maintain a Vulnerability Management Program
4. Implement Strong Access Control Measures
5. Regularly Monitor and Test Networks
6. Maintain an Information Security Policy

PCI DSS Compliance Fulfilment Examples over AWS:


Each item in the PCI Compliance Checklist needs two kinds of deliverables for each PCI requirement; these two
categories are the Tech side and the Docs side.

Tech side: This category refers to the technologies, tools, network controls, etc. that you should integrate into
your AWS infrastructure to add security and strong protection for your information assets.

Docs side: This category covers the documented processes and configurations that PCI DSS requires in support of
your security posture, and that make visible to all your stakeholders why your application is secure and
reliable.

The following examples show how to achieve a PCI DSS compliant infrastructure over AWS.

Requirement 1: Build and Maintain a Secure Network and Systems - Install and maintain a firewall
configuration to protect the cardholder data.

Tech Side:

• Configure the AWS Web Application Firewall (WAF) to protect the application layer.
• Create Access Control Lists to restrict access to the infrastructure.
• Create AWS Security Groups to restrict user access to application services.
• Enable access to applications and infrastructure only from those countries where you need to be available.
• Store the code for applications in private repositories on AWS CodeCommit or any other code repository service such as GitHub or Bitbucket.
• Secure endpoints via two-factor authentication, user agent, or geo-location.
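As an added example (not code from the original document or from the AWS QuickStart), the following script audits security-group ingress rules of the shape returned by boto3 ec2.describe_security_groups() and flags every rule reachable from the whole internet on a port that is not meant to be public; the sample groups are constructed and the set of public ports (only 443) is an assumption.

```python
# Added example, not from the original document: audit security-group ingress
# rules (shape of boto3 ec2.describe_security_groups()) and flag every rule that
# is reachable from the whole internet on a port that is not meant to be public.
# The sample groups are constructed; the set of public ports is assumed.
ANY_V4, ANY_V6 = "0.0.0.0/0", "::/0"


def _port_range(perm: dict) -> tuple:
    # IpProtocol "-1" means all protocols and ports; FromPort/ToPort are then absent.
    if perm.get("IpProtocol") == "-1":
        return 0, 65535
    return perm.get("FromPort", 0), perm.get("ToPort", 65535)


def _world_reachable(perm: dict) -> bool:
    v4 = any(r.get("CidrIp") == ANY_V4 for r in perm.get("IpRanges", []))
    v6 = any(r.get("CidrIpv6") == ANY_V6 for r in perm.get("Ipv6Ranges", []))
    return v4 or v6


def open_ingress_findings(groups: list, public_ports=frozenset({443})) -> list:
    """One finding per world-reachable ingress rule that covers a non-public port."""
    findings = []
    for sg in groups:
        for perm in sg.get("IpPermissions", []):
            if not _world_reachable(perm):
                continue
            lo, hi = _port_range(perm)
            # A range is acceptable only if every port in it is an allowed public port.
            allowed_in_range = sum(1 for p in public_ports if lo <= p <= hi)
            if hi - lo + 1 > allowed_in_range:
                findings.append(f"{sg['GroupId']} ({sg.get('GroupName', '?')}): "
                                f"{perm.get('IpProtocol')} ports {lo}-{hi} open to the internet")
    return findings


# Constructed sample: a web tier behind the WAF, an isolated database tier, and a
# bastion that was left open to everyone instead of the administrators' addresses.
SAMPLE_GROUPS = [
    {"GroupId": "sg-web", "GroupName": "web-tier", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-db", "GroupName": "db-tier", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
         "IpRanges": [{"CidrIp": "10.0.1.0/24"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-bastion", "GroupName": "bastion", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
        {"IpProtocol": "-1", "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},
]
```

Only the bastion group produces findings here: its SSH rule and its catch-all IPv6 rule are both reachable from anywhere.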

Doc Side:

• Create a Network Security Policy document which addresses the process to approve and test all new network connections, and the process to approve and test changes to the firewall and router configurations.
• A network diagram that documents all connections between the cardholder data environment and other networks (including any wireless networks).
• The process for updating the network diagram as required.
• A diagram that shows all cardholder data flows across systems and networks.
• The process for updating the data flow diagram as required.
• The list of vulnerable services, protocols, and ports, and the security controls applied to them.
• The plan for periodically performing reviews and maintenance on firewalls and networking rules.
• The accepted standard for firewall configurations:
  • Controls and rules for inbound and outbound traffic.
  • Process and rules for adding new connections to external networks.
• Owner(s) of each process.

Requirement 2: Do not use vendor-supplied defaults for system passwords and other security
parameters.

Tech Side:

• Configure AWS multi-factor authentication (MFA). Make sure it is enabled for all users and required for all IAM roles that access applications and infrastructure elements.
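As an added example (not code from the original document or from AWS), the following checks an account's IAM password policy, in the shape returned by boto3 iam.get_account_password_policy()["PasswordPolicy"], against the PCI DSS v3.2.1 password rules, and parses the IAM credential report CSV (iam.get_credential_report()) to list console users without MFA; the thresholds are assumed from PCI DSS v3.2.1 requirements 8.2.3 to 8.2.5, and both samples are constructed.

```python
# Added example, not from the original document: check an account's IAM password
# policy (shape of boto3 iam.get_account_password_policy()["PasswordPolicy"]) and
# its credential report (CSV from iam.get_credential_report()) against the PCI DSS
# v3.2.1 password rules assumed below, and list console users without MFA.
# Both samples are constructed.
import csv
import io

# Assumed thresholds, taken from PCI DSS v3.2.1 requirements 8.2.3 to 8.2.5.
MIN_LENGTH, MAX_AGE_DAYS, REUSE_PREVENTION = 7, 90, 4


def password_policy_findings(policy: dict) -> list:
    """Describe each way the account password policy falls short of the thresholds."""
    findings = []
    if policy.get("MinimumPasswordLength", 0) < MIN_LENGTH:
        findings.append(f"minimum length below {MIN_LENGTH}")
    letters = policy.get("RequireUppercaseCharacters") or policy.get("RequireLowercaseCharacters")
    if not (policy.get("RequireNumbers") and letters):
        findings.append("both letters and digits not required")
    # MaxPasswordAge is only reported when ExpirePasswords is true.
    if not policy.get("ExpirePasswords") or policy.get("MaxPasswordAge", 0) > MAX_AGE_DAYS:
        findings.append(f"rotation not enforced within {MAX_AGE_DAYS} days")
    if policy.get("PasswordReusePrevention", 0) < REUSE_PREVENTION:
        findings.append(f"fewer than {REUSE_PREVENTION} previous passwords remembered")
    return findings


def users_without_mfa(credential_report_csv: str) -> list:
    """Users that can sign in to the console but have no MFA device active."""
    rows = csv.DictReader(io.StringIO(credential_report_csv))
    # The root row reports password_enabled as "not_supported" rather than "true".
    return [r["user"] for r in rows
            if r["password_enabled"] != "false" and r["mfa_active"] != "true"]


SAMPLE_POLICY = {"MinimumPasswordLength": 8, "RequireSymbols": True, "RequireNumbers": True,
                 "RequireUppercaseCharacters": True, "RequireLowercaseCharacters": True,
                 "ExpirePasswords": False, "PasswordReusePrevention": 24}

SAMPLE_REPORT = """\
user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,password_next_rotation,mfa_active
<root_account>,arn:aws:iam::111122223333:root,2020-01-01T00:00:00+00:00,not_supported,2024-01-01T00:00:00+00:00,2020-01-01T00:00:00+00:00,not_supported,true
alice,arn:aws:iam::111122223333:user/alice,2021-01-01T00:00:00+00:00,true,no_information,2021-01-01T00:00:00+00:00,N/A,false
deploy-bot,arn:aws:iam::111122223333:user/deploy-bot,2021-01-01T00:00:00+00:00,false,N/A,N/A,N/A,false
"""
```

With the constructed data, the policy fails only on password expiry, and alice is the one console user without MFA (the bot user has no console password, so it is not counted).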

Doc Side:

• Create a Password Acceptance Policy document which addresses:
  • The process for changing the default password on services and tools.
  • The accepted standard for setting up passwords (uppercase, lowercase, symbols and numbers).
  • The process for rotating and updating passwords on a continuous basis.
  • The monitoring process to ensure that all passwords comply with defined standards.
  • The correction process for passwords that do not comply with defined standards.
  • Owner(s) of each process.
• Create a Configuration Standard Policy document which addresses:
  • The list of system functions and the level of access they have to different services, protocols, daemons, etc.
  • The list of controls to prevent functions that require different security levels from coexisting on the same server.
  • The list of virtualization technologies in use, and their corresponding function.
  • The list of server-side encrypted controls, such as SSH, VPN, SSL, etc.
  • The list of all hardware and software components inside the system, and their purpose (name, size, etc.).
  • The list of additional security controls implemented on services, protocols, or daemons as required by the system/application. For example, the use of secure technologies such as SSH, S-FTP, SSL, or IPSec VPN to protect insecure services like NetBIOS, file-sharing, Telnet, FTP, etc.
  • The process for removing unnecessary services or components, to prevent misuse or vulnerabilities.
  • The process for updating the inventory of components.
  • The process for creating, maintaining, and deleting hardware and software components (what size they should have, what security and general specs they should have, how they should be deleted if required, etc.).
  • The process for securing access to wireless connections into the network.
  • Owner(s) of each process.

Requirement 3: Protect the Cardholder Data

Tech side:

• Isolate your database service (Relational Database Service (RDS), DynamoDB, Aurora Serverless, etc.) from the internet.
• Grant access to database services only to those IAM roles that really require it to complete their functions.
• Replicate all the data stored in databases across multiple zones in the cloud, so that it is not lost in case of disaster.
• Create periodic backups of both code and data stored in databases.
• Store the backups on AWS S3 and define a backup rotation approach.
• Enable scalability and failover for your database servers in order to stay highly available and meet user demand.

Docs side:

• Create a Data Retention and Protection Policy document which addresses:
  • The process for retaining and deleting cardholder data (how long the data will be stored, and why it will be stored).
  • The process for monitoring cardholder data and deleting data that is no longer used.
  • The process for managing the creation, retention, and deletion of authentication data (access credentials for apps, fingerprint access).
  • The process for tracking information such as chip data, magnetic stripe data, PINs, PANs, and card verification codes, as well as the process for creating, changing, and deleting this kind of data.
  • The list of security controls implemented on sensitive cardholder data and on access to it.
  • Owner(s) of each process.

Requirement 4: Encrypt transmission of cardholder data across public networks.

Tech side:

• All the data stored in databases is properly encrypted.
• All the communication between services in the cloud is encrypted.

Docs side:

• Create a Cryptographic Policy document which addresses:
  • The list of encryption controls implemented on sensitive data.
  • The process for implementing certificates to encrypt communication carrying cardholder data.
  • The accepted best practices and standards applied to encryption controls.
  • The process and requirements to access sensitive encrypted data.
  • The process to monitor, identify and eliminate vulnerabilities in encrypted data.
  • Owner(s) of each process.
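As an added example covering the tech side of Requirements 3 and 4 above (not code from the original document or from AWS), the following evaluates RDS instance descriptions, in the shape returned by boto3 rds.describe_db_instances(), together with their parameter groups (shape of rds.describe_db_parameters()) for the points the checklist names: not internet-facing, Multi-AZ, backed up, encrypted at rest, and TLS enforced for client connections. The sample instances and parameter groups are constructed, and the 7-day backup minimum is an assumption, not a PCI DSS figure.

```python
# Added example, not from the original document: evaluate RDS instances (shape of
# boto3 rds.describe_db_instances()) and their parameter groups (shape of
# rds.describe_db_parameters()) against the Requirement 3 and 4 tech-side points.
# Samples are constructed; the 7-day backup minimum is an assumption.
MIN_BACKUP_DAYS = 7

# Per engine: the parameter that rejects plaintext client connections, and the
# values that enforce it (RDS reports these as "1" or "ON" depending on engine).
TLS_PARAMS = {"postgres": ("rds.force_ssl", {"1", "ON"}),
              "mysql": ("require_secure_transport", {"1", "ON"})}


def tls_enforced(db: dict, param_groups: dict) -> bool:
    """True if a parameter group attached to the instance forces TLS for its engine."""
    param, wanted = TLS_PARAMS.get(db.get("Engine", ""), (None, None))
    if param is None:
        return False  # engine not covered here: report as unverified
    for pg in db.get("DBParameterGroups", []):
        for p in param_groups.get(pg["DBParameterGroupName"], []):
            if p["ParameterName"] == param:
                return str(p.get("ParameterValue", "")).upper() in wanted
    return False  # parameter left at an engine default that does not force TLS


def rds_findings(instances: list, param_groups: dict) -> dict:
    """Map each non-compliant DBInstanceIdentifier to the checks it fails."""
    checks = [
        ("publicly accessible", lambda db: db.get("PubliclyAccessible") is False),
        ("not Multi-AZ", lambda db: db.get("MultiAZ") is True),
        ("backup retention too short",
         lambda db: db.get("BackupRetentionPeriod", 0) >= MIN_BACKUP_DAYS),
        ("storage not encrypted", lambda db: db.get("StorageEncrypted") is True),
        ("TLS not enforced", lambda db: tls_enforced(db, param_groups)),
    ]
    result = {}
    for db in instances:
        failed = [label for label, ok in checks if not ok(db)]
        if failed:
            result[db["DBInstanceIdentifier"]] = failed
    return result


SAMPLE_PARAM_GROUPS = {
    "cde-pg": [{"ParameterName": "rds.force_ssl", "ParameterValue": "1"}],
    "legacy-mysql": [{"ParameterName": "require_secure_transport", "ParameterValue": "OFF"}],
}
SAMPLE_INSTANCES = [
    {"DBInstanceIdentifier": "cde-orders", "Engine": "postgres", "PubliclyAccessible": False,
     "MultiAZ": True, "BackupRetentionPeriod": 14, "StorageEncrypted": True,
     "DBParameterGroups": [{"DBParameterGroupName": "cde-pg"}]},
    {"DBInstanceIdentifier": "legacy-reports", "Engine": "mysql", "PubliclyAccessible": True,
     "MultiAZ": False, "BackupRetentionPeriod": 0, "StorageEncrypted": False,
     "DBParameterGroups": [{"DBParameterGroupName": "legacy-mysql"}]},
]
```

In the sample, the cardholder-data instance passes every check and the legacy instance fails all five.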

PCI DSS AWS Enablers


• Amazon GuardDuty: a managed threat detection service that detects, monitors, and reports malicious or unauthorized activity, including signs of a possible account compromise. It has no upfront cost; customers pay only for the events analyzed by GuardDuty.
• AWS Artifact: an audit and compliance portal that gives access to AWS compliance reports such as Service Organization Control (SOC) reports, PCI reports, and other certifications from accredited bodies. It also provides access to agreements such as the Business Associate Addendum (BAA) and the Non-Disclosure Agreement (NDA).
• Amazon Inspector: Amazon Inspector operates on a set of knowledge-based rules mapped to vulnerability definitions and security best practices. It is an automated service that runs against applications deployed on AWS and detects whether they are vulnerable to a security breach. It then produces a report listing the security findings, prioritized by severity.

Compliance is a Shared Responsibility

Security and compliance are a shared responsibility between AWS and the customer. This shared model can help
relieve the customer's operational burden, as AWS operates, manages, and controls the components from the host
operating system and virtualization layer down to the physical security of the facilities in which the service
operates. The customer assumes responsibility for and management of the guest operating system (including
updates and security patches), other associated application software, and the configuration of the AWS-provided
security group firewall.
