
PCI Compliance on AWS: How AWS Supports the 12 PCI Requirements


    How Do You Comply with PCI DSS on AWS? 

    The Payment Card Industry Data Security Standard (PCI DSS) is a set of security standards designed to ensure that all companies accepting, processing, storing, or transmitting credit card information maintain a secure environment. This applies to any entity that holds, processes, or exchanges cardholder data, irrespective of its size or transaction volume.

    When operating on Amazon Web Services (AWS), the world’s biggest cloud provider, PCI DSS compliance refers to the adherence of the AWS platform, its services, and the workloads operated by your organization, to these security standards. According to the shared responsibility model, AWS is responsible for the security “of” the cloud, while customers are responsible for the security “in” the cloud. This means that while AWS provides a secure infrastructure and services, customers must ensure that they are implementing robust security measures within their specific environment.

    To achieve PCI DSS compliance on AWS for any financial data processing or storing, you need to understand how AWS services align with the twelve PCI DSS requirements. These requirements include securing the network, protecting cardholder data, maintaining a vulnerability management program, implementing access control measures, regularly monitoring and testing networks, and maintaining an information security policy.

    About this Explainer:

    This content is part of a series about PCI Compliance.

    Recommended Reading: What Is SIEM, Why Is It Important and 13 Key Capabilities.


    Key AWS Services Relevant to PCI Compliance 

    There are several AWS services that can help in establishing and maintaining compliance with the PCI DSS. We’ll review these services, and then in the following section, explain how to use them to comply with each of the 12 PCI requirements.

    Amazon VPC

    Amazon Virtual Private Cloud (VPC) allows you to provision a logically isolated section of the AWS Cloud. You can launch AWS resources in your own virtual network, with a secure and customizable network environment. You can select your own IP address range, create subnets, and configure route tables and network gateways. 

    AWS Identity and Access Management

    AWS Identity and Access Management (IAM) allows you to manage access to AWS services and resources securely. You can create and manage AWS users and groups and use permissions to allow or deny their access to AWS resources.

    IAM is important for achieving robust access control measures. It lets you enforce strong password policies, manage permissions, and provide secure access to your AWS resources, thus safeguarding cardholder data.

    AWS Key Management Service

    AWS Key Management Service (KMS) is a managed service that helps you create and control the cryptographic keys used to encrypt your data. The encryption and decryption operations are performed within AWS KMS, so the key material never leaves the service. With KMS, you can encrypt data at rest and manage keys, ensuring the confidentiality and integrity of cardholder data. (It is recommended that you default to the strongest supported options: 256-bit symmetric keys and 2048-bit asymmetric keys.)

    Amazon GuardDuty

    Amazon GuardDuty is a threat detection service that continuously monitors for malicious activity and unauthorized behavior to help protect your AWS accounts, workloads, and data stored in Amazon S3. It identifies unusual or unauthorized activity, such as cryptomining, credential compromise behavior, or communication with malicious IPs, URLs, or domains.

    GuardDuty’s continuous security monitoring aligns with PCI DSS requirements related to regular monitoring and testing of networks. By alerting you to potential security threats, GuardDuty helps you maintain a secure network environment.

    AWS CloudTrail and AWS Config

    AWS CloudTrail is a service that enables governance, compliance, operational auditing, and risk auditing of your AWS account. With AWS CloudTrail, you can log, continuously monitor, and retain account activity related to actions across your AWS infrastructure.

    AWS Config is a service that enables you to assess, audit, and evaluate the configurations of your AWS resources. It provides detailed views of the configuration properties of your AWS resources, and it allows you to determine overall compliance against the configurations specified in your internal guidelines.

    Both CloudTrail and AWS Config play a crucial role in achieving PCI DSS Compliance, particularly in relation to the requirements for regular monitoring and testing of networks and maintaining an information security policy. By using these services, you can gain visibility into resource configuration and changes, and track access and activity in your AWS environment.

    AWS S3 Security Features

    AWS Simple Storage Service (S3) is a scalable storage service that provides businesses with secure, reliable, and highly-scalable object storage. With AWS S3, you can store and retrieve virtually any amount of data, at any time, from anywhere on the web.

    For PCI DSS compliance, AWS S3 offers a number of features that can help secure cardholder data. These include server-side encryption (SSE) for data at rest, secure data transfer using SSL/TLS, access control policies, and logging of access requests. These features can help businesses meet several PCI DSS requirements, such as protecting stored cardholder data and tracking and monitoring all access to network resources and cardholder data.

    AWS Certificate Manager

    AWS Certificate Manager (ACM) is a service that simplifies the management and deployment of SSL/TLS certificates for your AWS-based websites and applications. SSL/TLS certificates are used to secure network communication and establish the identity of websites over the Internet.

    For PCI DSS compliance, it is a requirement to encrypt transmission of cardholder data across open, public networks. AWS ACM can help businesses meet this requirement by providing the necessary tools to easily provision, manage, and deploy public and private SSL/TLS certificates.

    AWS Systems Manager Patch Manager

    AWS Systems Manager Patch Manager is a service that helps you automate the process of patching managed instances. It provides businesses with a variety of tools to aid in the patching process, such as patch compliance scanning, patch baseline creation, and patch rollout scheduling.

    PCI DSS requirements necessitate the use of systems with the latest security patches to protect cardholder data. AWS Systems Manager Patch Manager can help businesses meet this requirement by providing a centralized, automated solution for patch management.

    By ensuring that all systems are up-to-date with the latest security patches, businesses can reduce the risk of security vulnerabilities that could lead to data breaches. Additionally, the automated nature of AWS Systems Manager Patch Manager helps reduce the potential for human error, thereby further enhancing the security posture of a business.

    AWS Artifact

    AWS Artifact is a service that provides on-demand access to AWS’ security and compliance reports and select online agreements. Reports available in AWS Artifact include the platform’s Payment Card Industry (PCI) Data Security Standard (DSS) Attestation of Compliance (AoC) and Responsibility Matrix (also known as PCI Shared Responsibility Matrix).

    These documents can help businesses understand how AWS services map to PCI DSS requirements, and which responsibilities are managed by AWS (as the service provider) and which responsibilities fall on the business (as the customer).

    AWS Security Hub

    AWS Security Hub provides you with a comprehensive view of your high-priority security alerts and compliance status across your AWS accounts. With Security Hub, you have a single place that aggregates, organizes, and prioritizes your security alerts, or findings, from multiple AWS services.

    PCI DSS requires businesses to implement a process for regularly testing security systems and processes. AWS Security Hub can help businesses meet this requirement by providing continuous security checks, as well as insights into potential security issues.

    Learn more:

    Read our detailed explainer about PCI security.


    How to Comply with the 12 PCI DSS Requirements on AWS 

    Now, let’s step through the 12 requirements of PCI DSS and see how each of them affects the infrastructure and workloads you operate on AWS.

    1. Install and Maintain a Firewall to Protect Cardholder Data

    Firewalls are the first line of defense in securing cardholder data. A firewall is a network security device that monitors and filters incoming and outgoing network traffic based on an organization’s previously established security policies.

    AWS provides built-in firewall rules through its Security Groups feature. These rules allow you to control inbound and outbound traffic at the instance level. AWS also provides Network Access Control Lists (NACLs) for stateless traffic control at the subnet level.

    AWS also provides detailed logging for your firewalls through services like AWS CloudTrail and AWS Config, enabling security teams to monitor changes and ensure firewalls remain effective.
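    As an added example (not from the article or from AWS), the following Python check reviews Security Group ingress rules in the shape that boto3’s ec2.describe_security_groups() returns and flags any port other than 443 that is open to the whole internet. The groups are constructed inline and the allow-list of public ports is an assumption about a CDE web tier.

```python
"""Audit EC2 security group ingress rules for internet-exposed ports.

Added example, not from the article or AWS. Works on the data shape that
boto3's ec2.describe_security_groups() returns; groups are constructed inline.
"""
from __future__ import annotations

# Ports a CDE web tier may expose to the internet (assumption: TLS only).
ALLOWED_PUBLIC_PORTS = {443}
ANY_IPV4, ANY_IPV6 = "0.0.0.0/0", "::/0"


def _world_open(perm: dict) -> bool:
    """True if the rule's source ranges include the whole internet."""
    v4 = any(r.get("CidrIp") == ANY_IPV4 for r in perm.get("IpRanges", []))
    v6 = any(r.get("CidrIpv6") == ANY_IPV6 for r in perm.get("Ipv6Ranges", []))
    return v4 or v6


def _ports(perm: dict) -> tuple[int, int]:
    """Port range of a rule; IpProtocol '-1' means all protocols and ports."""
    if perm.get("IpProtocol") == "-1":
        return 0, 65535
    return perm["FromPort"], perm["ToPort"]


def audit_security_groups(groups: list[dict]) -> list[dict]:
    """One finding per ingress rule that exposes a non-allowed port to the internet."""
    findings = []
    for sg in groups:
        for perm in sg.get("IpPermissions", []):
            if not _world_open(perm):
                continue
            lo, hi = _ports(perm)
            # Acceptable only if every port the rule opens is on the allow list.
            if all(p in ALLOWED_PUBLIC_PORTS for p in range(lo, hi + 1)):
                continue
            findings.append({
                "group_id": sg["GroupId"],
                "group_name": sg.get("GroupName", ""),
                "protocol": perm.get("IpProtocol"),
                "ports": str(lo) if lo == hi else f"{lo}-{hi}",
            })
    return findings


# Constructed sample in the shape of describe_security_groups()["SecurityGroups"].
SAMPLE_GROUPS = [
    {"GroupId": "sg-web", "GroupName": "cde-web", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-db", "GroupName": "cde-db", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,   # private subnet only: fine
         "IpRanges": [{"CidrIp": "10.0.1.0/24"}], "Ipv6Ranges": []},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,       # SSH to the world: finding
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-bad", "GroupName": "allow-all", "IpPermissions": [
        {"IpProtocol": "-1", "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},
]
```

    Running audit_security_groups(SAMPLE_GROUPS) returns two findings: SSH on sg-db and the all-ports rule on sg-bad; the 443 rule on the web tier passes.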

    2. Strong Passwords and Secure Configuration

    Another essential aspect of PCI DSS compliance is ensuring strong access control measures. This includes using strong passwords and maintaining secure configurations.

    AWS Identity and Access Management (IAM) allows you to manage access to your AWS resources. Using IAM, you can create and manage AWS users and groups and use permissions to allow or deny their access to AWS resources. This includes enforcing password policies that require strong passwords. As an example, you can use IAM condition keys to enforce Relational Database Service (RDS) management of the master user password in AWS Secrets Manager.

    Secure configurations are also essential to protect your data. AWS provides various tools to help with this, including AWS Config, which continuously monitors and records your AWS resource configurations and allows you to automate the evaluation of recorded configurations against desired configurations.

    3. Protect Stored Cardholder Data

    AWS provides several storage options, each with its own security features, which can help you protect stored cardholder data.

    AWS S3 is one option. It allows you to enable server-side encryption for stored data. You can also use Amazon Macie, a security service that uses machine learning to automatically discover, classify, and protect sensitive data like Personally Identifiable Information (PII).

    Another option is Amazon RDS, which offers several options for encrypting at-rest data in your database instances with AWS Key Management Service (KMS).
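    As an added example (not from the article or from AWS), the Python below checks S3 default-encryption settings and KMS key rotation status for buckets meant to hold cardholder data, covering both the stored-data point here and the key-rotation tip later in the page. The inputs mimic the responses of boto3’s s3.get_bucket_encryption() and kms.get_key_rotation_status(); bucket names and the key ARN are constructed placeholders, and the baseline it enforces (SSE-KMS with a customer-managed key) is an assumed internal policy rather than PCI DSS text.

```python
"""Check S3 default-encryption and KMS rotation settings for CDE buckets.

Added example, not from the article or AWS. Inputs mimic the responses of
boto3's s3.get_bucket_encryption() and kms.get_key_rotation_status(); bucket
names and the key ARN are constructed placeholders, and the baseline enforced
(SSE-KMS with a customer-managed key) is an assumed internal policy.
"""
from typing import Optional


def check_bucket_encryption(bucket: str, config: Optional[dict]) -> list:
    """Findings for one bucket; an empty list means it meets the baseline."""
    if config is None:
        # get_bucket_encryption raises ServerSideEncryptionConfigurationNotFoundError
        # when no default encryption is set; the caller maps that exception to None.
        return [f"{bucket}: no default encryption configured"]
    rules = config.get("ServerSideEncryptionConfiguration", {}).get("Rules", [])
    if not rules:
        return [f"{bucket}: encryption configuration has no rules"]
    findings = []
    for rule in rules:
        default = rule.get("ApplyServerSideEncryptionByDefault", {})
        algo = default.get("SSEAlgorithm")
        if algo == "aws:kms":
            # Without KMSMasterKeyID, S3 uses the AWS-managed aws/s3 key.
            if not default.get("KMSMasterKeyID"):
                findings.append(f"{bucket}: SSE-KMS with the AWS-managed key; "
                                "use a customer-managed key for key-policy and rotation control")
        elif algo == "AES256":
            findings.append(f"{bucket}: SSE-S3 (AES256); baseline requires SSE-KMS")
        else:
            findings.append(f"{bucket}: unrecognised SSEAlgorithm {algo!r}")
    return findings


def check_key_rotation(key_arn: str, status: dict) -> list:
    """Findings from a get_key_rotation_status()-shaped response."""
    return [] if status.get("KeyRotationEnabled") else [f"{key_arn}: automatic key rotation disabled"]


def audit(buckets: dict, key_arn: str, rotation: dict) -> list:
    """All bucket findings in input order, then the key-rotation finding."""
    findings = []
    for name, cfg in buckets.items():
        findings.extend(check_bucket_encryption(name, cfg))
    findings.extend(check_key_rotation(key_arn, rotation))
    return findings


CMK_ARN = "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID"  # placeholder
SAMPLE_BUCKETS = {  # constructed
    "cde-archive-good": {"ServerSideEncryptionConfiguration": {"Rules": [
        {"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "aws:kms",
                                                "KMSMasterKeyID": CMK_ARN}}]}},
    "cde-archive-sse-s3": {"ServerSideEncryptionConfiguration": {"Rules": [
        {"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "AES256"}}]}},
    "cde-archive-unencrypted": None,
}
SAMPLE_ROTATION = {"KeyId": "EXAMPLE-KEY-ID", "KeyRotationEnabled": False}
```

    audit(SAMPLE_BUCKETS, CMK_ARN, SAMPLE_ROTATION) yields three findings: the SSE-S3 bucket, the unencrypted bucket, and the key with rotation disabled; the first bucket is clean.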

    4. Encrypt Cardholder Data Transmission Across Public Networks

    When transmitting cardholder data across public networks, encryption is key to maintaining its security. AWS provides built-in mechanisms to encrypt data in transit.

    You can use AWS Certificate Manager (ACM) to handle SSL/TLS certificates for your applications. These certificates enable you to use HTTPS to secure your websites and applications.

    AWS also provides Virtual Private Cloud (VPC) which allows you to launch AWS resources in an isolated, virtual network, with a public subnet for web servers and a secure, private subnet for databases.

    5. Use and Regularly Update Anti-Virus Software

    Using and regularly updating antivirus software is another requirement of PCI DSS. AWS doesn’t provide its own anti-virus solution, but there are multiple third-party anti-malware solutions available in the AWS Marketplace.

    Another way to protect against malware and other cyber threats is a Cloud Access Security Broker (CASB) solution. CASBs serve as intermediaries between cloud service users and cloud service providers, offering enhanced security and compliance capabilities. They provide visibility into cloud application usage, data protection, and threat prevention. In the context of PCI DSS, a CASB can help identify and control sensitive data in the cloud, enforce security policies, and offer advanced threat protection for SaaS services used by your organization.

    6. Develop and Maintain Secure Systems and Applications

    Developing and maintaining secure systems and applications is a multifaceted process. It involves regular patching, monitoring, and assessment of your systems.

    AWS provides several services to assist with this. AWS Systems Manager Patch Manager automates the process of patching managed instances. AWS CloudTrail provides a history of AWS API calls for your account, including API calls made via the AWS Management Console, AWS SDKs, command line tools, and higher-level AWS services.

    7. Restrict Access to Cardholder Data Based on “Need to Know”

    Access to cardholder data should always be restricted on a “need to know” basis. This is part of the principle of least privilege, meaning that each person should only have access to the data they need to perform their job duties.

    With AWS IAM, you can create and manage AWS users and groups and use permissions to allow and deny their access to AWS resources. This allows you to restrict access based on “need to know”. Wherever possible, employ data masking and role-based access controls to limit exposure.
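    As an added example (not from the article or from AWS), the following Python reviews IAM policy documents for statements that break “need to know”: wildcard actions, Resource "*" without a Condition, and NotAction/NotResource inversions. It pairs a weak policy with the same intent scoped to one bucket and one key; bucket name, account ID and key ID are constructed placeholders, and the check is a static lint, not a replacement for the IAM policy simulator.

```python
"""Flag IAM policy statements that violate least privilege.

Added example, not from the article or AWS. Checks the IAM policy-document
JSON shape; both policies below are constructed (bucket, account and key ids
are placeholders).
"""
import json


def _as_list(value):
    """IAM accepts a string or a list for Action and Resource fields."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _is_wildcard_action(action: str) -> bool:
    # "*" grants every API call; "s3:*" grants every call in one service.
    return action == "*" or action.endswith(":*")


def review_policy(policy_json: str) -> list:
    """Return one finding per over-broad Allow statement (empty list = clean)."""
    policy = json.loads(policy_json)
    findings = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement"))):
        sid = stmt.get("Sid", f"statement[{idx}]")
        if stmt.get("NotAction") is not None or stmt.get("NotResource") is not None:
            findings.append(f"{sid}: NotAction/NotResource inverts the grant; review by hand")
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only narrow access
        broad = [a for a in _as_list(stmt.get("Action")) if _is_wildcard_action(a)]
        all_resources = "*" in _as_list(stmt.get("Resource"))
        if broad and all_resources:
            findings.append(f"{sid}: wildcard actions {broad} on every resource")
        elif broad:
            findings.append(f"{sid}: wildcard actions {broad}")
        elif all_resources and not stmt.get("Condition"):
            findings.append(f"{sid}: Resource '*' without a Condition")
    return findings


# Constructed: a role meant only to read one bucket of tokenised transaction records.
WEAK_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "ReadCde", "Effect": "Allow", "Action": "s3:*", "Resource": "*"},
    {"Sid": "Keys", "Effect": "Allow", "Action": ["kms:Decrypt"], "Resource": "*"},
]})

# The same intent scoped to the one bucket and the one key it actually needs.
SCOPED_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "ReadCde", "Effect": "Allow",
     "Action": ["s3:GetObject", "s3:ListBucket"],
     "Resource": ["arn:aws:s3:::example-cde-bucket", "arn:aws:s3:::example-cde-bucket/*"]},
    {"Sid": "Keys", "Effect": "Allow", "Action": ["kms:Decrypt"],
     "Resource": "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID"},
]})

if __name__ == "__main__":
    print("weak:  ", review_policy(WEAK_POLICY))
    print("scoped:", review_policy(SCOPED_POLICY))
```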

    8. Unique IDs for Every Person with Computer Access

    Under PCI DSS, each person with computer access should have a unique ID. AWS IAM allows you to create and manage AWS users and groups, and use permissions to allow and deny their access to AWS resources.

    AWS also allows for multi-factor authentication (MFA), providing an additional layer of security. This means that even if a user’s credentials are compromised, an attacker would still need the MFA device to access the account.

    9. Restrict Physical Access to Cardholder Data

    In AWS, restricting physical access to cardholder data refers to the physical security of the data centers where your data is stored. This generally falls under Amazon’s responsibility in the shared responsibility model.

    AWS data centers feature a robust set of physical security measures including professional security staff, video surveillance, and intrusion detection systems. AWS also provides strong control over who has access to these facilities, ensuring that your data is physically secure.

    10. Track and Monitor Access to Network and Cardholder Data

    Tracking and monitoring access to network and cardholder data gives you visibility into who is accessing what data and when. This can be accomplished with services like AWS CloudTrail, which logs, continuously monitors, and retains account activity related to actions across your AWS infrastructure.

    AWS also provides Amazon GuardDuty, a threat detection service that continuously monitors for malicious or unauthorized behavior to help protect your AWS accounts and workloads.
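    As an added example (not from the article or from AWS), the following Python triages CloudTrail records for three signals a PCI reviewer would want surfaced: root account activity, a successful console login without MFA, and Security Group or NACL rule changes. It uses the CloudTrail record field names (eventName, userIdentity.type, additionalEventData.MFAUsed, responseElements.ConsoleLogin); the three events are constructed inline.

```python
"""Triage CloudTrail events for signals a PCI reviewer needs to see.

Added example, not from the article or AWS. Uses the CloudTrail record field
names (eventName, userIdentity.type, additionalEventData.MFAUsed); the
events below are constructed inline.
"""

# Write calls that change the firewall posture from Requirement 1.
FIREWALL_CHANGES = {
    "AuthorizeSecurityGroupIngress", "AuthorizeSecurityGroupEgress",
    "RevokeSecurityGroupIngress", "RevokeSecurityGroupEgress",
    "CreateNetworkAclEntry", "ReplaceNetworkAclEntry", "DeleteNetworkAclEntry",
}


def triage(events) -> list:
    """Return one hit dict per rule an event trips, in event order."""
    hits = []
    for ev in events:
        ident = ev.get("userIdentity", {})
        name = ev.get("eventName", "")
        who = ident.get("userName") or ident.get("type", "unknown")

        def hit(severity, reason):
            hits.append({"severity": severity, "reason": reason, "event": name,
                         "who": who, "time": ev.get("eventTime")})

        # Root credentials should never be used for day-to-day work (Requirement 8).
        if ident.get("type") == "Root":
            hit("high", "root account activity")
        # A successful console login with MFAUsed == "No" (Requirement 8).
        if (name == "ConsoleLogin"
                and ev.get("additionalEventData", {}).get("MFAUsed") == "No"
                and ev.get("responseElements", {}).get("ConsoleLogin") == "Success"):
            hit("high", "console login without MFA")
        # Firewall rule changes must be traceable to a change ticket (Requirement 1).
        if name in FIREWALL_CHANGES:
            hit("medium", "security group or NACL rule change")
    return hits


SAMPLE_EVENTS = [  # constructed
    {"eventTime": "2024-01-01T10:00:00Z", "eventName": "ConsoleLogin",
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "additionalEventData": {"MFAUsed": "Yes"},
     "responseElements": {"ConsoleLogin": "Success"}},
    {"eventTime": "2024-01-01T10:05:00Z", "eventName": "ConsoleLogin",
     "userIdentity": {"type": "Root"},
     "additionalEventData": {"MFAUsed": "No"},
     "responseElements": {"ConsoleLogin": "Success"}},
    {"eventTime": "2024-01-01T10:06:00Z", "eventName": "AuthorizeSecurityGroupIngress",
     "eventSource": "ec2.amazonaws.com",
     "userIdentity": {"type": "IAMUser", "userName": "bob"},
     "requestParameters": {"groupId": "sg-db"}},
]

if __name__ == "__main__":
    for h in triage(SAMPLE_EVENTS):
        print(f"[{h['severity']}] {h['time']} {h['who']} {h['event']}: {h['reason']}")
```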

    11. Regularly Test Security Systems and Processes

    Regular testing of security systems and processes is key to ensuring that they remain effective. AWS provides several tools to assist with this, including AWS Config, which allows you to automate the evaluation of your recorded configurations against desired configurations.

    AWS also provides AWS Security Hub, which gives you a comprehensive view of your high-priority security alerts and compliance status across AWS accounts.

    12. Maintain an Information Security Policy Affecting All Personnel

    Finally, maintaining an information security policy is a PCI DSS requirement. This policy should cover all aspects of security and be communicated to all personnel.

    AWS provides AWS Artifact, a portal that provides access to AWS security and compliance reports and select online agreements. These documents can be used as a basis for the AWS part of your company’s information security policy.

    Tips from the expert

    Steve Moore

    Steve Moore is Vice President and Chief Security Strategist at Exabeam, helping drive solutions for threat detection and advising customers on security programs and breach response. He is the host of “The New CISO Podcast,” a Forbes Tech Council member, and Co-founder of TEN18 at Exabeam.

    In my experience, achieving PCI DSS compliance on AWS requires a thoughtful approach that goes beyond leveraging built-in tools. Here are key strategies to optimize compliance and security:

    Use a Dedicated VPC for the Cardholder Data Environment (CDE)

    Isolate your CDE by deploying it in a dedicated Amazon Virtual Private Cloud (VPC). This minimizes risk by preventing non-PCI workloads from interacting with cardholder data.

    Automate Encryption Key Rotation

    AWS Key Management Service (KMS) simplifies key management, but manual rotation can lead to errors. Automate key rotation for all encrypted data, adhering to PCI DSS best practices for cryptographic key management.

    Integrate AWS Security Hub with SIEM for Visibility

    Use AWS Security Hub to aggregate findings from GuardDuty, Config, and other tools, then feed these into your SIEM for comprehensive monitoring. This ensures real-time compliance insights across your AWS infrastructure.

    Regularly Test IAM Policies with Simulations

    Use the IAM policy simulator to test and validate access controls before deploying changes. This helps avoid misconfigurations that could expose sensitive data.

    Implement Network Segmentation with NACLs and Security Groups

    Use Network Access Control Lists (NACLs) at the subnet level and Security Groups at the instance level to enforce layered network security. Regularly review and update rules to reflect current requirements.


    PCI Compliance on AWS using Exabeam

    Noncompliance with PCI standards can result in heavy fines and other consequences, such as loss of business or permission to operate in some states and nations. A Ponemon Institute study showed that more than half of customers lost trust in an organization after it suffered a data breach, and 31 percent terminated their relationship with the organization after a breach.

    The AI-driven Exabeam Security Operations Platform offers pre-built dashboards tagged to make PCI compliance reporting easier. Whether you are using a framework like NIST or MITRE ATT&CK, Exabeam offers a clear path to track your compliance and governance reporting needs, while also establishing what normal looks like in your environment and for every entity logged in.

    The Outcomes Navigator feature in the Exabeam Platform offers continuous visualization of, and insight into, your detection coverage and the improvements you have made. It suggests improvements to log parsing, shows which log sources and detections are most effective against which parts of the ATT&CK framework, and highlights which use cases are most indicative of network penetration, persistence, and lateral movement.

    Learn more:

    Learn more about Exabeam Compliance.
