Deploy an AWS architecture and meet more than just secure payment requirements
Most enterprises today are either moving or planning to move their workloads to the cloud. Assisted by technological advancements, the adoption of public cloud services is growing in popularity rapidly due to the benefits they offer in terms of scalability, availability, and cost. But enterprises are often concerned about user security considerations. Are the clouds secure enough? With an increasing online presence, online payments have become an essential part of any business transaction type. This poses a big concern as the private data of credit cardholders gets exposed. Systems handling financial data are prime targets of cyber-attacks with rising credit card frauds, and there is a need to protect financial data from getting exploited. The question that now arises is -Are there enough cloud security protocols in place? Well, the answer is Yes! To ensure compliance in the cloud, we need to know about PCI DSS Compliance.
The payment card industry (PCI) is responsible for all our financial transactions, and they need to protect cardholder data (CHD) and sensitive authentication data (SAD) from unauthorized access and loss. PCI applies to all companies that process, transmit, or store cardholder data of service providers, merchants, processors, or issuers. Applications that store, process, or transmit cardholder data must be protected. Payment Card Industry (PCI) Data Security Standard (DSS) compliance is essential. Adherence to the standard means control objectives need to be met for your network; cardholder data must be protected, strong access controls must be implemented, and more.
In this post, we will learn about AWS architecture that helps support the Payment Card Industry requirements. And we will see how Amazon Web Services (AWS) can prove useful for organizations to ensure PCI DSS compliance in the cloud.
PCI DSS compliance
Financial institutions possess and process data that is highly sensitive. The PCI DSS aims to protect cardholder data (CHD) and sensitive authentication data (SAD) from unauthorized access and loss. Cardholder data includes the Primary Account Number (PAN), cardholder name, expiry date, and service code. Sensitive authentication data (SAD) contains:
- The full track data (magnetic-stripe data or equivalent on a chip)
- PINs/PIN blocks.
PCI DSS helps to ensure that companies maintain a secure environment for storing, processing, and transmitting credit card information.
Compliance Architectures and AWS cloud
AWS Cloud environment provides a standardized architecture for Payment Card Industry (PCI) Data Security Standard (DSS) compliance. AWS compliance solutions aid in streamlining, automating, and implementing secure baselines in AWS – right from initial design to operational security readiness. With the expertise of AWS solutions architects, security, and compliance personnel, these solutions help build a secure and reliable architecture through automation. Setting up this AWS Cloud environment that provides a standardized architecture for PCI DSS compliance involves using a Quick Start reference deployment guide.
This Quick Start is part of a set of AWS compliance offerings, which provide security-focused, standardized architecture solutions. It helps Managed Service Providers (MSPs), cloud-provisioning teams, developers, integrators, and information security teams follow strict security, compliance, and risk management controls. The deployment guide mentions architectural considerations and steps for deploying security-focused baseline environments on the AWS cloud. Quick start mainly helps deploy a standardized environment that supports organizations with workloads that need PCI DSS compliance.
Quick Start AWS CloudFormation templates include the main template for initial setup and three optional templates for additional customization. These templates automate building a standardized baseline architecture that follows the requirements for PCI DSS. The QuickStart also includes a security controls reference (Microsoft Excel spreadsheet) that shows how the Quick Start components and configuration map to PCI DSS controls.
Architecture for PCI DSS on AWS
Deploying the Quick Start
The templates in the Quick Start automatically configure the AWS resources and deploy a multi-tier, Linux-based web application in the AWS Cloud in a few simple steps. Before deploying the Quick Start, the AWS account should be correctly setup. Then by following the instructions in the deployment guide, the standardized PCI DSS environment can be easily built in less than an hour using all four templates. The Quick Start is modular and customizable. It allows to deploy the entire architecture, or customize or omit resources.
The Figure below illustrate the main architecture:
Standard networking architecture for PCI DSS on AWS with multiple-VPC integration
The components and features of the main template deployment include:
- Basic AWS Identity and Access Management (IAM) configuration with custom IAM policies, with associated groups, roles, and instance profiles.
- PCI-compliant password policy.
- Standard, external-facing virtual private cloud (VPC) Multi-AZ architecture with separate subnets for different application tiers and private (back-end) subnets for the application and the database.
- Managed network address translation (NAT) gateways to allow outbound internet access for resources in the private subnets.
- A secured bastion login host to facilitate command-line Secure Shell (SSH) access to EC2 instances for troubleshooting and systems administration activities.
- Network access control list (network ACL) rules to filter traffic.
- Standard security groups for EC2 instances.
Features provided by separate templates include:
- Centralized logging, monitoring, and alerts using AWS CloudTrail, AWS CloudWatch, and, optionally, AWS Config rules.
- An Amazon Relational Database Service (Amazon RDS) cluster.
- Web application architecture, with three-tier Linux web application using Auto Scaling and an Application Load Balancer, and AWS WAF, are provided by separate templates.
More and more customers are running PCI DSS compliant workloads on AWS, with many compliant applications. New security and governance tools available from AWS and the AWS Partner Network (APN) facilitate building compliance and automated security tasks so enterprises can focus on scaling up their business.
AWS is a PCI-compliant Level 1 Service Provider. Security and compliance are essential shared responsibilities between AWS and the customer. Thus, companies can use AWS with a shared responsibility model. Though it is the customers’ responsibility to maintain their PCI DSS cardholder data environment (CDE) and scope and follow compliance of all controls, the good news is that customers are not alone in this journey. AWS services provided by Managed Service Providers (MSPs) can make it easy.
Authored By: Ravindra Malpute