Standardized architecture for PCI DSS compliance on AWS

Deploy an AWS architecture and meet more than just secure payment requirements

Most enterprises today are either moving or planning to move their workloads to the cloud. Helped by technological advances, public cloud adoption is growing rapidly because of the scalability, availability, and cost benefits it offers. But enterprises are often concerned about security: are the clouds secure enough? With a growing online presence, online payments have become an essential part of almost every type of business transaction, which raises the concern that the private data of credit cardholders is exposed. Systems handling financial data are prime targets of cyber-attacks as credit card fraud rises, so financial data must be protected from exploitation. The question is whether enough cloud security protocols are in place. The answer is yes, and to ensure compliance in the cloud, we need to know about PCI DSS compliance.

The payment card industry (PCI) underpins our financial transactions, and it needs to protect cardholder data (CHD) and sensitive authentication data (SAD) from unauthorized access and loss. PCI DSS applies to all companies that process, transmit, or store cardholder data, whether they are service providers, merchants, processors, or issuers, and any application that stores, processes, or transmits cardholder data must be protected. Compliance with the Payment Card Industry (PCI) Data Security Standard (DSS) is therefore essential. Adherence to the standard means meeting its control objectives: the network must be secured, cardholder data must be protected, strong access controls must be implemented, and more.

In this post, we will look at an AWS architecture that supports Payment Card Industry requirements and see how Amazon Web Services (AWS) can help organizations ensure PCI DSS compliance in the cloud.

PCI DSS compliance

Financial institutions possess and process data that is highly sensitive. The PCI DSS aims to protect cardholder data (CHD) and sensitive authentication data (SAD) from unauthorized access and loss. Cardholder data includes the Primary Account Number (PAN), cardholder name, expiry date, and service code. Sensitive authentication data (SAD) contains:

  • The full track data (magnetic-stripe data or equivalent on a chip)
  • PINs/PIN blocks.

PCI DSS helps to ensure that companies maintain a secure environment for storing, processing, and transmitting credit card information.

Compliance Architectures and AWS cloud

The AWS Cloud provides a standardized architecture for Payment Card Industry (PCI) Data Security Standard (DSS) compliance. AWS compliance solutions help streamline, automate, and implement secure baselines in AWS, from initial design to operational security readiness. Built with the expertise of AWS solutions architects and security and compliance personnel, these solutions help build a secure and reliable architecture through automation. Setting up this standardized PCI DSS environment involves using a Quick Start reference deployment guide.

This Quick Start is part of a set of AWS compliance offerings, which provide security-focused, standardized architecture solutions. It helps Managed Service Providers (MSPs), cloud-provisioning teams, developers, integrators, and information security teams follow strict security, compliance, and risk management controls. The deployment guide describes architectural considerations and steps for deploying security-focused baseline environments on the AWS Cloud. The Quick Start mainly helps deploy a standardized environment that supports organizations with workloads that need PCI DSS compliance.

The Quick Start's AWS CloudFormation templates include a main template for the initial setup and three optional templates for additional customization. These templates automate building a standardized baseline architecture that follows the requirements of PCI DSS. The Quick Start also includes a security controls reference (Microsoft Excel spreadsheet) that shows how the Quick Start components and configuration map to PCI DSS controls.

Architecture for PCI DSS on AWS

Deploying the Quick Start

The templates in the Quick Start automatically configure the AWS resources and deploy a multi-tier, Linux-based web application in the AWS Cloud in a few simple steps. Before deploying the Quick Start, the AWS account should be set up correctly. Then, by following the instructions in the deployment guide, the standardized PCI DSS environment can be built in less than an hour using all four templates. The Quick Start is modular and customizable: you can deploy the entire architecture, or customize or omit resources.

The figure below illustrates the main architecture:

Standard networking architecture for PCI DSS on AWS with multiple-VPC integration

The components and features of the main template deployment include:

  • Basic AWS Identity and Access Management (IAM) configuration with custom IAM policies, with associated groups, roles, and instance profiles.
  • PCI-compliant password policy.
  • Standard, external-facing virtual private cloud (VPC) Multi-AZ architecture with separate subnets for different application tiers and private (back-end) subnets for the application and the database.
  • Managed network address translation (NAT) gateways to allow outbound internet access for resources in the private subnets.
  • A secured bastion login host to facilitate command-line Secure Shell (SSH) access to EC2 instances for troubleshooting and systems administration activities.
  • Network access control list (network ACL) rules to filter traffic.
  • Standard security groups for EC2 instances.

Features provided by separate templates include:

  • Centralized logging, monitoring, and alerts using AWS CloudTrail, Amazon CloudWatch, and, optionally, AWS Config rules.
  • An Amazon Relational Database Service (Amazon RDS) cluster.
  • A web application architecture: a three-tier Linux web application using Auto Scaling, an Application Load Balancer, and AWS WAF.
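The main template's "PCI-compliant password policy" is an IAM account password policy. The check below is an added example, not part of the Quick Start or this post: it evaluates a policy dictionary shaped like the `PasswordPolicy` object that `boto3`'s `iam.get_account_password_policy()` returns against PCI DSS v3.2.1 requirements 8.2.3 (at least 7 characters, numeric and alphabetic), 8.2.4 (rotate within 90 days), and 8.2.5 (no reuse of the last four). Both sample policies are constructed, so it runs offline.

```python
from typing import Dict, List

# Constructed samples in the shape of IAM's PasswordPolicy response; no AWS call here.
WEAK_POLICY: Dict = {
    "MinimumPasswordLength": 6,
    "RequireNumbers": False,
    "RequireUppercaseCharacters": False,
    "RequireLowercaseCharacters": True,
    "RequireSymbols": False,
    "AllowUsersToChangePassword": True,
    "ExpirePasswords": False,          # no MaxPasswordAge is returned when False
    "PasswordReusePrevention": 1,
}

PCI_POLICY: Dict = {
    "MinimumPasswordLength": 14,
    "RequireNumbers": True,
    "RequireUppercaseCharacters": True,
    "RequireLowercaseCharacters": True,
    "RequireSymbols": True,
    "AllowUsersToChangePassword": True,
    "ExpirePasswords": True,
    "MaxPasswordAge": 90,
    "PasswordReusePrevention": 24,
    "HardExpiry": False,
}


def pci_password_findings(policy: Dict) -> List[str]:
    """Return one finding per PCI DSS v3.2.1 password requirement the policy misses."""
    findings: List[str] = []
    if policy.get("MinimumPasswordLength", 0) < 7:
        findings.append("8.2.3: minimum length must be at least 7 characters")
    if not policy.get("RequireNumbers", False):
        findings.append("8.2.3: passwords must contain numeric characters")
    if not (policy.get("RequireUppercaseCharacters", False)
            or policy.get("RequireLowercaseCharacters", False)):
        findings.append("8.2.3: passwords must contain alphabetic characters")
    # A missing/absent MaxPasswordAge means passwords never expire.
    max_age = policy.get("MaxPasswordAge") if policy.get("ExpirePasswords") else None
    if max_age is None or max_age > 90:
        findings.append("8.2.4: passwords must expire at least every 90 days")
    if policy.get("PasswordReusePrevention", 0) < 4:
        findings.append("8.2.5: at least the last 4 passwords must not be reusable")
    return findings


def is_pci_compliant(policy: Dict) -> bool:
    return not pci_password_findings(policy)
```

To audit a live account, feed it `boto3.client("iam").get_account_password_policy()["PasswordPolicy"]`; note that IAM raises `NoSuchEntityException` when no custom policy has ever been set, which should itself be treated as a finding.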

More and more customers are running PCI DSS compliant workloads and applications on AWS. New security and governance tools from AWS and the AWS Partner Network (APN) make it easier to build compliance in and automate security tasks, so enterprises can focus on scaling their business.

AWS is a PCI DSS compliant Level 1 Service Provider. Security and compliance are shared responsibilities between AWS and the customer, so companies use AWS under a shared responsibility model. Although it remains the customer's responsibility to maintain and scope their PCI DSS cardholder data environment (CDE) and to comply with all applicable controls, customers are not alone in this journey: AWS services delivered by Managed Service Providers (MSPs) can make it easier.

Authored By: Ravindra Malpute
