AWS Adopts New Credit Card Security Requirements
The newest security standard for credit card transactions has its first major cloud adopter in Amazon Web Services (AWS).
The credit card industry's security standards body, which is made up of major financial institutions like Visa, American Express and MasterCard, routinely publishes a set of security guidelines for all businesses and organizations that use individuals' credit card information. The guidelines, called the Payment Card Industry Data Security Standard (PCI DSS), are meant to ensure that businesses implement a certain level of security protections to safeguard consumers' personally identifiable data, as well as reduce credit card fraud.
With more and more consumers making their purchases online, and with businesses in general moving away from traditional on-premises computing and toward the cloud, it has become very important in recent years for cloud providers to be PCI DSS-compliant. Each of the top three cloud providers -- AWS, Google and Microsoft -- is certified to meet PCI DSS standards. However, AWS this week became the first to adopt the newest version of the PCI DSS, version 3.2, which was unveiled back in April.
"AWS is the first cloud service provider (CSP) to successfully complete the assessment against the newly released PCI Data Security Standard (PCI DSS) version 3.2," said Chad Woolf, director of risk and compliance at AWS, in a blog post Monday.
Version 3.2 of the PCI DSS replaces the current version, which expires on Oct. 31 this year. Organizations have until Feb. 1, 2018, to adopt the new version or they risk falling out of compliance. Woolf said that adopting version 3.2 so quickly out of the gate "demonstrates [AWS'] commitment to information security as our highest priority."
PCI DSS Version 3.2 includes a number of notable changes compared to its predecessor. For one, service providers are now required to enforce multifactor authentication "for any personnel with non-console administrative access to the systems handling card data," according to a statement by Troy Leach, chief technology officer of the PCI Security Standards Council. For another, it mandates that businesses perform penetration testing on segmented environments every six months, instead of annually. Providers are also required under version 3.2 to perform quarterly reviews of their personnel to assess their adherence to security policies.
Leach outlines a number of other changes in this FAQ.
AWS qualifies as a Level 1 service provider under the PCI DSS, which means it processes a high volume of credit card transactions -- upwards of 300,000 per year. AWS counts 26 of its various cloud services as compliant with version 3.2, including Amazon Redshift, Amazon EC2, Amazon S3 and AWS Config. A full list of compliant services is available here.
AWS is also releasing an updated "compliance package," which can be obtained by filling out this form, to help its customers understand the implications of being certified for version 3.2. According to Woolf, the package includes materials that will guide customers who are:
- Planning to host a PCI Cardholder Data Environment at AWS.
- Preparing for a PCI DSS assessment.
- Assessing, documenting, and certifying the deployment of a Cardholder Data Environment on AWS.