PCI compliance. You’ve heard about it. You know you need it, but you are not quite sure what it involves or how to achieve it in the cloud. In this post, we take a deeper look at PCI compliance: which requirements matter most for organizations running in the cloud, which organizations need to care about PCI, and how to achieve and maintain PCI compliance for your cloud infrastructure.
What is PCI?
The Payment Card Industry Data Security Standard (PCI DSS, usually shortened to PCI) is a set of security requirements that applies to any organization that stores, processes, or transmits cardholder data or sensitive authentication data. You might think this only applies to merchants doing business online, but that is not true. PCI also applies to financial institutions, developers of payment-processing hardware and software, and other service providers involved in payment card processing, such as Amazon Web Services. If you accept or process payment cards, PCI applies to you, whether you are a small business or a large one. Note that building on a PCI-compliant provider does not make your workloads compliant: under the shared responsibility model, AWS attests to the compliance of its underlying infrastructure, while you remain responsible for how you configure and operate everything you deploy on it.
Why is PCI compliance important?
Maintaining payment security is critical for organizations, and a lack of due diligence in securing sensitive payment information can result in a data breach. Protecting cardholder data involves more than locking the credit card receipts in the file cabinet at night. Distributed cloud architectures add layers of complexity and new ways to get things wrong. In a multi-tenant cloud, workloads belonging to other customers, some of them malicious, may run on the same physical hosts as your cardholder data environment, so organizations must implement extra controls to offset that risk.
PCI Compliance for Cloud Workloads
PCI DSS groups 12 requirements under 6 high-level goals, based on security best practices that address the technical and operational components connected to cardholder data.
While all six goals are important for overall PCI compliance, the following 4 goals and 7 requirements are the most relevant for cloud compliance analysts (Figure 1 - infographic).
Here’s a deeper look at which PCI goals and requirements are especially applicable to achieving compliance in the cloud:
Build and Maintain a Secure Network and Systems
If a payment system network is not secured, malicious individuals can access it and steal cardholder data and sensitive authentication data. Network security controls are paramount for ensuring there are no gaps that would allow unauthorized traffic in or out. It's equally important to ensure that system passwords and parameters are changed from the default settings, or all the firewalls in the world won't protect your network.
Requirement 1: Install and maintain a firewall configuration to protect cardholder data
Firewalls are the first line of defense in protecting cardholder data. They should protect all systems from unauthorized access from untrusted networks. In AWS, this requirement maps primarily to VPC network ACLs and security groups. Make sure security groups are configured on a least-privilege basis: permit ingress only on the specific ports and from the specific source addresses or security groups that a workload needs, and rely on the implicit default deny for everything else. A rule that allows ingress from 0.0.0.0/0 (or ::/0) on an administrative or database port such as 22, 3389, or 3306 is the classic violation.
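To make the security-group check concrete, here is an added example (not code from the original post or from Fugue) that flags ingress rules exposing sensitive ports to the whole Internet. The input mirrors the shape of `aws ec2 describe-security-groups` output, but every group, ID, and rule below is constructed for illustration, and the port list is an assumption you would tune to your own environment.

```python
"""Flag security-group ingress rules that expose sensitive ports to the Internet.

Added example for Requirement 1; not code from the original post or from
Fugue. The input mirrors the shape of `aws ec2 describe-security-groups`
output, but every group, ID and rule below is constructed for illustration.
"""
import ipaddress

# Ports that should never be reachable from the whole Internet in a
# cardholder data environment: remote admin and common database ports.
# This list is an assumption; extend it for your own stack.
SENSITIVE_PORTS = {22, 3389, 1433, 3306, 5432, 6379, 27017}

# Constructed sample in describe-security-groups format (not real groups).
SAMPLE_GROUPS = [
    {   # HTTPS from anywhere is expected for a public web tier;
        # SSH is restricted to the internal range, so this group is clean.
        "GroupId": "sg-0a1b2c3d4e5f6a7b8", "GroupName": "web-tier",
        "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}],
             "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
            {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
             "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": []},
        ],
    },
    {   # Database port open to the world: a Requirement 1 violation.
        "GroupId": "sg-0badbadbadbadbad0", "GroupName": "db-tier",
        "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
        ],
    },
    {   # "-1" means all protocols and all ports; such rules carry no
        # FromPort/ToPort keys at all, which naive checkers miss.
        "GroupId": "sg-0deadbeef00000000", "GroupName": "legacy-bastion",
        "IpPermissions": [
            {"IpProtocol": "-1",
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
        ],
    },
]


def is_public(cidr: str) -> bool:
    """True for 0.0.0.0/0 or ::/0, i.e. the entire Internet."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0


def rule_port_range(rule: dict) -> tuple:
    """Port range a rule covers. Protocol -1 (all traffic) has no port keys
    and covers everything; ICMP rules use -1 as type/code and match nothing."""
    if rule.get("IpProtocol") == "-1":
        return 0, 65535
    return rule.get("FromPort", 0), rule.get("ToPort", 65535)


def public_sources(rule: dict) -> list:
    """CIDR sources on the rule that admit the whole Internet (v4 and v6)."""
    cidrs = [r["CidrIp"] for r in rule.get("IpRanges", [])]
    cidrs += [r["CidrIpv6"] for r in rule.get("Ipv6Ranges", [])]
    return [c for c in cidrs if is_public(c)]


def find_violations(groups: list) -> list:
    """One finding per rule that lets the whole Internet reach a sensitive
    port. Rules scoped to private CIDRs or to other security groups
    (UserIdGroupPairs) are not reported."""
    findings = []
    for group in groups:
        for rule in group.get("IpPermissions", []):
            sources = public_sources(rule)
            if not sources:
                continue
            lo, hi = rule_port_range(rule)
            exposed = sorted(p for p in SENSITIVE_PORTS if lo <= p <= hi)
            if exposed:
                findings.append({"group": group["GroupId"],
                                 "name": group["GroupName"],
                                 "ports": exposed,
                                 "sources": sources})
    return findings


if __name__ == "__main__":
    for f in find_violations(SAMPLE_GROUPS):
        print(f"{f['group']} ({f['name']}): ports {f['ports']} open to {f['sources']}")
```

Run as-is it reports `db-tier` (port 3306) and `legacy-bastion` (every sensitive port, because the all-traffic rule has no port keys) and stays silent on the web tier, whose only public rule is 443. The all-traffic case is the one worth remembering: a checker that reads `FromPort` without handling protocol `-1` will give that bastion group a clean bill of health.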
Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters
PCI's Quick Reference Guide likens failure to change default security parameters upon deployment to "leaving your store physically unlocked when you go home for the night." Such defaults are well known to attackers and easy to find in public documentation. In AWS, this requirement is relevant to resources that can be used to ensure secure communications, such as ELB listeners, S3 bucket policies, and SQS policies. For example, an ELB listener should use HTTPS (or TLS) rather than the HTTP default, which carries traffic in the clear.
Protect Cardholder Data
Preventing malicious individuals from accessing sensitive payment information is one of the most important parts of PCI compliance. Not only does a compromised payment card hurt the customer, it hurts your business. Methods of protecting data include encryption, masking, and not storing cardholder data unless truly necessary.
There are two types of payment card data. Cardholder data includes the primary account number (PAN), the number printed on the card (usually 16 digits, although PANs range from 13 to 19). It may also include the cardholder name, expiration date, and service code, but only when processed, transmitted, or stored together with a full PAN.
Sensitive authentication data refers to data that authenticates cardholders or authorizes transactions. Examples include full magnetic-stripe or chip data, card verification codes, PINs, and PIN blocks. This information must never be stored after authorization, even in encrypted form.
Requirement 3: Protect stored cardholder data
One way to protect cardholder data is to ensure that its storage and retention are limited. PCI offers a good rule of thumb: "Remember, if you don't need it, don't store it!" If you do need to store it, make sure data retention and backups are handled appropriately, and that any PAN you store or display is rendered unreadable (encrypted, truncated, or masked, showing at most the first six and last four digits). This requirement affects AWS services such as S3 buckets, DynamoDB tables, and RDS instances. For example, make sure data at rest is always encrypted, preferably with customer-managed KMS keys rather than the AWS-managed default keys, so that you control the key policy and who can decrypt.
Requirement 4: Encrypt transmission of cardholder data across open, public networks
Another way of protecting cardholder data is to encrypt it in transit. Malicious individuals can intercept or divert cardholder data sent over open networks, so organizations must render the data unreadable on the wire, and only secure protocols should be used for transport. In AWS, this requirement applies to services such as CloudFront, ELB, VPC, S3, and ElastiCache. Ensure that you are only using encrypted protocols such as HTTPS to communicate with these services: for example, a CloudFront distribution should redirect or reject plain HTTP viewer requests, and an S3 bucket policy can deny any request where the aws:SecureTransport condition key is false.
Implement Strong Access Control Measures
The more people who have access to cardholder data, the higher the risk of a breach is. Access should be granted on a need-to-know basis to ensure the data can only be accessed by authorized personnel. By implementing access control systems, you can help prevent data from being mishandled through accident or malice -- and you can limit the potential scope of damage.
Requirement 7: Restrict access to cardholder data by business need to know
"Need to know" means access rights are granted to an individual for the minimum privileges required to carry out their job. When access is deny-all except for these permissions, the chance of accidental exposure is mitigated. In AWS, this requirement involves IAM resources such as policies, roles, and groups.
Requirement 8: Identify and authenticate access to system components
Each person with access to system components should be assigned a unique ID, so that actions on critical data can be traced to an authorized individual and shared accounts are eliminated. A strong password policy is imperative; bad actors compromise user accounts with nonexistent or easily guessable passwords. In AWS, this requirement concerns the IAM account password policy (minimum length, character requirements, rotation, and reuse prevention), MFA for every human user, and keeping root-user credentials out of day-to-day use.
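Here is an added example (not code from the original post or from Fugue) that compares an IAM account password policy with the PCI DSS v3.2 minimums in Requirements 8.2.3 to 8.2.5: at least 7 characters containing both letters and numbers, rotation at least every 90 days, and no reuse of the last 4 passwords. Both policies are constructed in the shape of the `PasswordPolicy` object returned by `aws iam get-account-password-policy`. Two caveats: PCI DSS v4.0 raises the minimum length to 12 characters, so treat these thresholds as a floor, and the IAM password policy has no account-lockout setting, so the lockout part of Requirement 8 has to be met by other means such as MFA enforcement.

```python
"""Compare an IAM account password policy with PCI DSS Requirement 8 minimums.

Added example for Requirement 8; not code from the original post or Fugue.
The two policies are constructed in the shape of the PasswordPolicy object
returned by `aws iam get-account-password-policy`. Thresholds follow PCI DSS
v3.2 8.2.3-8.2.5 (v4.0 raises the minimum length to 12).
"""

# Constructed: a weak policy (IAM allows lengths as low as 6) and a hardened one.
WEAK_POLICY = {
    "MinimumPasswordLength": 6,
    "RequireSymbols": False,
    "RequireNumbers": False,
    "RequireUppercaseCharacters": False,
    "RequireLowercaseCharacters": False,
    "AllowUsersToChangePassword": True,
    "ExpirePasswords": False,
    "HardExpiry": False,
}

HARDENED_POLICY = {
    "MinimumPasswordLength": 14,
    "RequireSymbols": True,
    "RequireNumbers": True,
    "RequireUppercaseCharacters": True,
    "RequireLowercaseCharacters": True,
    "AllowUsersToChangePassword": True,
    "ExpirePasswords": True,
    "MaxPasswordAge": 90,
    "PasswordReusePrevention": 4,
    "HardExpiry": False,
}


def password_policy_gaps(policy: dict) -> list:
    """Return a human-readable gap for each PCI minimum the policy misses.
    MaxPasswordAge and PasswordReusePrevention may be absent from the API
    response when they were never set, so a missing key counts as a gap."""
    gaps = []
    if policy.get("MinimumPasswordLength", 0) < 7:
        gaps.append("minimum length below 7 characters (8.2.3)")
    if not policy.get("RequireNumbers"):
        gaps.append("numeric characters not required (8.2.3)")
    if not (policy.get("RequireUppercaseCharacters")
            or policy.get("RequireLowercaseCharacters")):
        gaps.append("alphabetic characters not required (8.2.3)")
    max_age = policy.get("MaxPasswordAge")
    if not policy.get("ExpirePasswords") or max_age is None or max_age > 90:
        gaps.append("passwords not expired within 90 days (8.2.4)")
    if policy.get("PasswordReusePrevention", 0) < 4:
        gaps.append("fewer than 4 previous passwords remembered (8.2.5)")
    return gaps


if __name__ == "__main__":
    for name, policy in (("weak", WEAK_POLICY), ("hardened", HARDENED_POLICY)):
        gaps = password_policy_gaps(policy)
        print(f"{name}: {'compliant' if not gaps else ', '.join(gaps)}")
```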
Regularly Monitor and Test Networks
The PCI Quick Reference Guide points out that "networks are the glue connecting all endpoints and servers in the payment infrastructure." Malicious actors can exploit holes in a network to access payment card applications and cardholder data, so organizations must regularly monitor networks to find and repair vulnerabilities.
Requirement 10: Track and monitor all access to network resources and cardholder data
It's extremely challenging to find the cause of compromised data without system activity logs. Logging mechanisms are crucial to effective forensics and vulnerability management because they allow thorough tracking and analysis when an incident occurs. For this reason, a CloudTrail trail covering all regions, with log file validation enabled and its log files delivered to an access-controlled S3 bucket, is indispensable for complying with Requirement 10 in AWS. Note that a trail records management (control-plane) API calls by default; object-level reads and writes to a bucket holding cardholder data only appear if S3 data event logging is enabled for that bucket. CloudWatch Logs metric filters and alarms on those events (root-user activity, IAM policy changes, changes to the trail itself, console logins without MFA) provide the alerting side.
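The alerting side looks like this in practice. The following added example (not code from the original post or from Fugue) runs four Requirement 10 detections over CloudTrail records: root-user API activity, calls that weaken the trail itself, console logins that succeed without MFA, and object access to a cardholder data bucket by a principal other than the expected application role. The records are constructed in abbreviated CloudTrail JSON form using the AWS documentation placeholder account 123456789012; the bucket name, role name, and user names are invented, and the set of expected readers is an assumption.

```python
"""Run a few Requirement 10 detections over CloudTrail records.

Added example; not code from the original post or Fugue. The records are
constructed in abbreviated CloudTrail JSON form with the AWS documentation
placeholder account 123456789012 and invented principals and bucket names.
Note that S3 object-level events such as GetObject only reach CloudTrail if
data event logging is enabled for the bucket.
"""

# Buckets holding cardholder data and the only roles expected to read them
# (both assumptions for this example).
CDE_BUCKETS = {"example-cde-bucket"}
EXPECTED_CDE_READERS = {"role/payments-app"}

# CloudTrail API calls that weaken the audit trail itself.
TRAIL_TAMPERING = {"StopLogging", "DeleteTrail", "UpdateTrail", "PutEventSelectors"}

# Constructed, abbreviated CloudTrail records.
SAMPLE_RECORDS = [
    {"eventID": "e1", "eventSource": "s3.amazonaws.com", "eventName": "GetObject",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::123456789012:assumed-role/payments-app/i-0abc123"},
     "requestParameters": {"bucketName": "example-cde-bucket", "key": "tx/2024-01.json"}},
    {"eventID": "e2", "eventSource": "s3.amazonaws.com", "eventName": "GetObject",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/alice"},
     "requestParameters": {"bucketName": "example-cde-bucket", "key": "tx/2024-01.json"}},
    {"eventID": "e3", "eventSource": "cloudtrail.amazonaws.com", "eventName": "StopLogging",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/alice"},
     "requestParameters": {"name": "cde-trail"}},
    {"eventID": "e4", "eventSource": "signin.amazonaws.com", "eventName": "ConsoleLogin",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/bob"},
     "responseElements": {"ConsoleLogin": "Success"},
     "additionalEventData": {"MFAUsed": "No"}},
    {"eventID": "e5", "eventSource": "signin.amazonaws.com", "eventName": "ConsoleLogin",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/carol"},
     "responseElements": {"ConsoleLogin": "Success"},
     "additionalEventData": {"MFAUsed": "Yes"}},
    {"eventID": "e6", "eventSource": "iam.amazonaws.com", "eventName": "CreateAccessKey",
     "userIdentity": {"type": "Root", "arn": "arn:aws:iam::123456789012:root"}},
    {"eventID": "e7", "eventSource": "ec2.amazonaws.com", "eventName": "DescribeInstances",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::123456789012:assumed-role/payments-app/i-0abc123"}},
]


def principal_role(arn: str) -> str:
    """Map an STS ARN (arn:aws:sts::ACCOUNT:assumed-role/NAME/SESSION) to
    role/NAME so every session of a role compares equal; other ARNs are
    reduced to their resource part (user/alice, root)."""
    tail = arn.split(":")[-1]
    if tail.startswith("assumed-role/"):
        return "role/" + tail.split("/")[1]
    return tail


def detect(records) -> list:
    """Apply each rule to each record; return (rule, eventID, principal ARN)."""
    alerts = []
    for rec in records:
        identity = rec.get("userIdentity", {})
        arn = identity.get("arn", "")
        name = rec.get("eventName")
        # Root credentials should never be used for routine API calls.
        # Root actions performed by an AWS service carry invokedBy; skip those.
        if identity.get("type") == "Root" and "invokedBy" not in identity:
            alerts.append(("root-account-used", rec["eventID"], arn))
        if rec.get("eventSource") == "cloudtrail.amazonaws.com" and name in TRAIL_TAMPERING:
            alerts.append(("cloudtrail-tampering", rec["eventID"], arn))
        if (name == "ConsoleLogin"
                and rec.get("responseElements", {}).get("ConsoleLogin") == "Success"
                and rec.get("additionalEventData", {}).get("MFAUsed") != "Yes"):
            alerts.append(("console-login-without-mfa", rec["eventID"], arn))
        bucket = rec.get("requestParameters", {}).get("bucketName")
        if (name in {"GetObject", "PutObject", "DeleteObject"}
                and bucket in CDE_BUCKETS
                and principal_role(arn) not in EXPECTED_CDE_READERS):
            alerts.append(("unexpected-cde-bucket-access", rec["eventID"], arn))
    return alerts


if __name__ == "__main__":
    for rule, event_id, arn in detect(SAMPLE_RECORDS):
        print(f"{rule}: event {event_id} by {arn}")
```

On the sample it raises four alerts (events e2, e3, e4, and e6) and stays quiet on the application role reading its own bucket, the MFA-backed login, and the harmless DescribeInstances. The same four conditions map directly onto CloudWatch Logs metric filters if you would rather alert inside AWS than pull the log files out.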
Being PCI compliant does not guarantee that you will not be hacked. However, by following the PCI requirements, organizations do decrease their risk of data breaches, and they increase the likelihood of catching a breach earlier rather than later, minimizing their exposure.
Fugue evaluates cloud resources for compliance violations and ensures continuous compliance with enterprise security policies. Fugue can help you achieve PCI compliance with your cloud infrastructure.