PCI DSS Compliance for Cloud Infrastructure

Protect Cardholder Payment Data

icon Get Compliance Check

If your organization accepts or processes payment cards and is in the cloud, you must be in compliance with PCI Data Security Standards (PCI). PCI is categorized into 6 high-level goals mapped to 12 requirements based on security best practices that addresses technical and operational components connected to cardholder data.

The following 4 goals and 7 requirements are the most relevant for organizations in the cloud.


Build and Maintain a Secure Network
Requirement 1: Install and maintain a firewall configuration to protect cardholder data

Firewalls are the first line of defense in protecting cardholder data. They should protect all systems from unauthorized access from untrusted networks. In AWS, this requirement primarily impacts VPCs and security groups. In particular, ensure that security groups are properly configured, such as only permitting ingress to specific ports or addresses and doing a default deny on everything else.

Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters

PCI's Quick Reference Guide likens failure to change default security parameters upon deployment to "leaving your store physically unlocked when you go home for the night." Such security defaults are well known by hackers and easy to find via public information. In AWS, this requirement is relevant to resources that can be used to ensure secure communications, such as ELB listeners, S3 bucket policies, and SQS policies. For example, an ELB listener protocol should be set to HTTPS instead of the default HTTP, which is insecure.


Protect Cardholder Data
Requirement 3: Protect stored cardholder data

One way to protect cardholder data is to ensure that its storage and retention are limited. PCI suggests a good rule of thumb: "Remember, if you don't need it, don't store it!" If you do need to store it, make sure data retention and backups are handled appropriately. This requirement affects AWS services such as S3 buckets, DynamoDB tables, and RDS instances. For example, make sure that data at rest is always encrypted with customer managed keys, as opposed to default encryption keys.

Requirement 4: Encrypt transmission of cardholder data across open, public networks

Another way of protecting cardholder data is to encrypt in transit. Malicious individuals can intercept or divert cardholder data sent over open networks, so organizations should render the data unreadable. Only secure protocols should be used for transport. In AWS, this requirement applies to services such as CloudFront, ELB, VPC, S3, and ElastiCache. Ensure that you are only using encrypted protocols such as HTTPS to communicate to these services.


Implement Strong Access Control Measures
Requirement 7: Restrict access to cardholder data by business need-to-know

"Need to know" means access rights are granted to an individual for the minimum privileges required to carry out their job. When access is deny-all except for these permissions, the chance of accidental exposure is mitigated. In AWS, this requirement involves IAM resources such as policies, roles, and groups.

Requirement 8: Assign a unique ID to each person with computer access

Each person with access to system components should be assigned a unique ID to ensure actions on critical data are only performed by authorized users. A secure password policy is imperative -- bad actors can compromise user accounts with nonexistent or easily guessable passwords. This requirement concerns AWS IAM password policies.


Regularly Monitor and Test Networks
Requirement 10: Track and monitor all access to network resources and cardholder data

It's extremely challenging to find the cause of compromised data without system activity logs. Logging mechanisms are crucial to effective vulnerability management because they allow thorough tracking and analysis when an incident occurs. For this reason, CloudTrail trails and event log files are indispensable for complying with Requirement 10 in AWS. CloudWatch filters and metric alarms are also applicable.


Read PCI Blog

Detect Compliance Violations

Fugue continuously evaluate your cloud environments for PCI compliance violations with predefined rules mapped to PCI compliance controls. If a resource is determined as non-compliant, an alert will be sent to notify the compliance team. The compliance team can then determine whether to correct the non-compliant resource setting an established baseline for future enforcement.

Enforce Baselines with Codeless Auto-Remediation

Fugue utilizes baselines to auto-remediate and correct compliance violations via self-healing. With baseline enforcement, misconfiguration is automatically corrected back to the PCI-compliant baseline without writing automation scripts. 

Enforce Baselines with Codeless Auto-Remediation

Report on Compliance Posture

Fugue makes it easy to report on your PCI compliance posture. Detailed reports, dashboards, and visualizations are available to easily track and monitor your cloud resources. Daily or weekly reports highlighting compliant and non-compliant resources can be emailed to executives or auditors  to show proof of compliance.

PCI Compliance with Fugue

Schedule a demo to see how Fugue can help your organization ensure that your infrastructure configurations are PCI compliant.

icon Schedule A Demo