Table of Contents

Introduction

In today's digital environment, protecting cardholder data is critical. For any organization that is involved in storing, processing, or transmitting cardholder data or sensitive authentication data, the Payment Card  Industry Data Security Standards (PCI) is applicable to you.

What is PCI?

PCI is a compliance standard for protecting payment cardholder data. The overarching goal is to develop a robust security process for payment card data that covers prevention, detection, and response to security incidents.

 

PCI-web-image

Why is PCI Important for Enterprises?

Payment security is paramount. If a bad actor gain unlimited access to cardholder data and leaks it to the internet, repercussions for organizations can include:

  • Steep fines for non-compliant requirements
  • Financial losses
  • Reputational damage
  • Lawsuits
  • Exfiltration of customer credit card information and identities

Requirements for PCI Compliance in the Cloud

ComplianceChecklist image without header

 

Want this information in a pdf? Download our free guide.

PCI-CTA-LARGE

Build and Maintain a Secure Network and Systems

If a payment system network is not secured, malicious individuals can access it and steal cardholder data and sensitive authentication data.

 

Requirement 1: Install and maintain a firewall configuration to protect cardholder data

Firewalls are the first line of defense in protecting cardholder data. They should protect all systems from unauthorized access from untrusted networks. In AWS, this requirement primarily impacts VPCs and security groups.

 

Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters

The failure to change default security parameters upon deployment is similar to leaving your store physically unlocked when you go home for the night. In AWS, this requirement is relevant to resources that can be used to ensure secure communications, such as ELB listeners, S3 bucket policies, and SQS policies.

 

Protect Cardholder Data

Preventing malicious individuals from accessing sensitive payment information is one of the most important parts of PCI compliance.  Not only does a compromised payment card hurt the customer, it also hurts your business.

 

Requirement 3: Protect stored cardholder data

One way to protect cardholder data is to ensure that its storage and retention are limited. PCI suggests a good rule of thumb: "Remember, if you don't need it, don't store it!"

 

Requirement 4: Encrypt transmission of cardholder data across open, public networks

Another way of protecting cardholder data is to encrypt it in transit. Malicious individuals can intercept or divert cardholder data sent over open networks, so organizations should render the data unreadable.

 

PCI#2-Blog-CTA

Implement Strong Access Control Measures

Requirement 7: Restrict access to cardholder data by business need-to-know

The more people who have access to cardholder data, the higher the risk of a breach is. Access should be granted on a need-to-know basis to ensure the data can only be accessed by authorized personnel.

 

Requirement 8: Assign a unique ID to each person with computer access

Each person with access to system components should be assigned a unique ID to ensure actions on critical data are only performed by authorized users. A secure password policy is imperative.

 

Regularly Monitor and Test Networks

Malicious actors can exploit holes in a network to access payment card applications and cardholder data, so organizations must regularly monitor networks to identify and correct vulnerabilities.

 

Requirement 10: Track and monitor all access to network resources and cardholder data

It's extremely challenging to find the cause of compromised data without system activity logs. Logging mechanisms are crucial to effective vulnerability management because they allow thorough tracking and analysis when an incident occurs. For this reason, CloudTrail trails and event log files are indispensable for complying with Requirement 10 in AWS.

 

 

PCI-CTA-1