AWS PCI compliance: What you should know
Everyone from technology insiders to those with minimal technical skills has heard of “the cloud,” and most have heard of Amazon Web Services or AWS too. Did you know AWS can have a significant hand in your journey toward achieving and maintaining PCI compliance? Let’s take a closer look at how your cloud provider can impact your PCI DSS needs.
How does using AWS affect your PCI compliance?
More and more companies in eCommerce and other businesses that process payments are building their networks on the cloud (with AWS or another cloud provider) as opposed to building them with physical servers.
PCI compliance is all about protecting your customers’ payment data, and there are different ways to secure that data in cloud-based networks compared to physical networks. For example, a physical network may warrant more safeguards against accessing your services like door locks and ID cards, while cloud-based networks need more protections against cyber attacks.
Whether you are transitioning your technology onto AWS or you’ve been using AWS from the start of your network’s development, the cloud provider can be a valuable asset in your PCI compliance.
How AWS can help your PCI compliance
AWS aims to make the process easier for you. If you host your network on AWS, Amazon has a variety of tools you can use to assess your compliance, identify security gaps, and create a plan to become compliant.
AWS PCI tools to help your compliance strategy
In making your network on AWS PCI DSS compliant, it’s important to have a plan to not only close security gaps you have today but also detect and close future security gaps. One way to make this simpler is by using the tools AWS has available. While several of these tools do have added costs, they may be able to save you enough time and hassle that they are worth the cost.
Amazon GuardDuty is an AWS tool that continuously monitors your AWS account. It looks for signs of potential breaches and malicious activity. GuardDuty can help you to safeguard your cloud-based network to protect your customers’ payment data, which is a key component of PCI compliance.
Amazon Inspector is a more direct Amazon cloud PCI tool that the company created to help with compliance. This automated program scans your security configuration to check for continued security compliance and identify any ways in which you may not be compliant. This is an effective way to make sure that any changes you make to your network don’t compromise your data safety or your PCI compliance.
Amazon GuardDuty and Amazon Inspector are both paid services you can add to your AWS account. AWS Artifact, on the other hand, is a free service that helps you manage these tools and other reports.
Specifically, AWS Artifact is a portal that tracks your AWS SOC and PCI reports, including reports on access controls, PCI compliance, and potential gaps in security. It is a way to make your other PCI DSS AWS services more manageable and keep all your essential reports in one place.
While the previous three tools are automated programs, AWS also offers guides that are designed to educate you rather than monitor your security for you. They provide an AWS PCI compliance workbook, developed in conjunction with a PCI compliance auditor, to help you design your AWS network in a secure and compliant way.
In addition to an AWS PCI compliance checklist, this workbook includes details about sample network architectures that have been designed within AWS to be secure and PCI compliant. You can use those sample architectures as guides while building your own network.
How do you know you can trust the AWS PCI compliant services?
PCI compliance is critical for your business. How do you know that AWS’s tools are sophisticated and accurate enough for you to rely on?
First, AWS is highly knowledgeable about the PCI compliance process. The company is a PCI DSS level one service provider. This means that they have gone through extensive onsite auditing, and continue to go through this auditing process each year, to verify that they are PCI compliant. AWS’s compliance documentation and the AWS PCI AoC, or Attestation of Compliance, are all available for anyone to review.
Second, no one knows AWS’s platform (and how to secure a network on their platform) better than AWS themselves. Their mastery of both the platform and the PCI compliance requirements makes them an established authority whose knowledge can be valuable as you pursue and maintain your own PCI compliance.
Using a toolbox of aids to make your Amazon PCI DSS compliance smoother
While the AWS PCI DSS compliant services like GuardDuty and Inspector can be great assets in your journey toward PCI compliance, they aren’t your only options. In fact, the smoothest compliance process usually comes from using a toolbox of different tools together.
AWS tools pair well with Vanta’s PCI compliance tool to evaluate your network with the PCI DSS in mind and provide you with a detailed report about what steps you need to take to secure your data.
More about PCI
FEATURED VANTA RESOURCE
The ultimate guide to scaling your compliance program
Learn how to scale, manage, and optimize alongside your business goals.
PCI Compliance Selection Guide
Determine Your PCI Compliance Level
If your organization processes, stores, or transmits cardholder data, you must comply with the Payment Card Industry Data Security Standard (PCI DSS), a global mandate created by major credit card companies. Compliance is mandatory for any business that accepts credit card payments.
When establishing strategies for implementing and maintaining PCI compliance, your organization needs to understand what constitutes a Merchant or Service Provider, and whether a Self Assessment Questionnaire (SAQ) or Report on Compliance (ROC) is most applicable to your business.
Answer a few short questions and we’ll help identify your compliance level.
Does your business offer services to customers who are interested in your level of PCI compliance?
Identify your PCI SAQ or ROC level
The PCI Security Standards Council has established the below criteria for Merchant and Service Provider validation. Use these descriptions to help determine the SAQ or ROC that best applies to your organization.
Good news! Vanta supports all of the following compliance levels:
A SAQ A is required for Merchants that do not require the physical presence of a credit card (like an eCommerce, mail, or telephone purchase). This means that the Merchant’s business has fully outsourced all cardholder data processing to PCI DSS compliant third party Service Providers, with no electronic storage, processing, or transmission of any cardholder data on the Merchant’s system or premises.
Get PCI DSS certified
A SAQ A-EP is similar to a SAQ A, but is a requirement for Merchants that don't receive cardholder data, but control how cardholder data is redirected to a PCI DSS validated third-party payment processor.
Learn more about eCommerce PCI
A SAQ D includes over 200 requirements and covers the entirety of PCI DSS compliance. If you are a Service Provider, a SAQ D is the only SAQ you’re eligible to complete.
Use our PCI checklist
A Report on Compliance (ROC) is an annual assessment that determines your organization’s ability to protect cardholder data. If you’re a Merchant that processes over six million transactions annually or a Service Provider that processes more than 300,000 transactions annually, your organization is responsible for both a ROC and an Attestation of Compliance (AOC).
Automate your ROC and AOC
Download this checklist for easy reference
Learn more about how Vanta can help. You can also find information on PCI compliance levels at the PCI Security Standards Council website or by contacting your payment processing partner.
The compliance news you need. Delivered securely to your inbox.