Can Amazon Cloud Be PCI Compliant? Not Likely

Written by Peter Spier
July 10th, 2012

Peter Spier, CISSP, CRISC, CISM, PMP, QSA, PA-QSA is Manager of Professional Services at Fortrex Technologies.

Amazon’s higher-end Web cloud offering is often considered one of the more secure cloud options. But a careful read of Amazon’s FAQ raises very serious compliance questions.

Let’s start with PCI’s own virtualization guidelines from June 2011: “In a public cloud environment, additional controls must be implemented to compensate for the inherent risks and lack of visibility into the public cloud architecture. A public cloud environment could, for example, host hostile out-of-scope workloads on the same virtualization infrastructure as a cardholder data environment. More stringent preventive, detective, and corrective controls are required to offset the additional risk that a public cloud, or similar environment, could introduce to an entity’s CDE. These challenges may make it impossible for some cloud-based services to operate in a PCI DSS compliant manner. Consequently, the burden for providing proof of PCI DSS compliance for a cloud-based service falls heavily on the cloud provider, and such proof should be accepted only based on rigorous evidence of adequate controls.”

That seems pretty clear. In a public cloud environment—such as AWS—the retailer must be able to examine credible evidence demonstrating that all elements of the environment are secure, and not simply rely on a third party’s word. That includes the virtual private cloud (VPC) alternative, because even its isolated network space runs on AWS-based infrastructure. Therefore, to effectively support merchants and service providers who choose to use its services, Amazon should be prepared to be forthcoming about, and supportive of, QSA validation, right? Not quite.

This is from Amazon’s FAQ: “A merchant can obtain certification without a physical walkthrough of a service provider’s data center if the service provider is a Level 1 validated service provider (such as AWS). A merchant’s QSA can rely on the work performed by our QSA, which included an extensive review of the physical security of our data centers.”

Amazon takes this position despite the PCI DSS version 2.0 Requirement 9 validation procedures, which instruct the QSA to verify physical controls and require that both the QSA and the merchant/service provider annually verify the security of storage locations.

Perhaps compliance is still possible, if we assume Amazon provides the following. Amazon would have to provide Report on Compliance (ROC) content completed within a reasonable period of the merchant’s own assessment date, given that PCI assessments must reflect a specific point in time. Amazon would also need to detail the specific control evaluations it performed, and how each control applies to the cardholder data environment scope defined by the merchant/service provider.

But what are the odds of this happening, given that Amazon won’t permit a simple walkthrough, let alone a customer site visit?

Then again, as Amazon states on its AWS Security and Compliance Center page, “Only those within Amazon who have a legitimate business need to have such information know the actual location of these data centers.” Therein lies perhaps the most puzzling of questions for cloud service adopters: Where exactly is your data? We can only assume, based on Amazon’s documentation, that the secrecy is “a security thing.”

In fact, datacenter providers have long grumbled at having QSAs complete walkthroughs of their facilities, and yet it happens every day without any known case of a resulting malicious security incident. So, is Amazon to be treated as a case of some datacenters being more equal than others? Not if the merchant’s QSA is adhering to the ROC Reporting Instructions.

Amazon continues: “The AWS environment is a virtualized, multi-tenant environment. AWS has effectively implemented security management processes, PCI controls, and other compensating controls that effectively and securely segregate each customer into its own protected environment.”

Hmmm. OK. Well, we know that compensating controls are used when a PCI DSS requirement cannot be met due to an identified constraint, and that they must also meet the intent and rigor of the original control. Notice how there is no mention of compensating control worksheets being included in the PCI Compliance Package? Perhaps if the merchant asks nicely.

Amazon is indeed offering some documentation about how its QSA has approved what Amazon has done. But what’s missing is documentation—and access—so your QSA can do the same for you.

Disagree? Would love to hear from you, either with a comment below or you can zap me an E-mail.
