Discussion Forums
Thread: Does Amazon EC2 meet PCI Compliance guidelines?
This question is answered. Helpful answers available: 1. Correct answers available: 1.
Replies: 13 - Pages: 1 - Last Post: Oct 15, 2009 8:14 PM by: lyalc

Posts: 6
Registered: 12/17/07
Does Amazon EC2 meet PCI Compliance guidelines?
Posted: Aug 8, 2009 9:55 AM PDT
We're looking to move our infrastructure to EC2, but can't find any official statement regarding Amazon's PCI status.
On request, will Amazon provide a written agreement attesting compliance and assuming responsibility for cardholder data?
One of the requirements to be PCI DSS compliant is:
Requirement 12.8.2: Maintain a written agreement that includes an acknowledgement that the service providers are responsible for the security of cardholder data the service providers possess.
Testing Procedure 12.8.2: Verify that the written agreement includes an acknowledgement by the service providers of their responsibility for securing cardholder data.
Reference: https://www.pcisecuritystandards.org/security_standards/download.html?id=pci_dss_v1-2.pdf, page 56
A service provider is defined as:
“Service Provider: Business entity that is not a payment brand, directly involved in the processing, storage, or transmission of cardholder data. This also includes companies that provide services that control or could impact the security of cardholder data. Examples include managed service providers that provide managed firewalls, IDS and other services as well as hosting providers and other entities. Entities such as telecommunications companies that only provide communication links without access to the application layer of the communication link are excluded.”
Message was edited by: Jason Rushton

Posts: 2,808
Registered: 7/10/08
Re: Does Amazon EC2 meet PCI Compliance guidelines?
Posted: Aug 8, 2009 12:28 PM PDT
in response to: Jason Rushton
Helpful
I think you'll find the opposite:
From this page:
http://aws.amazon.com/agreement/
We are not responsible for any unauthorized access to, alteration of, or the deletion, destruction, damage, loss or failure to store any of, Your Content (as defined in Section 10.2), your Applications, or other data which you submit or use in connection with your account or the Services.
You agreed to that when you opened an AWS account.

Posts: 6
Registered: 12/17/07
Re: Does Amazon EC2 meet PCI Compliance guidelines?
Posted: Aug 8, 2009 1:53 PM PDT
in response to: Shlomo Swidler
Thanks for the insight. I dug through the agreement much more closely, and it does look like Amazon is taking the complete opposite stance from what would be required for PCI compliance.
I would still greatly appreciate an official answer from Amazon though.
5.1.1. Provided that you comply with the terms of this Agreement and our policies and procedures for the use of Amazon S3, you may use Amazon S3 to store, retrieve and serve software applications, data and/or content owned, licensed or lawfully obtained by you (all of the foregoing, to the extent actually stored on Amazon S3, “Your Amazon S3 Content”). You acknowledge that neither we nor our licensors are responsible in any manner, and you are solely responsible, for your Amazon S3 Content.
5.4.1. Provided that you comply with the terms of this Agreement and our policies and procedures for the use of Amazon EC2, you may use Amazon EC2 to execute Applications owned or lawfully obtained by you. You are solely responsible for your Applications, including any data, text, images or content contained therein.
7.2. Security. We strive to keep Your Content secure, but cannot guarantee that we will be successful at doing so, given the nature of the Internet. Accordingly, without limitation to Section 4.3 above and Section 11.5 below, you acknowledge that you bear sole responsibility for adequate security, protection and backup of Your Content and Applications. We strongly encourage you, where available and appropriate, to (a) use encryption technology to protect Your Content from unauthorized access, (b) routinely archive Your Content, and (c) keep your Applications or any software that you use or run with our Services current with the latest security patches or updates. We will have no liability to you for any unauthorized access or use, corruption, deletion, destruction or loss of any of Your Content or Applications.
11.8. Limitations of Liability. NEITHER WE NOR ANY OF OUR LICENSORS SHALL BE LIABLE TO YOU FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, CONSEQUENTIAL OR EXEMPLARY DAMAGES, INCLUDING, BUT NOT LIMITED TO, DAMAGES FOR LOSS OF PROFITS, GOODWILL, USE, DATA OR OTHER LOSSES (EVEN IF WE HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES) IN CONNECTION WITH THIS AGREEMENT, INCLUDING, WITHOUT LIMITATION, ANY SUCH DAMAGES RESULTING FROM: (i) THE USE OR THE INABILITY TO USE THE SERVICES; (ii) THE COST OF PROCUREMENT OF SUBSTITUTE GOODS AND SERVICES; OR (iii) UNAUTHORIZED ACCESS TO OR ALTERATION OF YOUR CONTENT. IN ANY CASE, OUR AGGREGATE LIABILITY UNDER THIS AGREEMENT SHALL BE LIMITED TO THE AMOUNT ACTUALLY PAID BY YOU TO US HEREUNDER FOR THE SERVICES. SOME JURISDICTIONS DO NOT ALLOW THE EXCLUSION OF CERTAIN WARRANTIES OR THE LIMITATION OR EXCLUSION OF LIABILITY FOR INCIDENTAL OR CONSEQUENTIAL DAMAGES. ACCORDINGLY, SOME OR ALL OF THE ABOVE EXCLUSIONS OR LIMITATIONS MAY NOT APPLY TO YOU, AND YOU MAY HAVE ADDITIONAL RIGHTS.

Posts: 6
Registered: 12/17/07
Re: Does Amazon EC2 meet PCI Compliance guidelines?
Posted: Aug 11, 2009 10:02 AM PDT
in response to: Jason Rushton
The more I look, the more it seems that it is currently not possible to meet PCI compliance using Amazon services.
I would still like to find any official statement from Amazon on whether it actually is possible to be PCI compliant using AWS, in my case EC2 and S3 specifically. If not, are there plans to provide a way for businesses that handle credit cards and thus require PCI compliance to use their services?

Posts: 5,320
Registered: 3/19/07
Re: Does Amazon EC2 meet PCI Compliance guidelines?
Posted: Aug 11, 2009 10:33 AM PDT
in response to: Jason Rushton
See PCI DSS 12.8: "If cardholder data is shared with service providers...". Are you planning on sharing cardholder data with Amazon? If not, then 12.8.2 does not apply.

Posts: 6
Registered: 12/17/07
Re: Does Amazon EC2 meet PCI Compliance guidelines?
Posted: Aug 11, 2009 12:07 PM PDT
in response to: Allen
How can storing cardholder data on s3 or an ec2 instance not constitute sharing?
Requirement 12.8.2: Maintain a written agreement that includes an acknowledgement that the service providers are responsible for the security of cardholder data the service providers possess.
There's no question that Amazon would be in possession of cardholder data.
It's on their hardware running in their datacenter being managed by their employees.

Posts: 5,320
Registered: 3/19/07
Re: Does Amazon EC2 meet PCI Compliance guidelines?
Posted: Aug 11, 2009 1:31 PM PDT
in response to: Jason Rushton
Storing the data in encrypted form and not giving Amazon the means nor authorization to decrypt or use it definitely does not constitute "sharing".

Posts: 6
Registered: 12/17/07
Re: Does Amazon EC2 meet PCI Compliance guidelines?
Posted: Aug 12, 2009 7:37 AM PDT
in response to: Allen
I finally got an official answer back from Amazon staffing.
The verdict is that you cannot be fully PCI compliant on top of the cloud, and Amazon explicitly recommends NOT storing credit card information on S3/EC2.
Hi,
Thank you for contacting Amazon Web Services. Our payment system is PCI compliant and it is an “alternative payment processing service” meaning your users re-direct to our platform to conduct the payment event using their credit cards or bank accounts. The benefit for you is that we handle all the sensitive customer data so you don’t have to. If you haven’t looked at it, I highly suggest you check out the features and functions of our Flexible Payment Service and our Payment Widgets (http://aws.amazon.com/fps).
As for PCI level 2 compliance, that requires external scanning via a 3rd party, PCI-approved vendor. It is possible for you to build a PCI level 2 compliant app in our AWS cloud using EC2 and S3, but you cannot achieve level 1 compliance. And you have to provide the appropriate encryption mechanisms and key management processes. If you have a data breach, you automatically need to become level 1 compliant which requires on-site auditing; that is something we cannot extend to our customers. This seems like a risk that could challenge your business; as a best practice, I recommend businesses always plan for level 1 compliance. So, from a compliance and risk management perspective, we recommend that you do not store sensitive credit card payment information in our EC2/S3 system because it is not inherently PCI level 1 compliant. It is quite feasible for you to run your entire app in our cloud but keep the credit card data stored on your own local servers which are available for auditing, scanning, and on-site review at any time.
Regards,
Cindy S.
Amazon Web Services
http://aws.amazon.com

Posts: 6
Registered: 12/17/07
Re: Does Amazon EC2 meet PCI Compliance guidelines?
Posted: Aug 13, 2009 12:01 PM PDT
in response to: Jason Rushton
I just got another response from Amazon reconfirming the previous answer.
Hi Jason,
Thanks for contacting us. I manage sales for AWS in the Southwest Region.
We are excited to hear about your interest in moving to EC2. We do not and will not provide a written agreement attesting compliance and assuming responsibility for cardholder data. Please see below for our general guidance on PCI compliance.
From a compliance and risk management perspective, we recommend customers not to store sensitive credit card payment information on EC2/S3 systems as they are not inherently PCI level 1 compliant. It is quite feasible for one to run an entire application in the AWS cloud while keeping the credit card data stored within the local servers at the customer site, which are available for auditing, scanning, and on-site review at any time. As for PCI level 2 compliance, that requires external scanning via a 3rd party, PCI-approved vendor. It is possible for you to build a PCI level 2 compliant app in our AWS cloud using EC2 and S3.
Flexible Payment Service (FPS), which is the AWS payment system, is PCI compliant and it is an “alternative payment processing service” meaning a customer’s users re-direct to our platform to conduct the payment event using their credit cards or bank accounts.
Let me know if you have any follow-up questions.
Thanks, Taimur
Taimur Rashid
Account Manager
Amazon Web Services
E-mail: taimur@amazon.com
http://aws.amazon.com

Posts: 5
Registered: 12/14/08
Re: Does Amazon EC2 meet PCI Compliance guidelines?
Posted: Aug 13, 2009 2:23 PM PDT
in response to: Jason Rushton
Hi Jason, a couple of options.
Look at going with a payment service provider that stores the customer's credit card information, and you access it with a token, such as Authorize.net CIM or ARB. Using Authorize as an example, you would not store any credit card information on ec2/s3 or your own servers.
The other option is to develop your own in-house system, secure that on site with hardware/software, use AWS services, and connect through your own payment API. Best of luck.
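As an added example (not from the thread, AWS or Authorize.net), this sketches the second option above and the split the AWS replies describe: a token vault that lives only on the merchant's own servers, so the EC2/S3-hosted application persists a random token and a masked PAN but never the card number. The `TokenVault` class, the `tok_` prefix and the sample PANs are constructed for illustration.

```python
"""Added example: an on-premises token vault. Only the vault runs on the
merchant's own (PCI in-scope) servers; the EC2/S3-hosted application keeps
the token and masked PAN it returns, never the card number itself.
Names (TokenVault, tok_ prefix) and the sample PANs are constructed."""
import re
import secrets


def luhn_valid(pan: str) -> bool:
    """Luhn check digit, so the vault rejects malformed card numbers."""
    total = 0
    parity = len(pan) % 2
    for i, ch in enumerate(pan):
        d = int(ch)
        if i % 2 == parity:          # every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Display form: at most first six and last four digits (PCI DSS 3.3)."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


class TokenVault:
    """In-scope component: holds the token-to-PAN mapping on site.
    Tokens are random, so a leaked token reveals nothing about the PAN."""

    def __init__(self) -> None:
        self._pan_by_token = {}

    def tokenize(self, pan: str) -> str:
        if not re.fullmatch(r"\d{13,19}", pan) or not luhn_valid(pan):
            raise ValueError("not a well-formed PAN")
        token = "tok_" + secrets.token_hex(16)
        while token in self._pan_by_token:     # vanishingly rare collision
            token = "tok_" + secrets.token_hex(16)
        self._pan_by_token[token] = pan
        return token

    def detokenize(self, token: str) -> str:
        """Only the on-site payment gateway connector should call this."""
        return self._pan_by_token[token]


def cloud_customer_record(vault: TokenVault, pan: str) -> dict:
    """What the EC2/S3 side is allowed to persist: token plus masked PAN."""
    return {"token": vault.tokenize(pan), "card_display": mask_pan(pan)}
```

The same PAN tokenized twice yields two unrelated tokens, so the cloud-side records cannot even be correlated by card without the vault.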

Posts: 1
Registered: 5/7/06

Posts: 2
Registered: 8/17/09
Re: Does Amazon EC2 meet PCI Compliance guidelines?
Posted: Aug 17, 2009 6:36 PM PDT
in response to: AJV
Hmm, interesting exchange.
Amazon clearly states you CAN be PCI compliant on their system within the thread, yet somehow everyone ignores this. This is worth highlighting rather than downplaying.
You can NOT be PCI level ONE compliant - but this really only applies to banks and MAJOR retailers.
If you are that big, it is a completely different ballgame. Put it this way - you will be spending $40,000+ just to be assessed for PCI compliance.
Most of us will be screwed if that happens, anyway. The Amazon data center matches all PCI requirements - the main problem is your PCI assessor cannot visit it - but this is only required for the highest level - which most of us don't need.
You still need to lock down your own server and match all the procedures - but the good news is that YES, you can become properly PCI compliant on these servers at much lower cost than anywhere else.
As to having to move servers in the case of having a break-in, that is at that stage your smallest problem. After all, PCI compliance of your database center is only half of the compliance anyway.
So you basically want to get the most affordable way to become PCI compliant you can get and make sure no one can get card details from your system in whichever way you want, within the regulations.
After all, PCI compliance does not only kick in if you store credit cards. Just using an open source e-commerce solution which connects to a payment gateway in the background via an API requires PCI compliance, as it transfers credit card details without storing them.
So this thread is great news. :)
Message was edited by: Thomas Franken

Posts: 2
Registered: 8/17/09
Re: Does Amazon EC2 meet PCI Compliance guidelines?
Posted: Aug 17, 2009 6:59 PM PDT
in response to: Thomas Franken
Just to clarify - PCI level 1 compliance is not the same as the SAQ validation type you have to select, which is in fact inverted.

Posts: 1
Registered: 10/15/09
Re: Does Amazon EC2 meet PCI Compliance guidelines?
Posted: Oct 15, 2009 8:14 PM PDT
in response to: Thomas Franken
Here's an important update for interested readers.
MasterCard will soon require on-site validation (i.e. QSA assessment) for Level 2 merchants.
Given the other information in this thread, no one can ever be PCI compliant on EC2.
The reason: all PCI DSS requirements apply equally; only the validation process varies, between on-site assessments and Self Assessment Questionnaires.
SAQ C or D would apply to this platform.
lyalc - a QSA