Comments on: Using Amazon EC2 for PCI DSS compliant applications http://www.cloudiquity.com/2009/04/using-amazon-ec2-for-pci-dss-compliant-applications/ A blog about Cloud, Grid and HPC technologies Mon, 07 Jun 2010 14:44:11 -0400 http://wordpress.org/?v=2.8.4 hourly 1 By: admin http://www.cloudiquity.com/2009/04/using-amazon-ec2-for-pci-dss-compliant-applications/comment-page-1/#comment-299 admin Sat, 22 Aug 2009 15:59:29 +0000 http://www.cloudiquity.com/?p=359#comment-299 Yes, Amazon Have now made a statement on PCI compliance - http://developer.amazonwebservices.com/connect/message.jspa?messageID=139547#139662 Yes, Amazon Have now made a statement on PCI compliance – http://developer.amazonwebservices.com/connect/message.jspa?messageID=139547#139662

]]> By: Jason Rushton http://www.cloudiquity.com/2009/04/using-amazon-ec2-for-pci-dss-compliant-applications/comment-page-1/#comment-266 Jason Rushton Fri, 14 Aug 2009 15:59:15 +0000 http://www.cloudiquity.com/?p=359#comment-266 Thank you for the great post You inspired me to directly confront Amazon on where they stand with PCI compliance which led to Amazon confirming that you cannot in fact be PCI Level 1 compliant using AWS services: http://developer.amazonwebservices.com/connect/thread.jspa?threadID=34960 Some highlights: "It is possible for you to build a PCI level 2 compliant app in our AWS cloud using EC2 and S3, but you cannot achieve level 1 compliance." "we recommend that you do not store sensitive credit card payment information in our EC2/S3 system because it is not inherently PCI level 1 compliant" 2nd response: "We do not and will not provide a written agreement attesting compliance and assuming responsibility for cardholder data." "we recommend customers not to store sensitive credit card payment information on EC2/S3 systems as they are not inherently PCI level 1 compliant" Thank you for the great post

You inspired me to directly confront Amazon on where they stand with PCI compliance which led to Amazon confirming that you cannot in fact be PCI Level 1 compliant using AWS services:

http://developer.amazonwebservices.com/connect/thread.jspa?threadID=34960

Some highlights:

“It is possible for you to build a PCI level 2 compliant app in our AWS cloud using EC2 and S3, but you cannot achieve level 1 compliance.”

“we recommend that you do not store sensitive credit card payment information in our EC2/S3 system because it is not inherently PCI level 1 compliant”

2nd response:

“We do not and will not provide a written agreement attesting compliance and assuming responsibility for cardholder data.”

“we recommend customers not to store sensitive credit card payment information on EC2/S3 systems as they are not inherently PCI level 1 compliant”

]]> By: admin http://www.cloudiquity.com/2009/04/using-amazon-ec2-for-pci-dss-compliant-applications/comment-page-1/#comment-239 admin Thu, 23 Jul 2009 14:43:23 +0000 http://www.cloudiquity.com/?p=359#comment-239 Amazon web services have publicaly stated that they are working with a public accounting firm to provide SAS70 Type II ceritification. http://developer.amazonwebservices.com/connect/entry!default.jspa?categoryID=152&externalID=1697 We are not aware of the of any timelines or of the certification completion date. Amazon web services have publicaly stated that they are working with a public accounting firm to provide SAS70 Type II ceritification.

http://developer.amazonwebservices.com/connect/entry!default.jspa?categoryID=152&externalID=1697

We are not aware of the of any timelines or of the certification completion date.

]]> By: Matt Dean http://www.cloudiquity.com/2009/04/using-amazon-ec2-for-pci-dss-compliant-applications/comment-page-1/#comment-238 Matt Dean Wed, 22 Jul 2009 12:08:28 +0000 http://www.cloudiquity.com/?p=359#comment-238 You mentioned in the post that Amazon will be able to provide a SAS70 Type 2 Audit Statement in July. Do you know whether they're still on track to achieve that? You mentioned in the post that Amazon will be able to provide a SAS70 Type 2 Audit Statement in July. Do you know whether they’re still on track to achieve that?

]]> By: admin http://www.cloudiquity.com/2009/04/using-amazon-ec2-for-pci-dss-compliant-applications/comment-page-1/#comment-237 admin Wed, 08 Jul 2009 18:47:17 +0000 http://www.cloudiquity.com/?p=359#comment-237 One of the requirements to be PCI DSS compliant is Requirement 12.8.2 Maintain a written agreement that includes an acknowledgement that the service providers are responsible for the security of cardholder data the service providers possess. Testing Procedure12.8.2 Verify that the written agreement includes an acknowledgement by the service providers of their responsibility for securing cardholder data. Reference: https://www.pcisecuritystandards.org/security_standards/download.html?id=pci_dss_v1-2.pdf page 56 A service provider is defined as “Service Provider Business entity that is not a payment brand, directly involved in the processing, storage, or transmission of cardholder data. This also includes companies that provide services that control or could impact the security of cardholder data. Examples include managed service providers that provide managed firewalls, IDS and other services as well as hosting providers and other entities. Entities such as telecommunications companies that only provide communication links without access to the application layer of the communication link are excluded.” Reference: https://www.pcisecuritystandards.org/pdfs/pci_dss_glossary.pdf page 12 I am not a lawyer but Amazon does not provide any written guarantee to the above affect. See another blog discussion http://www.mckeay.net/2008/11/02/pci-compliance-in-the-cloud-get-it-in-writing/ I don’t think any other general Cloud company provides the above guarantee. So the solution to look for SaaS PCC DSS client service rather than running your own service in the cloud infrastructure. One of the requirements to be PCI DSS compliant is

Requirement 12.8.2 Maintain a written agreement that includes an acknowledgement that the service providers are responsible for the security of cardholder data the service providers possess.

Testing Procedure12.8.2 Verify that the written agreement includes an acknowledgement by the service providers of their responsibility for securing cardholder data.

Reference: https://www.pcisecuritystandards.org/security_standards/download.html?id=pci_dss_v1-2.pdf page 56

A service provider is defined as
“Service Provider Business entity that is not a payment brand, directly involved in the processing, storage, or transmission of cardholder data. This also includes companies that provide services that control or could impact the security of cardholder data. Examples include managed service providers that provide managed firewalls, IDS and other services as well as hosting providers and other entities. Entities such as telecommunications companies that only provide communication links without access to the application layer of the communication link are excluded.”

Reference: https://www.pcisecuritystandards.org/pdfs/pci_dss_glossary.pdf page 12

I am not a lawyer but Amazon does not provide any written guarantee to the above affect.

See another blog discussion
http://www.mckeay.net/2008/11/02/pci-compliance-in-the-cloud-get-it-in-writing/

I don’t think any other general Cloud company provides the above guarantee. So the solution to look for SaaS PCC DSS client service rather than running your own service in the cloud infrastructure.

]]> By: Demi http://www.cloudiquity.com/2009/04/using-amazon-ec2-for-pci-dss-compliant-applications/comment-page-1/#comment-235 Demi Thu, 02 Jul 2009 16:43:54 +0000 http://www.cloudiquity.com/?p=359#comment-235 Hi Cloudiquity I am looking at how to get a company PCI DSS compliant. This seems like a big headache for companies who want to offer card payment options to customers - I am a cloud advocate so I was wondering if there are any 'all in one' cloud services a company could subscribe to to manage card payments so that no cardholder data is required to be stored at the company and the cloud provider can meet the PCI CSS requirements? I envision embedding a card payment service in to whatever webapp triggers the need to collect some card holder data. Apologies if I am a little ignorant - I am new to the PCI DSS reqs and the technology to meet them thanks Demi Hi Cloudiquity

I am looking at how to get a company PCI DSS compliant.

This seems like a big headache for companies who want to offer card payment options to customers – I am a cloud advocate so I was wondering if there are any ‘all in one’ cloud services a company could subscribe to to manage card payments so that no cardholder data is required to be stored at the company and the cloud provider can meet the PCI CSS requirements?

I envision embedding a card payment service in to whatever webapp triggers the need to collect some card holder data.

Apologies if I am a little ignorant – I am new to the PCI DSS reqs and the technology to meet them

thanks
Demi

]]>