Cloud service provider Amazon Web Services (AWS) recently announced its successful adoption of the latest PCI Data Security Standard (PCI DSS 3.2). In this blog post, we talk with Amol Sangle, Technical Compliance Program Manager, AWS, on cloud security and the importance of PCI DSS compliance in protecting customer payment data. AWS is a member of the PCI SSC Board of Advisors and will be speaking at the 2016 PCI North America Community Meeting in Las Vegas, September 20-22.
Congratulations on AWS’ adoption of PCI DSS 3.2! First, can you tell us briefly what AWS does?
Amol Sangle: AWS is a secure cloud services provider, offering compute power, database storage, content delivery and other functionality to help businesses scale and grow.
AWS also provides customers with the ability to create their own cardholder data environment (CDE) that can store, transmit or process cardholder data using AWS services. Although AWS does not directly manage the storage, transmission and processing of customer cardholder data (CHD), our compliance with PCI DSS 3.2 as a service provider enables our customers to do so in a secure and compliant manner on AWS.
How does AWS’ compliance with PCI DSS 3.2 benefit your customers?
Amol Sangle: AWS’s compliance with PCI DSS 3.2 means our customers can confidently leverage AWS products and services to meet security and compliance objectives. In validating PCI DSS compliance against the latest set of criteria, we are providing an environment to help our customers be early adopters of the new standard.
What do you see as the most common security challenges for businesses operating in the cloud?
Amol Sangle: Depending upon the cloud service and deployment model, many security implementations are shared between the cloud service provider and the system owner, and operating under this shared responsibility model can represent a technical and/or an organizational shift. Clear guidelines, like the new PCI DSS standard, help to provide more clarity for businesses to develop and maintain a robust security control environment in the cloud.
But the cloud can actually help resolve security challenges and meet the demand for a higher level of security. For example, as companies grow and their scope expands, the complexity of managing security increases. PCI DSS has a requirement to centralize log collection and monitoring, which can be challenging when there is a high volume of logs. The AWS Cloud can help with that by providing a way to centrally collect logs and perform that monitoring function.
Additionally, since businesses span many regional and international boundaries, it is challenging to understand and apply the various regulations and standards across the company, especially if the data location means that security controls aren’t applied as needed. For example, some local laws and regulations have strict limits around data handling and retention. Addressing multiple unique data handling laws can be difficult and time consuming for businesses operating in multiple countries. AWS gives companies a great amount of granular control over where data resides, whether they want to move it to another jurisdiction or prevent it from being moved. You also have a great amount of visibility and transparency into which controls are applied to which resources, and how those controls are operating. This granular control is greatly reducing the security and regulation risks associated with international business operations.
Can you give us a quick preview of what the AWS team will be speaking about at the upcoming PCI Community Meeting?
Amol Sangle: Our presentation will cover advanced incident response techniques and security best practices for customers deploying payment environments in compliance with PCI DSS on AWS. We’ll also be discussing assessment techniques for QSAs evaluating controls of cardholder environments on AWS.