How to Make your Systems PCI-DSS Compliant on AWS

11 April 2018

Amazon Web Services gives merchants and their customers an efficient way to transact online. As a merchant, you use AWS to build applications that analyze your market, store the resulting data and deliver your services to prospective buyers. Much of that data is payment card data, and a key ingredient of succeeding with AWS is minimizing the risk of its theft, which is exactly what PCI DSS compliance is designed to do. For merchants running a business on AWS, PCI compliance can look like a steep challenge to surmount. Here, then, are the steps towards it.

What is PCI?

The Payment Card Industry Data Security Standard (PCI DSS) is a set of security requirements designed to safeguard the operating environments of businesses that accept, process, transmit or store payment card data. The standard is maintained by the PCI Security Standards Council, founded by the major card brands in 2006, with the aim of minimizing the risk of cardholder data theft that came with the growth of online transactions.

As a merchant, you are responsible for implementing PCI DSS in your own environment; your acquiring bank and the card brands enforce it, while the PCI Security Standards Council maintains the standard and keeps it up to date and responsive to emerging issues in online transactions.

The Components of the PCI DSS Compliance

PCI DSS compliance revolves around safeguarding the cardholder data (CHD) that a merchant or business stores, processes or transmits. The standard is organized into twelve high-level requirements, each broken down into many detailed, testable controls, but the following areas hold the key to securing customers' data:

  • Merchants must install and maintain firewalls (or equivalent network controls) that isolate the systems handling card data from the rest of the network
  • Stored cardholder data must be protected (encrypted, truncated, tokenized or hashed), and card data must be encrypted whenever it is transmitted over open, public networks
  • Merchants must restrict access to cardholder data to the people and systems that need it, using unique identities and strong authentication
  • Merchants must maintain a vulnerability management program: timely patching, anti-malware controls and secure development practices
  • Merchants must log and monitor all access to network resources and cardholder data, and test their security controls regularly

Why it matters to be PCI DSS Compliant for AWS merchants

The Amazon Web Services platform operates on a shared responsibility model. AWS is responsible for the security of the cloud (the physical facilities, hardware, network and virtualization layer) and has had that infrastructure assessed as PCI DSS compliant as a service provider. You, the merchant, remain responsible for security in the cloud: the operating systems, applications, network configuration, identities and the cardholder data you put onto the platform. Inheriting AWS's attestation does not make your workload compliant; the moment card data flows through systems you run on AWS, those systems are in scope and you must implement the controls that make them PCI DSS compliant.

The key weaknesses that fraudsters are likely to exploit include:

  • Unencrypted card data sent over a network, including traffic between your own application tiers inside AWS
  • Bulk transfers of data into the AWS cloud (for example, during a migration) performed without encryption and integrity checks, so that the data can be read or tampered with in transit
  • Operating AWS infrastructure without a compliance strategy, so that in-scope systems are never identified, segmented or assessed
  • Lacking multi-factor authentication on console, API and administrative access, which exposes your infrastructure and systems to anyone who obtains a password or access key

How to make your AWS Infrastructure PCI-DSS Compliant

If you are already using the cloud as the growth vehicle for your business, there are several AWS building blocks you can adopt on the way to PCI DSS compliance. These include:

Virtual Private Cloud from Amazon

Amazon VPC lets you create a logically isolated virtual network inside the AWS cloud, with your own address ranges, subnets, route tables and gateways, and place your in-scope resources in it. Because a VPC resembles a traditional network, you can reproduce the segmentation a well-run data center would have: put the systems that store or process card data (the cardholder data environment, or CDE) in private subnets with no direct internet route, and restrict traffic into them with security groups and network ACLs. Segmentation does not reduce your obligations for the systems inside the CDE, but it is what lets you keep everything else out of scope.

A VPC does not encrypt traffic by itself. Encryption in transit is added on top of it, historically with Secure Sockets Layer (SSL) and today with its successor, Transport Layer Security (TLS), terminated at your load balancers, your web servers or the endpoints of the AWS services you call. These protocols protect the points where data is exchanged between terminals.

It is worth noting that SSL and early TLS (TLS 1.0) are no longer considered strong cryptography by the PCI Security Standards Council: PCI DSS requires migration to TLS 1.1 or higher, with TLS 1.2 strongly recommended, by 30 June 2018. The performance cost of TLS on modern hardware is small and is not a reason to leave card data in transit unencrypted.
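The segmentation described above is only as good as the security group rules that enforce it, and an assessor will read them. The following is an added example, not code from the original article or from AWS: a small audit that reads the JSON shape produced by `aws ec2 describe-security-groups` and flags inbound rules a PCI assessor would question. The group IDs, CIDRs and the allowed-port policy are constructed assumptions for the example.

```python
"""Audit AWS security groups for the network controls PCI DSS Requirement 1
expects around a cardholder data environment (CDE).

The sample below is a constructed, hypothetical excerpt shaped like the output
of `aws ec2 describe-security-groups --output json`; it is not data from any
real account, and the policy constants are this example's own assumptions.
"""
import ipaddress
import json

# Constructed sample data (hypothetical group IDs and CIDRs).
SAMPLE_DESCRIBE_SECURITY_GROUPS = json.dumps({
    "SecurityGroups": [
        {"GroupId": "sg-0a1b2c3d4e5f60001", "GroupName": "cde-web",
         "IpPermissions": [
             {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
              "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []},
             {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
              "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []}]},
        {"GroupId": "sg-0a1b2c3d4e5f60002", "GroupName": "cde-db",
         "IpPermissions": [
             {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
              "IpRanges": [{"CidrIp": "203.0.113.0/24"}], "UserIdGroupPairs": []},
             {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
              "IpRanges": [],
              "UserIdGroupPairs": [{"GroupId": "sg-0a1b2c3d4e5f60001"}]}]},
        {"GroupId": "sg-0a1b2c3d4e5f60003", "GroupName": "cde-bastion",
         "IpPermissions": [
             {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}],
              "UserIdGroupPairs": []}]},
    ]
})

# Assumed policy for this example.
ANYWHERE = {"0.0.0.0/0", "::/0"}
INTERNET_FACING_PORTS = {443}      # the only service a CDE group may expose publicly
MANAGEMENT_PORTS = {22, 3389}      # SSH / RDP
RFC1918 = [ipaddress.ip_network(c)
           for c in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(cidr):
    """True if an IPv4 CIDR lies entirely inside RFC 1918 private space."""
    net = ipaddress.ip_network(cidr, strict=False)
    return net.version == 4 and any(net.subnet_of(p) for p in RFC1918)


def port_span(rule):
    """(from, to) for a rule; protocol '-1' means every port."""
    if rule.get("IpProtocol") == "-1":
        return 0, 65535
    return rule.get("FromPort", 0), rule.get("ToPort", 65535)


def audit_security_groups(describe_output_json):
    """Return (group_id, finding) tuples for rules a PCI assessor would question."""
    findings = []
    for sg in json.loads(describe_output_json)["SecurityGroups"]:
        gid = sg["GroupId"]
        for rule in sg.get("IpPermissions", []):
            lo, hi = port_span(rule)
            cidrs = {r["CidrIp"] for r in rule.get("IpRanges", [])}
            cidrs |= {r["CidrIpv6"] for r in rule.get("Ipv6Ranges", [])}
            if cidrs & ANYWHERE:
                if rule.get("IpProtocol") == "-1":
                    findings.append((gid, "all protocols and ports open to the internet"))
                elif not (lo == hi and lo in INTERNET_FACING_PORTS):
                    findings.append((gid, f"ports {lo}-{hi} open to the internet"))
            # Management access from outside private space should arrive only via a
            # bastion or VPN that enforces MFA (PCI DSS Requirement 8.3).
            for cidr in cidrs - ANYWHERE:
                if not is_rfc1918(cidr) and any(lo <= p <= hi for p in MANAGEMENT_PORTS):
                    findings.append((gid, f"management port reachable from non-private range {cidr}"))
    return findings


if __name__ == "__main__":
    for gid, msg in audit_security_groups(SAMPLE_DESCRIBE_SECURITY_GROUPS):
        print(f"{gid}: {msg}")
```

Rules whose source is another security group (the `UserIdGroupPairs` form, as in the database rule above) produce no finding: that is the pattern you want inside a CDE, since reachability then follows group membership rather than addresses. Run the same function over the real output of `describe-security-groups` and keep the report with your compliance evidence.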

Elastic Load Balancing

ELB is a key component of most AWS-powered applications. It distributes incoming traffic across multiple targets, such as EC2 instances, so that the application scales and stays available. Elastic Load Balancing health-checks its targets and sends requests only to the healthy ones. For a PCI environment the load balancer is also where client connections are usually terminated, so its TLS configuration is part of your compliance evidence. There are three variants of ELB.

Classic Load Balancers

Classic Load Balancers operate at both the connection level (layer 4) and the request level (layer 7). A CLB works on both the EC2-Classic and EC2-VPC platforms and accepts the following protocols: HTTP, HTTPS, TCP and SSL. It can terminate TLS using a predefined or custom security policy, and it supports sticky sessions based on its own cookie or on your application's cookie.

Network Load Balancers

The Network Load Balancer is a second-generation load balancer that works at layer 4. It provisions a load balancer node in each enabled Availability Zone and distributes connections from those nodes to the registered targets. NLB is fault tolerant: when a target fails its health checks, new connections are routed only to the remaining healthy targets. With a TCP listener an NLB passes the connection through unchanged, so encrypting card data in transit is then the job of the instances behind it.

Application Load Balancers (ALB)

Application Load Balancers operate at layer 7 and are best suited to microservices, where requests must be routed by host or path to several services, possibly running on different ports of a single EC2 instance. In contrast to Classic Load Balancers, ALBs do not support back-end server authentication: they do not validate the certificates presented by your targets even when re-encrypting to them, so the target network must be trusted and segmented. Additionally, ALBs function only on the EC2-VPC platform.
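Whichever variant you use, the listener configuration is what decides whether card data crosses the network in the clear or under SSL/early TLS. The following is an added example, not code from the article or from AWS: it reads the JSON shape produced by `aws elbv2 describe-listeners` for an Application Load Balancer and flags plaintext listeners that forward traffic and HTTPS listeners whose predefined security policy still accepts a protocol version below TLS 1.2. The listener ARNs and ports are constructed, and the mapping from policy name to minimum protocol version reflects this example's reading of the AWS documentation, which you should confirm against the current policy table.

```python
"""Audit ALB listeners for PCI DSS Requirement 4 (encryption in transit):
no plaintext listeners that forward traffic, and no SSL / early TLS.

The sample is a constructed, hypothetical excerpt shaped like the output of
`aws elbv2 describe-listeners --output json`; it is not data from any real
account. MIN_TLS_BY_POLICY is this example's assumption about AWS's predefined
policies and must be verified against the current documentation.
"""
import json

# Constructed sample data (hypothetical ARNs, documentation account ID).
_ACCT = "arn:aws:elasticloadbalancing:us-east-1:123456789012"
SAMPLE_DESCRIBE_LISTENERS = json.dumps({
    "Listeners": [
        {"ListenerArn": f"{_ACCT}:listener/app/cde-alb/50dc6c495c0c9188/f2f7dc8efc522ab2",
         "Port": 443, "Protocol": "HTTPS", "SslPolicy": "ELBSecurityPolicy-2016-08",
         "DefaultActions": [{"Type": "forward",
                             "TargetGroupArn": f"{_ACCT}:targetgroup/cde-web/73e2d6bc24d8a067"}]},
        {"ListenerArn": f"{_ACCT}:listener/app/cde-alb/50dc6c495c0c9188/0a1b2c3d4e5f6071",
         "Port": 80, "Protocol": "HTTP",
         "DefaultActions": [{"Type": "redirect",
                             "RedirectConfig": {"Protocol": "HTTPS", "Port": "443",
                                                "StatusCode": "HTTP_301"}}]},
        {"ListenerArn": f"{_ACCT}:listener/app/cde-alb/50dc6c495c0c9188/1b2c3d4e5f607182",
         "Port": 8443, "Protocol": "HTTPS", "SslPolicy": "ELBSecurityPolicy-TLS-1-2-2017-01",
         "DefaultActions": [{"Type": "forward",
                             "TargetGroupArn": f"{_ACCT}:targetgroup/cde-api/84f3e7cd35e9b178"}]},
        {"ListenerArn": f"{_ACCT}:listener/app/cde-alb/50dc6c495c0c9188/2c3d4e5f60718293",
         "Port": 8080, "Protocol": "HTTP",
         "DefaultActions": [{"Type": "forward",
                             "TargetGroupArn": f"{_ACCT}:targetgroup/cde-legacy/95a4f8de46fac289"}]},
    ]
})

# Lowest protocol version each predefined policy accepts (example's assumption).
MIN_TLS_BY_POLICY = {
    "ELBSecurityPolicy-2015-05": "TLSv1",
    "ELBSecurityPolicy-2016-08": "TLSv1",
    "ELBSecurityPolicy-FS-2018-06": "TLSv1",
    "ELBSecurityPolicy-TLS-1-1-2017-01": "TLSv1.1",
    "ELBSecurityPolicy-TLS-1-2-2017-01": "TLSv1.2",
    "ELBSecurityPolicy-TLS-1-2-Ext-2018-06": "TLSv1.2",
}
TLS_ORDER = {"SSLv3": 0, "TLSv1": 1, "TLSv1.1": 2, "TLSv1.2": 3, "TLSv1.3": 4}
# PCI DSS accepts TLS 1.1 as the floor and recommends 1.2; this example insists on 1.2.
REQUIRED_MIN_TLS = "TLSv1.2"


def audit_listeners(describe_output_json):
    """Return (listener_label, finding) tuples for listeners that fail the policy."""
    findings = []
    for lsn in json.loads(describe_output_json)["Listeners"]:
        label = f"{lsn['Protocol']}:{lsn['Port']}"
        actions = {a["Type"] for a in lsn.get("DefaultActions", [])}
        if lsn["Protocol"] == "HTTP":
            # Plaintext is tolerable only when the listener does nothing but redirect to HTTPS.
            if actions != {"redirect"}:
                findings.append((label, "plaintext listener forwards traffic; card data "
                                        "would cross the network unencrypted"))
            continue
        if lsn["Protocol"] in ("TCP", "UDP", "TCP_UDP"):
            findings.append((label, "passthrough listener; verify TLS on the targets"))
            continue
        policy = lsn.get("SslPolicy")
        min_tls = MIN_TLS_BY_POLICY.get(policy)
        if min_tls is None:
            findings.append((label, f"unknown security policy {policy!r}; review manually"))
        elif TLS_ORDER[min_tls] < TLS_ORDER[REQUIRED_MIN_TLS]:
            findings.append((label, f"policy {policy} accepts {min_tls}, "
                                    f"below required {REQUIRED_MIN_TLS}"))
    return findings


if __name__ == "__main__":
    for label, msg in audit_listeners(SAMPLE_DESCRIBE_LISTENERS):
        print(f"{label}: {msg}")
```

The port 80 listener passes because its only action is a redirect to HTTPS, so no request body ever reaches a target over plaintext; the port 8080 listener is the same protocol but forwards, and is flagged. Unknown policy names are reported rather than silently accepted, which is the behaviour you want when AWS introduces a policy the table has not caught up with.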

How can you incorporate AWS services in your company?

Amazon Web Services lets customers create a customized environment for safe and fast online transactions. As the business owner, AWS gives you a cheap, secure, scalable and reliable platform on which to grow your digital brand. But to benefit from AWS, you need to know how to incorporate it into your company.

Amazon Machine Image (AMI) – a preconfigured template from which you launch virtual servers ('instances') on EC2, such as the servers that run your shopping cart or update customer records. For PCI DSS, build hardened base images that meet your configuration standards (Requirement 2) and launch every in-scope instance from them, so that no server starts from an unknown state.

Application programming interfaces – the points of interaction through which you and your tooling create and configure your cloud environment, rather than clicking through a console. Because every API call is made with an identity you control, you can require MFA for those identities, restrict them to least privilege and record every call in AWS CloudTrail, which provides the audit trail of administrative activity that PCI DSS Requirement 10 asks for.

PCI compliance holds the key to the success and growth of businesses built on the AWS platform. While the initial stages of PCI compliance may be steep, successful implementation opens a path to continuous growth, because your customers will trust you with their most sensitive data.

Ken Lynch Bio

Ken Lynch is an enterprise software startup veteran, who has always been fascinated about what drives workers to work and how to make work more engaging. Ken founded Reciprocity to pursue just that. He has propelled Reciprocity’s success with this mission-based goal of engaging employees with the governance, risk, and compliance goals of their company in order to create more socially minded corporate citizens. Ken earned his BS in Computer Science and Electrical Engineering from MIT. Learn more at ReciprocityLabs.com.
