AWS Cloud Operations & Migrations Blog

Align Business and IT to achieve and sustain PCI DSS compliance

The Payment Card Industry Data Security Standard (PCI DSS) contains hundreds of individual requirements that apply to broad swaths of an organization’s personnel and IT landscape. PCI DSS compliance can be a challenge for customers involved with payments and for those that interact with credit and debit cardholder data. The PCI DSS refers to cardholder data, together with sensitive authentication data, as account data. This post walks you through the most common roadblocks customers face when they start considering PCI DSS compliance and provides guidance on how to envision and achieve a sustainable compliance journey.

The AWS Cloud gives teams access to new technologies and capabilities that aren’t available on-premises for securely storing and processing account data. Security and compliance objectives can be met, and often greatly enhanced, using AWS cloud services and automation capabilities. However, leaders need to understand that technology and security are not the only PCI DSS challenges to focus on when looking at compliance using the AWS cloud. Leaders need to empower their people to be successful and will need to update processes, procedures, policies, and technologies to take advantage of these opportunities.

Introduction

What is PCI DSS?
Payment cards are among the most widely used means of payment and are an attractive target for fraud and identity theft. Established in response to rising card fraud, PCI DSS is a multi-faceted security standard that includes requirements for security management, policies, procedures, network architecture, software design, and other protective measures; together these form a defense-in-depth posture. The PCI Security Standards Council (PCI SSC), founded in 2006 by the five major card brands (MasterCard, Visa, Discover, American Express, and JCB International), maintains the standard. The PCI SSC sets the requirements; enforcement, including validation deadlines and penalties, is the responsibility of each card brand and its acquiring banks. The standard defines the security baseline that merchants, processors, acquirers, issuers, and service providers must meet when they store, process, or transmit account data.

Why is PCI DSS required?
PCI DSS applies to every organization that stores, processes, or transmits account data, regardless of its size or the number of transactions it handles, and such organizations can be held liable for a compromise. The specific obligations, including which validation method (self-assessment questionnaire or on-site assessment) applies, depend on how the organization handles payments. PCI DSS is generally a contractual obligation flowing from card brand rules and merchant or service provider agreements rather than a statute. Organizations that handle account data should nonetheless treat it as mandatory: meeting it reduces the likelihood of a breach and avoids non-compliance fees.

What happens if companies don’t comply with PCI Standards?
Failure to meet PCI DSS requirements carries a number of risks.

  • If a merchant or service provider is non-compliant, their acquiring bank or the Card Brand(s) whose cards are impacted may revoke their ability to process payments or issue cards.
  • Both service providers and merchants could lose customer confidence and face significant reputational losses.
  • As part of their merchant agreement, companies may be subject to fines and penalties imposed by banks and payment processors.
  • Companies may face legal costs, settlements, and judgments as a result of civil lawsuits involving the loss of personal data and privacy violations.

As an example, consider the Target data breach in 2013, in which attackers stole 40 million credit and debit card records and personal information for 70 million customers. The Target breach was one of the biggest security breaches in history, and it cost the company:

  • $10 million paid in a class action lawsuit to affected consumers in March 2015.
  • $19 million paid to Mastercard in an April 2015 settlement.
  • $67 million paid to Visa in August 2015.
  • $39.4 million paid to banks and credit unions in a December 2015 settlement.
  • $18.5 million directly in a settlement with 47 US States.

In its 2016 annual report, Target reported cumulative breach-related expenses of $292 million, or $202 million net of cyber-insurance recoveries.

Common Observations

  • PCI DSS is often misunderstood as the sole responsibility of IT and Security teams. It is an organizational responsibility and impacts any line of business and supporting teams involved with payment processing. It can extend to Retail Staff, Human Resources, Governance, Risk, and Compliance teams, and more.
  • Too often, business stakeholders are left out of discussions about PCI DSS compliance, which are led solely by technical and security teams. This can result in business interruptions when technology changes made for compliance unexpectedly break existing business processes. Every compliance requirement has three components: people, process, and technology. With PCI DSS, the focus is often on technology alone. Business stakeholders should be consulted from the very beginning to identify the right people and processes involved in payment activity.
  • According to Verizon’s 2022 Data Breach Investigations Report 82% of breaches involved human elements, including stolen credentials, phishing, errors, and misuse. “Front line” personnel play a critical role in the payment and account data processing lifecycle. To secure sensitive data and avoid costly security events, they must understand the importance of security controls and the business impact of non-compliance. Training employees on PCI DSS compliance requirements should be one of the first steps taken when starting this process.

Recommendations

  • Determine the extent to which the PCI DSS will impact your organization. Review all business process flows and their underlying infrastructure that involve the acceptance, storage, or processing of cardholder data. Identify all aspects of your business that need to be PCI DSS-compliant.
  • Identify the business, technology, and key stakeholders who would be responsible for or are impacted by PCI DSS compliance initiatives. Obtain senior leadership support, identify shared goals and business outcomes, develop a strategic vision, and document clear roles and responsibilities.
  • Create an end-to-end transaction workflow map that shows how card transactions are processed, how the data flows upstream and downstream, and where the data is stored. Understand where sensitive data exists so you can understand what to protect and how.
  • The AWS cloud provides far greater visibility into your workloads than a legacy on-premises environment. This has benefits, but it can also present challenges: with far more data readily accessible than on-premises, your team can quickly become overwhelmed trying to separate the important signal from the noise. Conduct a threat model and risk assessment of your PCI DSS environment to determine the security assurance you need to meet PCI DSS logging and monitoring requirements, and monitor specifically for those risk indicators rather than alerting on everything you can collect.
  • Measure twice, cut once. Planning is key to preparing for PCI DSS compliance. Identify all security requirements and plan for those technical security controls in advance. This includes, but is not limited to, security elements such as logging and monitoring, vulnerability management, patching, and change detection.

Call to Action

Customers seeking guidance on achieving, maintaining, and automating compliance in the cloud should reach out to AWS Security Assurance Services (AWS SAS) or their account team. AWS SAS is a PCI QSAC and HITRUST Assessor Firm that can help by tying applicable audit standards to AWS service-specific features and functionality. They can help you build on frameworks such as PCI DSS, HITRUST CSF, NIST, SOC 2, HIPAA, ISO 27001, GDPR, and CCPA. In addition, AWS Professional Services and Advisory can help customers plan and map their compliance journey.

Additional Resources

AWS PCI DSS FAQs
Minimizing the PCI Compliance Burden Using Containerization, Microservices, and AWS
DevSecOps for auto healing PCI DSS 3.2.1 violations in AWS using custom AWS Config conformance packs, AWS Systems Manager and AWS CodePipeline
Payment Card Industry Data Security Standard (PCI DSS) 3.2.1 on AWS
AWS PCI 3DS
Amazon GuardDuty Security Review
The Executives Guide to Cloud Security and Compliance
Architecting Amazon EKS for PCI DSS Compliance
Architecting on Amazon ECS for PCI DSS Compliance

About the authors

Pravita Tolanavar

Pravita Tolanavar is an Advisory Consultant with 10+ years of experience in technology, consulting, risk services, financial services and audit. Pravita leverages this experience to help customers with their cloud adoption and innovation journeys, develop practical cloud strategies, and effectively lead people through the resulting cultural and workplace change.

Ted Tanner

Ted Tanner is a Principal Assurance Consultant and PCI DSS Qualified Security Assessor with AWS Security Assurance Services, and has more than 25 years of IT and security experience. He leverages this to provide AWS customers with guidance on compliance and security, and build and optimize their cloud compliance programs.