Aug 14 2009

Cannot achieve PCI compliance with Amazon EC2/S3

Published by at 8:22 am under PCI

I’ve long said that, as it currently stands, it’s going to be nearly impossible to become PCI compliant using any of the cloud-based solutions. Scanning, auditing and even the contractual requirements of PCI guarantee that you won’t be able to be compliant if you’re using the cloud. The good thing is that at least Amazon is being perfectly honest about this and is telling their customers that EC2 and S3 aren’t compliant solutions, instead offering up their Flexible Payment Service (FPS) as a way to use their services in a compliant way.

Be wary when looking at a cloud solution for processing or storing your business’s credit card transactions. Not all of the sales people are going to be familiar with the PCI requirements, and they may steer you wrong. They may believe that their solution is perfectly secure and compliant without realizing how difficult the scanning, or even the contractual, requirements are for a company to meet. But best intentions won’t be enough if you’re relying on their solution to secure your transactions and make you compliant.

Here it is, straight from the horse’s mouth. Twice.

Hi,

Thank you for contacting Amazon Web Services. Our payment system is PCI compliant and it is an “alternative payment processing service” meaning your users re-direct to our platform to conduct the payment event using their credit cards or bank accounts. The benefit for you is that we handle all the sensitive customer data so you don’t have to. If you haven’t looked at it, I highly suggest you check out the features and functions of our Flexible Payment Service and our Payment Widgets ( http://aws.amazon.com/fps).

As for PCI level 2 compliance, that requires external scanning via a 3rd party, PCI-approved vendor. It is possible for you to build a PCI level 2 compliant app in our AWS cloud using EC2 and S3, but you cannot achieve level 1 compliance. And you have to provide the appropriate encryption mechanisms and key management processes. If you have a data breach, you automatically need to become level 1 compliant which requires on-site auditing; that is something we cannot extend to our customers. This seems like a risk that could challenge your business; as a best practice, I recommend businesses always plan for level 1 compliance. So, from a compliance and risk management perspective, we recommend that you do not store sensitive credit card payment information in our EC2/S3 system because it is not inherently PCI level 1 compliant. It is quite feasible for you to run your entire app in our cloud but keep the credit card data stored on your own local servers which are available for auditing, scanning, and on-site review at any time.

Regards,

Amazon Web Services
http://aws.amazon.com

and

Hi Jason,

Thanks for contacting us.  I manage sales for AWS in the Southwest Region.

We are excited to hear about your interest in moving to EC2.  We do not and will not provide a written agreement attesting compliance and assuming responsibility for cardholder data.  Please see below for our general guidance on PCI compliance.

From a compliance and risk management perspective, we recommend customers not to store sensitive credit card payment information on EC2/S3 systems as they are not inherently PCI level 1 compliant. It is quite feasible for one to run an entire application in the AWS cloud while keeping the credit card data stored within the local servers at the customer site, which are available for auditing, scanning, and on-site review at any time. As for PCI level 2 compliance, that requires external scanning via a 3rd party, PCI-approved vendor. It is possible for you to build a PCI level 2 compliant app in our AWS cloud using EC2 and S3.

Flexible Payment Service (FPS), which is the AWS payment system, is PCI compliant and it is an “alternative payment processing service”, meaning a customer’s users re-direct to our platform to conduct the payment event using their credit cards or bank accounts.

Let me know if you have any follow-up questions.

Thanks,

<name removed>

Account Manager

Amazon Web Services

http://aws.amazon.com

You can view the full thread on the Amazon site.

10 Responses to “Cannot achieve PCI compliance with Amazon EC2/S3”

  1. Eric on 14 Aug 2009 at 9:22 am

    Wow, it is really refreshing to see an honest and open approach. I’m sure after all the gossip and disagreement that the braintrust at Amazon probably thought long and hard on what approach they wished to take. I’m just glad they are taking the safe route. Sure you may get a small start-up that processes only a few dozen cards in year one, but what happens when the Digg effect occurs and the next day they become a level-one and are tied to S3? Good for them!

  2. […] more here: Network Security Blog » Cannot achieve PCI compliance with Amazon … Share and […]

  3. […] Looks like the answer to that question has been given and by one of the larger cloud providers. Network Security Blog >> Cannot achieve PCI compliance with Amazon EC2/S3 Tags: ( pci cloud […]

  4. Mike Rothman on 14 Aug 2009 at 1:57 pm

    I could be wrong about this, but how could a customer run their entire app in the EC2 cloud, keep the credit card data on their own prem and meet a Level 1 compliance mandate? Wouldn’t processing the data put it within the cloud at some point and thus require the cloud to be subject to an on-site audit?

    You’re the QSA, bro. But that would seem to be a problem with that kind of architecture. Not sure how you can architect an application so that no PCI-protected data would ever be in the cloud.

    But I have to agree, the honesty is refreshing, but to be clear Amazon makes a LOT more money processing transactions than hosting applications and storage.

    Mike
    http://blog.eiqnetworks.com
    http://blog.securityincite.com

  5. Martin on 14 Aug 2009 at 3:38 pm

    Mike, they couldn’t, that’s the whole point. “Stores, process or transmits” is the mantra of a QSA. The only way you can be PCI Compliant while using EC2 or S3 is by never letting your cardholder data touch those systems in the first place.

    Martin

  6. rob on 15 Aug 2009 at 4:08 am

    Doesn’t L2 = onsite by a QSA before 2010, since they probably met the MC definition for L2 validation last month? Or, better stated, they are probably an L1 Service Provider as well, which would require an onsite? I think Amazon should change their message and / or response, but it is refreshing to see them be proactive.

  7. […] Cannot achieve PCI compliance with Amazon EC2/S3 […]

  8. […] currently ready for merchants and PCI compliance.  Amazon knew last year that their EC2 and S3 offerings weren’t going to be able to enable merchants to be compliant.  They’re smart enough to admit it and train their staff to understand why their Cloud […]

  9. […] 2009, Martin McKeay blogged in response to verbiage from Amazon EC2′s PCI compliance statement that one cannot be compliant in that cloud. I actually think Amazon did the right thing by […]

  10. Lelala on 13 Sep 2012 at 2:07 am

    Came across this article due to research on Amazon Payment.
    In PCI compliance it is essential not to store/process the user’s credit card (or other additional private/vulnerable data). Thus, with Amazon Payment you are redirected to their page; the user is entering this sensitive data at Amazon, not at your site – hence you do not need a PCI compliant certificate for your site.
