Comments on: Cannot achieve PCI compliance with Amazon EC2/S3

By: The 3 Rules of Cloud Compliance | Chaordic Mind

The 3 Rules of Cloud Compliance | Chaordic Mind — Mon, 15 Nov 2010 04:46:20 +0000

[...] 2009, Martin McKeay blogged in response to verbiage from Amazon EC2′s PCI compliance statement that one cannot be compliant in that cloud. I actually think Amazon did the right thing by [...]

By: Network Security Blog » “PCI Compliance” and “Public Cloud” don’t mix

Thu, 25 Feb 2010 05:33:15 +0000

[...] currently ready for merchants and PCI compliance. Amazon knew last year that their EC2 and S3 offerings weren’t going to be able to enable merchants to be compliant. They’re smart enough to admit it and train their staff to understand why their Cloud [...]

By: Cannot achieve PCI compliance with Amazon EC2/S3 « ?????????

Cannot achieve PCI compliance with Amazon EC2/S3 « ????????? — Tue, 18 Aug 2009 10:11:40 +0000

[...] Cannot achieve PCI compliance with Amazon EC2/S3 [...]

By: rob

rob — Sat, 15 Aug 2009 12:08:47 +0000

Doesn’t L2 = onsite by a QSA before 2010 since they probably meet MC definition for L2 validation last month? or better stated they are probably a L1 Service Provider as well which would require on onsite? I think Amazon should change their message and / or response, but it is refreshing to see them be proactive.

By: Martin

Martin — Fri, 14 Aug 2009 23:38:29 +0000

Mike, they couldn’t, that’s the whole point. “Stores, process or transmits” is the mantra of a QSA. The only way you can be PCI Compliant while using EC2 or S3 is by never letting your cardholder data touch those systems in the first place.

Martin

By: Mike Rothman

Mike Rothman — Fri, 14 Aug 2009 21:57:32 +0000

I could be wrong about this, but how could a customer run their entire app in the EC2 cloud, keep the credit card data on their own prem and meet a Level 1 compliance mandate? Wouldn’t processing the data put it within the cloud at some point and thus require the cloud to be subject to an on-site audit?

You’re the QSA, bro. But that would seem to be a problem with that kind of architecture. Not sure how you are architect an application so that no PCI-protected data would ever be in the cloud.

But I have to agree, the honesty is refreshing, but to be clear Amazon makes a LOT more money processing transactions than hosting applications and storage.

Mike
http://blog.eiqnetworks.com
http://blog.securityincite.com

By: Interesting Information Security Bits for 08/14/2009 | Infosec Ramblings

Interesting Information Security Bits for 08/14/2009 | Infosec Ramblings — Fri, 14 Aug 2009 20:25:38 +0000

[...] Looks like the answer to that question has been given and by one of the larger cloud providers. Network Security Blog >> Cannot achieve PCI compliance with Amazon EC2/S3 Tags: ( pci cloud [...]

By: Network Security Blog » Cannot achieve PCI compliance with Amazon … | Hack In The Box

Fri, 14 Aug 2009 17:57:28 +0000

[...] more here: Network Security Blog » Cannot achieve PCI compliance with Amazon … Share and [...]

By: Eric

Eric — Fri, 14 Aug 2009 17:22:46 +0000

Wow, it is really refreshing to see an honest and open approach. I’m sure after all the gossip and disagreement that the braintrust at Amazon probably thought long and hard on what approach they wished to take. I’m just glad they are taking the safe route. Sure you may get a small start-up that processes only a few dozen cards in year one, but what happens when the Digg effect occurs and the next day they become a level-one and are tied to S3? Good for them!