As a business that handles credit card payments, the Payment Card Industry Data Security Standard (PCI DSS) matters to you and to your customers. Not only is PCI compliance required for businesses like yours, but because it helps to prevent credit card fraud, both your business and your clients can be confident that their credit card data is secure.


However, making sure that your business is in line with PCI compliance requirements can be a tricky and complicated task. In a nutshell, to be compliant you have to build and maintain a secure network, maintain a vulnerability management program, maintain an information security policy, and test and monitor all of these regularly.

That's where Amazon Web Services (AWS) might come in. Designed to support any workload, AWS offers a range of cloud-based services that your business can benefit from. Essentially, Amazon has developed a series of web services in a validated and compliant manner in order to support its customers' compliance programs, reducing the burden of PCI DSS on them.

Through the range of services offered by Amazon Web Services, organisations that need PCI DSS compliance can focus their attention on a somewhat reduced set of requirements. For example, a fully AWS-based infrastructure removes the need to validate the physical security requirements yourself.

They are easy to use

More than a dozen AWS services are PCI DSS compliant, including Amazon EC2, Amazon VPC and the Amazon Simple Storage Service (S3), validated by a QSA company.

Amazon VPC and Amazon EC2 are the minimum set of services to use when you need PCI DSS compliance. Thanks to the way Amazon has designed those tools, putting in place a segregated and layered infrastructure is much easier, compared with the cost typically incurred to comply with requirements 1 and 4 of PCI DSS.

Additionally, you can benefit from fast, low-cost cloud storage, relational and non-relational databases that are easy to use and configure, and CloudFormation, which lets you build your infrastructure in a matter of clicks from predefined templates. While you may not need everything on offer, the suite of tools is comprehensive and is likely to have almost everything you need.
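As an added illustration (not from the article or from Advantio), the following CloudFormation template sketches the segregated, layered layout this section describes: one VPC with separate subnets and security groups that allow each tier to accept traffic only from the tier in front of it. Resource names, CIDR ranges and ports are constructed for the example; the internet gateway, route tables and network ACLs that a real deployment also needs are omitted.

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Description: Constructed example of a layered VPC for in-scope PCI DSS hosts
Resources:
  CdeVpc:
    Type: AWS::EC2::VPC
    Properties:
      CidrBlock: 10.0.0.0/16        # constructed address space
      EnableDnsSupport: true
      EnableDnsHostnames: true
  PublicSubnet:                     # web/proxy tier (internet-facing once routed)
    Type: AWS::EC2::Subnet
    Properties:
      VpcId: !Ref CdeVpc
      CidrBlock: 10.0.1.0/24
  PrivateSubnet:                    # application and database hosts; no public route
    Type: AWS::EC2::Subnet
    Properties:
      VpcId: !Ref CdeVpc
      CidrBlock: 10.0.2.0/24
  WebSg:                            # only HTTPS reaches the web tier
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: Web tier, HTTPS only
      VpcId: !Ref CdeVpc
      SecurityGroupIngress:
        - IpProtocol: tcp
          FromPort: 443
          ToPort: 443
          CidrIp: 0.0.0.0/0
  AppSg:                            # app tier accepts traffic only from WebSg
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: App tier, reachable only from the web tier
      VpcId: !Ref CdeVpc
      SecurityGroupIngress:
        - IpProtocol: tcp
          FromPort: 8443              # constructed internal TLS port
          ToPort: 8443
          SourceSecurityGroupId: !Ref WebSg
  DbSg:                             # database tier accepts traffic only from AppSg
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: Database tier, reachable only from the app tier
      VpcId: !Ref CdeVpc
      SecurityGroupIngress:
        - IpProtocol: tcp
          FromPort: 5432
          ToPort: 5432
          SourceSecurityGroupId: !Ref AppSg
```

Referencing a security group rather than a CIDR in each ingress rule keeps the tier boundaries intact even when instance addresses change, which is what an assessor will look for when checking segmentation.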

What are the challenges?

The most important thing to remember about Amazon Web Services is that it does not handle the security of your software, from your applications down to, strictly speaking, your operating systems. The software that you release to your users remains your responsibility and is not automatically compliant. Amazon only takes care of a clearly defined set of requirements, so it is up to you to cover the rest in order to guarantee full security to your customers.

In addition, one of Amazon Web Services' biggest benefits may actually be a risk: overreliance on it. It is very easy to become enamoured with AWS, as it handles lots of things for you and is incredibly simple to use. As a result, you migrate and develop your software so that it works with AWS tools and systems, and migrating to a different environment in the future might then be difficult.

This may not even be a con for those who plan on sticking with AWS for the long haul, but for those who have big moving plans further down the line, this is something to keep in mind.

Who can benefit from using AWS?

Amazon Web Services works best for small and medium-sized enterprises (SMEs). Under EU law, SMEs are companies with between 10 and 250 employees and an annual turnover of between €2 million and €50 million, so if that describes your business, AWS is probably a good fit.

AWS is also recommended if your team needs assistance with scalability or if they would like an Agile approach to their infrastructure. Scalability is one of the key points of AWS as it accommodates growing workloads with ease and is ideal when handling sustainable growth.

You wouldn't want to achieve massive growth and be stuck with a network that can't handle it. With that said, companies that already have a scalability solution in place may not want to use AWS, as there is little point in moving to a service whose main selling point is the same future-proofing.

Furthermore, if your company has a complex structure in place or maintains its own data centres, AWS is not advised for you. Although its services are easy to learn, you would have to unlearn the methods that you are already using.

Are you thinking of switching to Amazon?

There are two ways that we can help you with AWS here at Advantio.

On the one hand, we can help you to migrate your company to AWS (all of our own services are integrated, apart from our website). On the other, as a QSA we can validate the strength of your security, which will help you achieve PCI certification.

Please get in touch today if you would like us to help you. 

About this Post

The content of this article was prompted by an interview with Francesco Consiglio, CTO at Advantio. I put some questions to him about AWS and how compliance is managed within this powerful cloud-based service. His valuable overview and experience are the foundations on which the content of this article has been written.

Written by Igor Mancini

Marketing Director at Advantio. The articles published in the Advantio Blog have the goal of supporting our mission: making IT Security simple for everyone.

My intention is to discuss IT Security related topics through the eyes of a non-technical person, speaking a simple language and trying to show readers the benefits of IT Security best practices.