A PCI-Compliant Cloud? Not at Amazon


There’s an ongoing debate about the ability of cloud computing services to meet enterprise regulatory compliance requirements, including the Payment Card Industry Data Security Standard (PCI DSS) standard that is essential for e-commerce. Martin McKeay at the Network Security Blog recently highlighted the admission by one of the most popular cloud services, Amazon Web Services, that it does not support the highest levels of PCI compliance.

“From a compliance and risk management perspective, we recommend that you do not store sensitive credit card payment information in our EC2/S3 system because it is not inherently PCI level 1 compliant,” an Amazon representative told a customer in an exchange that was posted on an AWS web forum. A key issue is that PCI auditors are unable to inspect Amazon’s data centers. (Read on for additional information from Amazon on this issue).

McKeay’s post has prompted a fresh round of discussion of cloud computing’s ability to support PCI DSS, even as recent data breaches have raised questions about the value of PCI compliance.

“PCI compliance doesn’t automatically make a site safe,” writes Lori McVittie of F5 Networks. “Lack of PCI compliance doesn’t make EC2 unsafe, either. It means it isn’t compliant with the policies designated by the PCI council for handling credit card transactions and sensitive data. And, if we look past the hand-waving, we’ll find that Amazon admits you can’t build a PCI Level 1 compliant application using EC2 and S3, but you can build a PCI Level 2 compliant application.”

Amazon’s admission may not make it unsafe, but the way in which it was revealed is a reminder of why confusion persists about support for key compliance standards by some cloud services. Amazon’s ability to support PCI for its cloud computing customers has been questioned before, and was typically met with a vague statement about Amazon’s “commitment to provide a secure, world-class cloud computing environment.” This time the question was posed in a forum thread. Amazon didn’t respond directly on the thread, but the customer posted an email response.

UPDATE: Amazon spokesperson Kay Kinton has followed up with some comments and perspective on this discussion. “It’s important to recognize that PCI compliance is dependent on how a particular merchant uses a hosted solution like AWS and should not be linked to the overall security of AWS’ services,” Kinton writes. “Under the PCI Data Security Standard, merchants regardless of their size are independently responsible for complying with PCI when they collect, process or store credit card information. When using a shared hosting service, like AWS, where the merchant controls what credit card information touches the service, the merchant is responsible for using the services in a manner that permits them to be PCI compliant, such as the proper use of encryption and key management. Therefore, it is possible for a merchant to use Amazon EC2 and Amazon S3 and meet PCI compliance standards depending on their specific implementation.

“For customers who don’t have the expertise, time or otherwise don’t want the responsibility of managing a fully compliant payments application, the customer can use our web service for payments, the Amazon Flexible Payments Service (Amazon FPS), or use solutions offered by Amazon Payments (such as Checkout by Amazon),” Kinton adds. “While these solutions address the specific needs for some customers, it does not mean that it is the only means of using Amazon Web Services in a completely compliant manner.”

Amazon is an important player in cloud computing, but its capabilities aren’t representative of all cloud services. As we’ve previously noted, several providers say they have achieved certifications for customers using cloud platforms. These include Terremark Worldwide (TMRK) which describes its Enterprise Cloud platform as “certified as PCI DSS Compliant,” and Savvis Inc. (SVVS), which offers a version of its just-in-time utility computing platform that is customized for online retailers and includes PCI solutions. For further reading, see Cloud Computing and PCI Security, a review of the topic by Michael Dahn of the PCI Blog. Dahn compares the current debate to earlier concerns about compliance in a virtualized environment.

Meanwhile, security publications have noted a recent incident in which a PCI-compliant provider, web host Network Solutions, suffered an intrusion and data breach that compromised more than 4,300 customer sites and approximately 573,928 individuals’ credit card information.

About the Author

Rich Miller is the founder and editor at large of Data Center Knowledge, and has been reporting on the data center sector since 2000. He has tracked the growing impact of high-density computing on the power and cooling of data centers, and the resulting push for improved energy efficiency in these facilities.


19 Comments

  1. Tom

    You'd have to be INSANE to think that a "cloud" could be secured without many heavy duty layers. The lack of PCI compliance for EC2 will hopefully be a wakeup call for people pretending that this stuff works...

  2. It is surprising how much publicity the negative news gets. I think we should respect Amazon's honesty when it comes to security compliance of their cloud platform.

  3. Jim

    I do not believe you can even build a PCI Level 2 compliant application in the EC2/S3 environment. To be Level 2 compliant you need to complete the PCI Self-Assessment Questionnaire. PCI requirement 12.8.2 is in the questionnaire, which would require AWS to provide a written agreement that includes an acknowledgment that the service provider (AWS) is responsible for the security of the cardholder data the service provider possesses. AWS stated on this AWS web forum that they do not and will not provide this acknowledgement. I believe the bottom line is that no card data can be processed or stored in the EC2/S3 environment. If this is done, PCI is not relevant.

  4. For clients that want to continue to use cloud-based services such as Amazon EC2, tokenizing sensitive data before storing it into the cloud is certainly an option - see www.nubridges.com/tokenization for more details. This would take the cloud out of PCI DSS scope.

  5. Vidur Apparao

    I believe it's important not to paint all Cloud-based systems with the same brush. Cloud-based development platforms, such as AWS, may offer different services or components, each with their own security and compliance capabilities. The PCI DSS Level 1 framework is divided into 12 different security domains some of which are just common sense security policies and should apply to any service or site, and others that are specific to storage of card data and may be too onerous for a generic cloud-based deployment or storage system. As the follow-up suggests, specific services related to payment and secure storage may be more appropriate for specific compliance needs. Cloud-based applications (aka Software-as-a-Service applications) definitely can be built to be PCI DSS Level 1 compliant. The LiveOps On-Demand Contact Center Platform (http://www.liveops.com/on-demand-contact-center/index.html), for example, implements all 12 domains of PCI - both the standard, common-sense policies, as well as the more specific requirements when handling payment data. As Lori McVittie says in the article, the fact that EC2 and S3 themselves are not PCI compliant doesn't make them unsafe. And, in fact, it's not clear that PCI compliance should be an expectation of a generic cloud-based service. However, it does make sense to expect PCI compliance for specific services or applications that are built to deal with payment, secure storage, and fulfillment. --Vidur Apparao CTO, LiveOps Inc.

  6. Having played in the PCI space in a previous life, I have some carnal knowledge of some of the issues. One is data: data at rest, data in motion. Where does it sit physically? How is it moved? What happens when the data is no longer needed? What is the physical and logical security setting for every network, drive, port, and interconnection across the environment? Another point is access. Who (specifically) has access to collect, see, store, and change/remove data? OK, now prove it. How about machine to machine, network to network? The issue here is more about whether or not you can prove how secure something is by access control, be it human or machine. The difference between being secure and being compliant: they are not the same. Levels of vendors: Level 1's are the big guys - think Target and Walmart. They have budgets for this kind of stuff. Level 4's are the mom and pop's of the world who have little if any budget and are at the highest end of the risk profile, yet have the fewest resources to address the risk. Case in point - a school district I worked with (Level 4) came up with a plan to compute their liability exposure in terms of records and money (based on the Ponemon Institute's cost per record in a breach) and just buy an insurance policy for $100M. This is neither secure nor compliant. I took care of it for $50K and gave them security and proof. The application of cloud services/apps is not geared up very well for a massive-scale PCI compliant offering. It's a bitch - not only to figure out, but to manage and prove, especially on a global basis.

  7. Mohan Radhakrishnan

    Though PCI regulations might be clear, the auditors I have worked with are not really tech-savvy. How do you audit a massive PCI application if you don't spend time and prod and probe the application to tease out the weak points? It looks like if we know about cryptography and basic security we don't need to have a PCI audit at all. Even after the PCI audit a developer of the application can easily pinpoint vulnerabilities. This probably applies to AWS also. I think the developers who built the Amazon cloud infrastructure know more about security than PCI demands.

  8. If you need PCI, you can also check out OpSource. We are a certified Level 1 PCI DSS Compliant provider. We specialize in SaaS and On-Demand and manage many of today's largest applications.

  9. Perry Whelan

    Note: many AWS services (EC2, S3, EBS, & VPC) are now PCI Level 1 compliant. They posted this Dec. 07, 2010: “Our PCI Service Provider status means that customers who use our services to store, process or transmit cardholder data can rely on our PCI compliance validation for the technology infrastructure as they manage their own compliance and certification, including PCI audits and responses to incidents. Our service provider compliance covers all requirements as defined by PCI DSS for physical infrastructure service providers. Moving the entire cardholder environment to AWS can simplify your own PCI compliance by relying on our validated service provider status.” Ref.: http://aws.amazon.com/security/pci-dss-level-1-compliance-faqs/

  10. Here is an article that I have written on this subject: http://storefrontbacktalk.com/securityfraud/thinking-of-using-amazon-cloud-and-being-pci-compliant-think-again

  11. In PCI compliance, it is essential not to store/process the user's credit card (or other additional private/vulnerable data). If you do not post back the data to your site (in any way), meaning the user is redirected somewhere, there is no need for being PCI compliant.