Comments on: A PCI-Compliant Cloud? Not at Amazon

By: Perry Whelan

Perry Whelan — Tue, 28 Dec 2010 21:50:10 +0000

Note: many AWS services (EC2, S3, EBS, & VPC) are now PCI Level 1 compliant. They posted this Dec. 07, 2010:

“Our PCI Service Provider status means that customers who use our services to store, process or transmit cardholder data can rely on our PCI compliance validation for the technology infrastructure as they manage their own compliance and certification, including PCI audits and responses to incidents. Our service provider compliance covers all requirements as defined by PCI DSS for physical infrastructure service providers. Moving the entire cardholder environment to AWS can simplify your own PCI compliance by relying on our validated service provider status.”

Ref.: http://aws.amazon.com/security/pci-dss-level-1-compliance-faqs/

By: Email and sharing – technology planning | L5 Solutions

Email and sharing – technology planning | L5 Solutions — Mon, 04 Jan 2010 15:28:16 +0000

[...] credit card numbers (EC2 and S3)… In fact Amazon has come back to clarify their position on security in the cloud after the initial comments. Hosted Exchange mail with Outlook Anywhere was the first widely [...]

By: A PCI-Compliant Cloud? Not at Amazon « NewServers: Bare Metal Cloud

A PCI-Compliant Cloud? Not at Amazon « NewServers: Bare Metal Cloud — Thu, 22 Oct 2009 12:58:47 +0000

[...] http://www.datacenterknowledge.com/archives/2009/08/19/a-pci-compliant-cloud-not-at-amazon/ [...]

By: “This whole cloud thing”… The Five Big Fallacies surrounding Cloud Computing « chuck.goolsbee.org

Tue, 29 Sep 2009 04:49:15 +0000

[...] 4. Cloud computing can work for any IT need. This is more of an inference to the “everything will move to the cloud” statement I hear so often. There are several IT needs that can not be solved with cloud computing. Meeting audit requirements is one. I’ve written about this fallacy before, and it caused a bit of an uproar. It seemed to be the first time anyone brought this issue up, and it became a hot topic in the cloud blogosphere for a short time. I felt vindicated when a cloud provider admitted what I said was true. [...]

By: Interesting Cloud developments, and other technical news « C# Hacker – The Rambling Coder

Wed, 02 Sep 2009 03:17:13 +0000

[...] A PCI-Compliant Cloud? Not at Amazon [...]

By: People Over Process » The Enterprise Cloud: Who’s ready for who?

People Over Process » The Enterprise Cloud: Who’s ready for who? — Thu, 27 Aug 2009 19:38:23 +0000

[...] has more to do with enterprises being ready for the cloud vs the cloud for it. There was that PCI dust-up last week. But the point is: if enterprises wanted to use Amazon, both sides would figure out how [...]

By: Rick Lebherz

Rick Lebherz — Tue, 25 Aug 2009 19:20:58 +0000

If you need PCI, you can also check out OpSource.
We are a certified Level 1 PCI DSS Compliant provider.
We specialize in SaaS and On-Demand and manage many of today’s largest applications.

By: How to be PCI Compliant in the Cloud | Kavis Technology Consulting

How to be PCI Compliant in the Cloud | Kavis Technology Consulting — Tue, 25 Aug 2009 12:59:14 +0000

[...] has been a lot of talk lately about PCI Compliance in the cloud. Amazon even admitted that PCI Level 1 could not be [...]

By: Mohan Radhakrishnan

Mohan Radhakrishnan — Mon, 24 Aug 2009 02:40:30 +0000

Though PCI regulations might be clear the auditors I have worked with are not really tech-savvy. How do you audit a massive PCI application if you don’t spend time and prod and probe the application to tease out the weak points ?
It looks like if we know about cryptography and basic securiy we don’t need to have a PCI audit at all. Even after the PCI audit a developer of the application can easily pinpoint vulnerabilities. This probably applies to AWS also. I think developers who built the Amazon cloud infrastructure know more about security than PCI demands.

By: Mark MacAuley

Mark MacAuley — Fri, 21 Aug 2009 15:17:04 +0000

Having played in the PCI Space in a previous life, I have some carnal knowledge of some of the issues.

One is data. data at rest, data in motion. Where does it sit physically? how is it moved? what happens when the data is no longer needed? What is the physical and logical security setting for every network, drive, port, and interconnection across the environment?

Another point is access. Who (specifically) has accees to collect, see, store, and change/remove data. Ok now prove it. How about machine to machine, network to network. The issue here is more about whether or not you can prove how secure something is by access control, be it human or machine. The difference between being secure and being compliant. They are not the same.

Levels of vendors. Level 1′s are the big guys – think Target and Walmart. They have budgets for this kind of stuff. Level 4′s are the mom and pop’s of the world who have little if any budgets and are at the highest end of risk profile, yet have the fewest resources to address the risk.

Case in point – a school district I worked with (Level 4) came up with a plan to compute their liability exposure in terms of records and money (based on Ponemon Institute’s cost per record in a breach) and just buy an insurance policy for $100M. This is the neither secure nor compliant. I took care of it for $50K and gave them security and proof.

The application of Cloud services/apps is not geared up very well for a massive scale PCI compliant offering. It’s a bitch – not only to figure out, but to manage and prove, especially on a global basis.