Proven 11 Step Process for PCI DSS Compliance with Amazon AWS EC2

pcipolicyportal.com – the unquestioned global leader in cloud security policy documents for PCI DSS compliance, and providers of the industry leading Cloud Computing & SaaS PCI Policy Packet Compliance Toolkit for businesses operating the Amazon AWS environment – offers up our own 11 step-process for helping businesses become compliant with the PCI DSS standards while utilizing the Amazon AWS EC2 cloud. More and more businesses are shifting to the cloud – and understandably so, as reduced costs and increased efficiencies can be had – but it’s also important to remember that PCI DSS compliance is a must, so follow our 11-step process:

1. Assess Scope
2. Include a List of Services and Tools
3. Understand the Importance of Documentation
4. Have a Plan for Security Updates
5. Conduct Security Awareness Training
6. Perform a Risk Assessment
7. Provision and Harden Cloud Systems
8. Plan for Incidents
9. You Still Have a Job to Do
10. Purchase our PCI Policy Packet:
11. Hire one of the World’s Top PCI-QSA’s

1. Assess Scope: So, you’re in the Amazon cloud – great – then to a large degree, the cardholder data environment should be relatively straightforward and easy to identify from a scoping perspective. This means it’s now time to put in place a comprehensive asset inventory of all system components in the cloud – the virtual networking devices (i.e., firewalls, routers, etc.), servers (i.e., operating systems and underlying applications), and any other applicable systems. Remember this, all good compliance initiatives, from PCI DSS to HIPAA, FISMA, SOC 1, SOC 2, and more, begin by having a comprehensive list of system components/information systems for scoping purposes.

Additionally, you can’t protect what you don’t know you have – all the more reason for using our industry leading asset inventory spreadsheet contained in our cloud compliance packet that’s available for instant download today at pcipolicyportal.com. Email us at pci@pcipolicyportal.com, or call us at 424-274-19522 to learn more about our products and services.

2. Include a List of Services and Tools: So what exactly is Amazon’s AWS EC2 platform providing – nothing more than an Infrastructure as a Service (IaaS) offering, or are you subscribing to any number of their services that can be utilized and monitored, such as CloudTrail, etc.? It’s important to assess and identity such services as they often form a critical piece of the PCI compliance puzzle.

Some services and tools can assist with PCI compliance, while others – such as database offerings – provide insight as to what’s being used from an infrastructure perspective. Amazon does provide a PCI DSS responsibility matrix, which you can access once you’re a customer, but again, what is actually covered depends on the services being provided to you by Amazon.

Keep in mind that Amazon AWC employs a concept known as the “Shared Responsibility Model”, which can be found here: https://aws.amazon.com/compliance/shared-responsibility-model/.

What this essentially means is that both parties are responsible for security, with Amazon providing resources and security for its AWS global infrastructure – specifically – its regions, availability zones and edge locations, along with compute, storage, database and networking regions. That means that you, the customer, is responsible for many other elements of your actual cloud platform. Luckily, however, Amazon provides numerous tools for managing your cloud infrastructure.

3. Understand the Importance of Documentation: From cloud-based platforms – such as Amazon – to traditional client-server environments – information security policies and procedures are a BIG part of PCI DSS compliance. In fact, they’re a big part of ALL of today’s growing compliance mandates, and it’s why obtaining a comprehensive, high-quality set of policy templates is now more important than ever. pcipolicyportal.com is the unquestioned global leader offering the very best Cloud Computing & SaaS PCI Policy Packet Compliance Toolkit, and compliance packets for instant download.

And while PCI DSS compliance – particularly in the cloud with Amazon – is technical indeed, the documentation aspect – specifically, policies and procedures – is just as important, and often just as time-consuming in terms of development. Even with Amazon sharing or outright owning responsibility for a number of the PCI DSS requirements, extensive documentation in the form of policies and procedures is still required. Qualified Security Assessors (QSA) – individuals responsible for certifying PCI DSS compliance – will request such documentation, no question about it, so be prepared.

To be clear, the need for policies and procedures for PCI DSS compliance is very important, yet just purchasing standard templates is not enough – why – because you need policies, procedures, forms, checklists, templates, and other documentation that not only maps directly to the actual PCI DSS standards, but for Amazon cloud computing.

If you don’t obtain such material, then you’re just spending dozens upon dozens of hours customizing general templates. It’s exactly why pcipolicyportal.com developed the Cloud Computing & SaaS PCI Policy Packet Compliance Toolkit and it’s available for instant download today. If you’re in the Amazon cloud and need to become PCI DSS compliant, this is the toolkit for you!

4. Have a plan for Security Updates: Patch management is an important component of PCI DSS compliance – and it’s a security best practice every business should be performing – which means developing a comprehensive plan. Amazon can’t do everything for you, and it’s ultimately your responsibility to ensure patches are being applied to all critical system components – specifically – the virtual instances and the underlying applications residing on them.

See “Managing Software on Your Linux Instance” at http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/managing-software.html and “Updating Your Windows Instance” at http://docs.aws.amazon.com/AWSEC2/latest/WindowsGuide/windows-ami-version-history.html#update-windows-instance

5. Conduct Security Awareness Training: While security awareness training is a strict mandate for PCI DSS compliance, it’s a heck of a good practice that every merchant and service provider should be undertaking, and annually. Think about it – how best does a business protect its assets – by training and educating employees on security best practices.

Amazon obviously does not provide security awareness training for merchants and service providers – but we do, with our Cloud Computing & SaaS PCI Policy Packet Compliance Toolkit – so visit pcipolicyportal.com to learn more today. Thousands of cloud businesses have turned to the experts at pcipolicyportal.com for industry leading documentation, and so should you.

6. Perform a Risk Assessment: Knowing what types of risks your business can be exposed to – and the impact they can have – is not only a critical component of PCI DSS compliance, it’s also a fundamental best practice every entity should be performing. How about the risks associated with hosting in the cloud – particularly with AWS EC2 – and the relevant risk mitigation measures you should be employing?

Do you really know the risks that could impact your business without ever performing a true risk assessment, one that looks at all issues, both operationally and from I.T. perspective? If not, you need to be undertaking such measures on an annual basis. Use our documentation, it’s simply the best material available online. Call us today at 424-274-1952 to learn more.

7. Provision and Harden Cloud Systems: Many of the actual PCI DSS requirements mandate that merchants and service providers perform a number of essential hardening and security practices, such as removing default accounts to using various security tools for monitoring. While Amazon AWS provides many of these tools, they have to be configured and enabled by YOU, so keep this in mind. Luckily, Amazon AWS provides an extensive library of documents and white papers for helping businesses understand the steps to take for such initiatives.

Most businesses build a baseline server model, then simply “spin” up another server when new space or services are needed. That’s great for efficiency, but it also means you’ll want to spend time correctly configuring that first server image, thereby not having to go back after the fact and re-configure all servers because of something that was missed. A well-trained engineer should take the time to source the high-quality server hardening documents, using them throughout the build process for ensuring nothing was left out in terms of hardening best practices.

8. Plan for Incidents: From malicious hackers to other nefarious and unlawful tactics, the bad guys are everywhere, and it’s why you’ll need to have a comprehensive incident response plan in place for containing any threats to your infrastructure. Sure, Amazon will be doing what they can, but so can you, as it’s your environment in the end. Our Cloud Computing & SaaS PCI Policy Packet Compliance Toolkit comes complete with an in-depth incident response plan program, one that’s easy to implement. Visit pcipolicyportal.com to learn more today.

9. You Still Have a Job to Do: Just because you’re in Amazon’s cloud doesn’t mean you’re removed from regulatory compliance – not at all – but they do have tools for helping manage PCI DSS certification. For starters, Requirement 9 and other notable areas are generally out of scope for your report as Amazon provides such services (Besides, Amazon does not reveal their data center locations and will NOT let you visit them anyways).

As such, Amazon employs a concept known as the “Shared Responsibility Model”, which essentially details the following: (1). Security measures that the cloud service provider (AWS) implements and operates – “security of the cloud” (2). Security measures that the customer implements and operates, related to the security of customer content and applications that make use of AWS services – “security in the cloud”. AWS basically adheres to the practice that they manage security “of” the cloud, but you manage security “in” the cloud. Our documents have been developed in accordance with this practice.

10. Purchase our PCI Policy Packet: Looking for an easy-to-use, well-developed set of information security policies and procedures for PCI compliance in the Amazon cloud? Then look no further than the expert documentation from the global PCI DSS policy experts at pcipolicyportal.com. We’ll save you thousands of dollars on costly compliance templates – no question about it – so download your packet today and get started.

11. Hire one of the World’s Top PCI-QSA’s: We have one of the most proven, trusted PCI-QSA’s o our staff, an individual with over a decade of experience in helping businesses become – and stay – PCI DSS compliant. If you’re looking for true expertise and expert recommendations from someone who knows the PCI DSS standards inside and out, then contact us today to set up a complimentary phone consultation.

Hiring a PCI-QSA is highly recommended for merchants and service providers new to the world of PCI DSS compliance, or simply need help navigating the complexities of the Payment Card Industry Data Security Standards. We’re here to help, so reach out to us.

Since 2009, Materdei Consulting, LLC has been helping merchants and service providers all throughout the globe in becoming complaint with the Payment Card Industry Data Security Standards (PCI DSS), and we can assist you also! Whatever your needs are in the cloud, from a PCI DSS scoping & readiness assessment to policy writing, assistance with the SAQ documents – and more – we’re ready to help. Untold numbers of companies are using the Amazon AWS infrastructure for storing, processing, and transmitting cardholder data, so contact us today to learn more at pci@pcipolicyportal.com.

We Can Write Your PCI Policies Also

Additionally, pcipolicyportal.com also offers customized policy writing services if you want us to take your documentation to the next level in terms of quality and applicability to your organization. If you don’t have the time, energy or resources for writing PCI policies and procedures, then considering turning to the experts. Since 2009, we’ve been authoring PCI policies and procedures for clients all around the globe, so call us today at 424-274-1952 to learn more.

Do you really have time to author over 50 + PCI policy templates – if not – then let us do the writing for you today! After all, who better to write your PCI DS information security policies and procedures than the firm who’s internationally known and recognized in terms of providing the very best templates and forms found anywhere?

That firm is Materdei Consulting, LLC, so visit pcipolicyportal.com today and begin the process of becoming PCI DSS complaint today. The PCI DSS mandates here to stay, so now’s the time to get compliant. Email us at pci@pcipolicyportal.com, or call us at 424-274-19522 to learn more about our products and services.

pcipolicyportal.com | Leaders for Amazon AWS ECS PCI DSS Documentation

Materdei Consulting, LLC – the founders of pcipolicyportal.com – have been deeply involved in cloud compliance before anybody really knew of the “cloud”, developing documentation for helping streamline the time-consuming process of policy and procedure development. We now have turned our attention to Amazon AWS, developing documentation that’s truly second to none.

FREE 15 Minute

PCI DSS Consultation

Talk with a licensed team member and get your PCI questions answered

No thank you, I don't have any PCI compliance questions

Book a FREE 15 Minute

PCI DSS Consultation

Talk with a licensed PCI QSA and get your compliance questions answered

100% No Cost & No Obligation