Amazon EC2 Achieves Payment Industry Certification
Level 1 Payment Card Industry-compliant transaction processing systems can now be hosted by Amazon Web Services.
Slideshow: Amazon's Case For Enterprise Cloud Computing
(click image for larger view and for full slideshow)
Amazon Web Services says it is now capable of running Payment Card Industry (PCI) compliant transactions in its cloud infrastructure. The infrastructure is not merely a test-bed or demonstration architecture. It's been certified by a third-party auditor.
"Merchants and other service providers can now run their applications on AWS technology infrastructure to store, process, and transmit credit card information" in Amazon's EC2 cloud, said the company. AWS did not provide details on the nature of its PCI-compliant infrastructure or what customers would do differently to access it. But it said it had been audited and certified by Qualified Security Assessor, a PCI auditor, as meeting Level 1 PCI compliance.
For over a year, experts in cloud services have recognized that the Amazon platform possessed enough inherent security measures to provide a potential PCI-compliant platform. The Cloudiquity blog of Jana Technologies, a technology consulting practice based on Amazon Web Services, was willing to advise AWS customers last year on the steps they could take to build their own architecture inside Amazon, at a Level 2 -- as opposed to Level 1 -- standard of PCI compliance. AWS said Level 1 operation is at a scale of more than 300,000 transactions a year.
But it's only recently that Amazon itself has been willing to claim it can provide infrastructure needed to run transactions at Level 1 PCI compliance. It announced the infrastructure was available Dec. 7 and hasn't yet provided much detail on how customers will be able to access it. Implementation details may await PCI Data Security Standard (DSS) 2.0, which goes into force on Jan. 1. An AWS spokesman was not immediately available to respond to InformationWeek questions.
"Security has always been and will continue to be our number one priority," said Steve Schmidt, AWS chief information security officer, in the Dec. 7 announcement. "By pursuing... the PCI DSS service provider validation, we're able to give customers continued assurance that the AWS cloud is a trustworthy and secure platform on which to build and deploy business-critical applications," the announcement said.
The PCI standard requires secure network connections, encryption of transmitted data, secure data storage, firewalls between servers, antivirus protection, and malware detection, among other things. The PCI Council, which maintains the standard, recently revised it to explicitly allow the operation of virtual machines that have been secured. The Jan. 1 change simplifies the hurdles that need to be met to achieve PCI compliance in a cloud setting.
The standard won't be revised again until 2013, but inclusion of virtual machine operation in the standard will make it easier for the PCI auditing and certifying agencies to approve transaction processing in a secure cloud architecture.
As PCI 2.0 was announced in November, the PCI Council's virtualization working group specified a cloud architecture that it said would meet all the requirements of the 2.0 standard, even though the standard makes no specific reference to a cloud environment.
Chris Richter, VP of security products and services at Savvis, a managed service and cloud service provider, is a member of the working group. He said in an interview that the architecture requires firewalls, encryption, and security measures. It's described in a whitepaper titled, "PCI-Compliant Cloud Reference Architecture." The PCI Standards Council has not endorsed or commented on the white paper.
The working group intended it as an early roadmap to what, until now, has been something of a no-man's land: cloud computing as a shared facility where secure transactions may take place.
Google in the Enterprise SurveyThere's no doubt Google has made headway into businesses: Just 28 percent discourage or ban use of its productivity products, and 69 percent cite Google Apps' good or excellent mobility. But progress could still stall: 59 percent of nonusers distrust the security of Google's cloud. Its data privacy is an open question, and 37 percent worry about integration.