12/13/2010
09:58 PM

Amazon EC2 Achieves Payment Industry Certification

Level 1 Payment Card Industry-compliant transaction processing systems can now be hosted by Amazon Web Services.

Amazon Web Services says it is now capable of running Payment Card Industry (PCI) compliant transactions in its cloud infrastructure. The infrastructure is not merely a test-bed or demonstration architecture. It's been certified by a third-party auditor.

"Merchants and other service providers can now run their applications on AWS technology infrastructure to store, process, and transmit credit card information" in Amazon's EC2 cloud, said the company. AWS did not provide details on the nature of its PCI-compliant infrastructure or what customers would do differently to access it. But it said it had been audited and certified by a Qualified Security Assessor, a PCI auditor, as meeting Level 1 PCI compliance.

For over a year, experts in cloud services have recognized that the Amazon platform possessed enough inherent security measures to provide a potential PCI-compliant platform. The Cloudiquity blog of Jana Technologies, a technology consulting practice based on Amazon Web Services, was willing to advise AWS customers last year on the steps they could take to build their own architecture inside Amazon, at a Level 2 -- as opposed to Level 1 -- standard of PCI compliance. AWS said Level 1 operation is at a scale of more than 300,000 transactions a year.

But it's only recently that Amazon itself has been willing to claim it can provide infrastructure needed to run transactions at Level 1 PCI compliance. It announced the infrastructure was available Dec. 7 and hasn't yet provided much detail on how customers will be able to access it. Implementation details may await PCI Data Security Standard (DSS) 2.0, which goes into force on Jan. 1. An AWS spokesman was not immediately available to respond to InformationWeek questions.

"Security has always been and will continue to be our number one priority," said Steve Schmidt, AWS chief information security officer, in the Dec. 7 announcement. "By pursuing... the PCI DSS service provider validation, we're able to give customers continued assurance that the AWS cloud is a trustworthy and secure platform on which to build and deploy business-critical applications," the announcement said.

The PCI standard requires secure network connections, encryption of transmitted data, secure data storage, firewalls between servers, antivirus protection, and malware detection, among other things. The PCI Council, which maintains the standard, recently revised it to explicitly allow the operation of virtual machines that have been secured. The Jan. 1 change lowers the hurdles that must be cleared to achieve PCI compliance in a cloud setting.

The standard won't be revised again until 2013, but inclusion of virtual machine operation in the standard will make it easier for the PCI auditing and certifying agencies to approve transaction processing in a secure cloud architecture.

As PCI 2.0 was announced in November, the PCI Council's virtualization working group specified a cloud architecture that it said would meet all the requirements of the 2.0 standard, even though the standard makes no specific reference to a cloud environment.

Chris Richter, VP of security products and services at Savvis, a managed service and cloud service provider, is a member of the working group. He said in an interview that the architecture requires firewalls, encryption, and security measures. It's described in a white paper titled "PCI-Compliant Cloud Reference Architecture." The PCI Standards Council has not endorsed or commented on the white paper.

The working group intended it as an early roadmap to what, until now, has been something of a no-man's land: cloud computing as a shared facility where secure transactions may take place.
