Amazon EC2 Achieves Payment Industry Certification
Level 1 Payment Card Industry-compliant transaction processing systems can now be hosted by Amazon Web Services.
Amazon Web Services says it is now capable of running Payment Card Industry (PCI) compliant transactions in its cloud infrastructure. The infrastructure is not merely a test-bed or demonstration architecture. It's been certified by a third-party auditor.
"Merchants and other service providers can now run their applications on AWS technology infrastructure to store, process, and transmit credit card information" in Amazon's EC2 cloud, said the company. AWS did not provide details on the nature of its PCI-compliant infrastructure or what customers would do differently to access it. But it said it had been audited and certified by Qualified Security Assessor, a PCI auditor, as meeting Level 1 PCI compliance.
For over a year, experts in cloud services have recognized that the Amazon platform possessed enough inherent security measures to provide a potential PCI-compliant platform. The Cloudiquity blog of Jana Technologies, a technology consulting practice based on Amazon Web Services, was willing to advise AWS customers last year on the steps they could take to build their own architecture inside Amazon, at a Level 2 -- as opposed to Level 1 -- standard of PCI compliance. AWS said Level 1 operation is at a scale of more than 300,000 transactions a year.
But it's only recently that Amazon itself has been willing to claim it can provide infrastructure needed to run transactions at Level 1 PCI compliance. It announced the infrastructure was available Dec. 7 and hasn't yet provided much detail on how customers will be able to access it. Implementation details may await PCI Data Security Standard (DSS) 2.0, which goes into force on Jan. 1. An AWS spokesman was not immediately available to respond to InformationWeek questions.
"Security has always been and will continue to be our number one priority," said Steve Schmidt, AWS chief information security officer, in the Dec. 7 announcement. "By pursuing... the PCI DSS service provider validation, we're able to give customers continued assurance that the AWS cloud is a trustworthy and secure platform on which to build and deploy business-critical applications," the announcement said.
The PCI standard requires secure network connections, encryption of transmitted data, secure data storage, firewalls between servers, antivirus protection, and malware detection, among other things. The PCI Council, which maintains the standard, recently revised it to explicitly allow the operation of virtual machines that have been secured. The Jan. 1 change lowers the hurdles to achieving PCI compliance in a cloud setting.
The standard won't be revised again until 2013, but inclusion of virtual machine operation in the standard will make it easier for the PCI auditing and certifying agencies to approve transaction processing in a secure cloud architecture.
As PCI 2.0 was announced in November, the PCI Council's virtualization working group specified a cloud architecture that it said would meet all the requirements of the 2.0 standard, even though the standard makes no specific reference to a cloud environment.
Chris Richter, VP of security products and services at Savvis, a managed service and cloud service provider, is a member of the working group. He said in an interview that the architecture requires firewalls, encryption, and security measures. It's described in a white paper titled "PCI-Compliant Cloud Reference Architecture." The PCI Standards Council has not endorsed or commented on the white paper.
The working group intended it as an early roadmap to what, until now, has been something of a no-man's land: cloud computing as a shared facility where secure transactions may take place.