Amazon EC2 Achieves Payment Industry Certification

Slideshow: Amazon's Case For Enterprise Cloud Computing

Amazon Web Services says it is now capable of running Payment Card Industry (PCI) compliant transactions in its cloud infrastructure. The infrastructure is not merely a test-bed or demonstration architecture. It's been certified by a third-party auditor.

"Merchants and other service providers can now run their applications on AWS technology infrastructure to store, process, and transmit credit card information" in Amazon's EC2 cloud, said the company. AWS did not provide details on the nature of its PCI-compliant infrastructure or what customers would do differently to access it. But it said it had been audited and certified by Qualified Security Assessor, a PCI auditor, as meeting Level 1 PCI compliance.

For over a year, experts in cloud services have recognized that the Amazon platform possessed enough inherent security measures to provide a potential PCI-compliant platform. The Cloudiquity blog of Jana Technologies, a technology consulting practice based on Amazon Web Services, was willing to advise AWS customers last year on the steps they could take to build their own architecture inside Amazon, at a Level 2 -- as opposed to Level 1 -- standard of PCI compliance. AWS said Level 1 operation is at a scale of more than 300,000 transactions a year.

But it's only recently that Amazon itself has been willing to claim it can provide infrastructure needed to run transactions at Level 1 PCI compliance. It announced the infrastructure was available Dec. 7 and hasn't yet provided much detail on how customers will be able to access it. Implementation details may await PCI Data Security Standard (DSS) 2.0, which goes into force on Jan. 1. An AWS spokesman was not immediately available to respond to InformationWeek questions.

"Security has always been and will continue to be our number one priority," said Steve Schmidt, AWS chief information security officer, in the Dec. 7 announcement. "By pursuing... the PCI DSS service provider validation, we're able to give customers continued assurance that the AWS cloud is a trustworthy and secure platform on which to build and deploy business-critical applications," the announcement said.

The PCI standard requires secure network connections, encryption of transmitted data, secure data storage, firewalls between servers, antivirus protection, and malware detection, among other things. The PCI Council, which maintains the standard, recently revised it to explicitly allow the operation of virtual machines that have been secured. The Jan. 1 change simplifies the hurdles that need to be met to achieve PCI compliance in a cloud setting.

The standard won't be revised again until 2013, but inclusion of virtual machine operation in the standard will make it easier for the PCI auditing and certifying agencies to approve transaction processing in a secure cloud architecture.

As PCI 2.0 was announced in November, the PCI Council's virtualization working group specified a cloud architecture that it said would meet all the requirements of the 2.0 standard, even though the standard makes no specific reference to a cloud environment.

Chris Richter, VP of security products and services at Savvis, a managed service and cloud service provider, is a member of the working group. He said in an interview that the architecture requires firewalls, encryption, and security measures. It's described in a whitepaper titled, "PCI-Compliant Cloud Reference Architecture." The PCI Standards Council has not endorsed or commented on the white paper.

The working group intended it as an early roadmap to what, until now, has been something of a no-man's land: cloud computing as a shared facility where secure transactions may take place.