PCI DSS Compliance Checklist on AWS


Achieving PCI DSS compliance involves more than filling out a stack of documents or installing a simple firewall. What is PCI compliance, then? Luckily, you have come to the right place: this is the PCI DSS Compliance Checklist for the AWS Cloud.

This PCI DSS Compliance Checklist is based on the 12 core requirements of the PCI DSS and corresponds in detail to the latest version, 3.2.1, of the PCI DSS standard. The PCI DSS (Payment Card Industry Data Security Standard) was developed to set data protection obligations for companies that store, process or transmit card data, and the PCI DSS requirements are the path to meeting them.

If you are reading this PCI Compliance Checklist, I assume you are looking to make your app PCI compliant on AWS. I am glad you are, because this checklist can help any app become PCI compliant on AWS across the different PCI compliance levels.

First of all, I recommend going through this resource, which provides a complete introduction to PCI compliance on AWS: it explains what PCI compliance means and presents a standardized architecture on the AWS Cloud.

Why is the PCI Compliance Checklist important?

Everyone expects a secure process when making a credit card transaction. Nobody wants their data to be stolen. The PCI DSS compliance standards focus on maintaining payment security for businesses that store, process or transmit cardholder data, and they cover the technical and operational requirements for accepting or processing payment transactions.

I am completely sure that this PCI checklist will be really helpful for you. I hope you can enjoy it as much as I did!

PCI DSS Checklist: Security Goals & Requirements

We are sure this resource will help you build more robust apps on AWS and offer the reliability your customers expect. By achieving the six goals stated by PCI, you will get bulletproof systems prepared for the significant demands of the market.

Each of the following security goals is subdivided into requirements, forming a complete set of 12 security controls that you need to integrate with AWS so that your apps comply with this PCI DSS Compliance Checklist. In total there are 6 security goals and 12 requirements that every company should follow in order to become fully compliant on the AWS Cloud.

This PCI DSS Compliance Checklist is based on 6 specific security goals:

1. Build and Maintain a Secure Network and Systems

Requirement 1: Install and maintain a firewall configuration to protect the cardholder data.
Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters.

2. Protect the Cardholder Data

Requirement 3: Protect stored cardholder data.
Requirement 4: Encrypt transmission of cardholder data across public networks.

3. Maintain a Vulnerability Management Program

Requirement 5: Protect all systems against malware and regularly update antivirus software or programs.
Requirement 6: Develop and maintain secure systems and applications.

4. Implement Strong Access Control Measures

Requirement 7: Restrict access to cardholder data by business need-to-know.
Requirement 8: Identify and authenticate access to system components.
Requirement 9: Restrict physical access to cardholder data.

5. Regularly Monitor and Test Networks

Requirement 10: Track and monitor all access to network resources and cardholder data.
Requirement 11: Regularly test security systems and processes.

6. Maintain an Information Security Policy

Requirement 12: Maintain a policy that addresses information security for all personnel.

PCI DSS Compliance Checklist

For each PCI requirement, this checklist lists two categories of items: the Tech side and the Docs side.

Tech side: the technologies, tools, network controls and similar measures that you should integrate into your AWS infrastructure to protect your information assets.

Docs side: the documented processes and configurations that PCI DSS requires in order to back up your security posture and to make visible to all your stakeholders why your application is secure and reliable.

1. Build and Maintain a Secure Network and Systems

Requirement 1: Install and maintain a firewall configuration to protect the cardholder data.

Tech side:

  • Configure the AWS Web Application Firewall (WAF) to protect the application layer.

  • Create Access Control Lists (ACLs) to restrict access to the infrastructure.

  • Create AWS Security Groups to restrict access to application services.

  • Allow access to applications and infrastructure only from the countries where you need to be available.

  • Store application code in private repositories on AWS CodeCommit or another code hosting service such as GitHub or Bitbucket.

  • Secure endpoints with two-factor authentication and with user-agent or geolocation restrictions.

Docs side:

  • Create a Network Security Policy document which addresses:
      • The process to approve and test all new network connections.
      • The process to approve and test changes to the firewall and router configurations.
      • A network diagram that documents all connections between the cardholder data environment and other networks (including any wireless networks).
      • The process for updating the network diagram as required.
      • A diagram that shows all cardholder data flows across systems and networks.
      • The process for updating the data flow diagram as required.
      • The list of vulnerable services, protocols and ports, and the security controls applied to them.
      • The plan for periodically reviewing and maintaining firewalls and networking rules.
      • The accepted standard for firewall configurations:
          • Controls and rules for inbound and outbound traffic.
          • Process and rules for adding new connections to external networks.
      • Owner(s) of each process.

Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters.

Tech side:

  • Configure AWS multi-factor authentication (MFA) and verify that it is enabled for all IAM users and roles that access applications and infrastructure elements.

Docs side:

  • Create a Password Acceptance Policy document which addresses:
      • The process for changing the default password on services and tools.
      • The accepted standard for setting up passwords (uppercase, lowercase, symbols and numbers).
      • The process for rotating and updating passwords on a continuous basis.
      • The monitoring process to ensure that all passwords comply with the defined standards.
      • The correction process for passwords that do not comply with the defined standards.
      • Owner(s) of each process.

  • Create a Configuration Standard Policy document which addresses:
      • The list of system functions and the level of access they have to different services, protocols, daemons, etc.
      • The list of controls that prevent functions requiring different security levels from coexisting on the same server.
      • The list of virtualization technologies in use and the function of each.
      • The list of server-side encryption controls, such as SSH, VPN, SSL, etc.
      • The list of all hardware and software components inside the system and their purpose (name, size, etc.).
      • The list of additional security controls implemented on services, protocols or daemons as required by the system or application. For example, the use of secure technologies such as SSH, S-FTP, SSL or IPSec VPN to protect insecure services like NetBIOS, file sharing, Telnet, FTP, etc.
      • The process for removing unnecessary services or components, to prevent misuse or vulnerabilities.
      • The process for updating the inventory of components.
      • The process for creating, maintaining and deleting hardware and software components (what size they should have, what security and general specifications they should meet, how they should be deleted if required, etc.).
      • The process for securing access to wireless connections into the network.
      • Owner(s) of each process.

2. Protect the Cardholder Data

Requirement 3: Protect stored cardholder data.

Tech side:

  • Isolate your database service (Relational Database Service (RDS), DynamoDB, Aurora Serverless, etc.) from the internet.

  • Grant access to database services only to those IAM roles that really require it to complete their functions.

  • Replicate all the data stored in databases across multiple zones in the cloud, so that it is not lost in case of disaster. 

  • Create periodic backups for both code and the data stored in databases.

  • Store the backups on AWS S3, and create a backup rotation approach.

  • Enable scalability and failover for your database servers so that they remain highly available under user demand.

Docs side:

  • Create a Data Retention and Protection Policy document which addresses:
      • The process for retaining and deleting cardholder data (how long the data will be stored, and why).
      • The process for monitoring cardholder data and deleting data that is no longer used.
      • The process for managing the creation, retention and deletion of authentication data (access for apps, fingerprint access).
      • The process for handling sensitive data such as chip and magnetic stripe data, PINs, PANs and card verification codes, as well as the process for creating, changing and deleting this kind of data.
      • The list of security controls implemented on sensitive cardholder data and on access to it.
      • Owner(s) of each process.

Requirement 4: Encrypt transmission of cardholder data across public networks.

Tech side:

  • Encrypt all data stored in databases.

  • Encrypt all communication between services in the cloud.
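As an added example (not part of the original checklist), the following Python script shows how the Tech-side items for Requirements 1, 3 and 4 can be verified automatically: it evaluates the response shapes returned by boto3's ec2.describe_security_groups() and rds.describe_db_instances() against a policy that allows only TCP 443 to be reachable from the internet and requires every database instance to be non-public with encrypted storage. The sample responses are constructed so the script runs offline, and the 443-only policy is an assumption of this example, not something the checklist prescribes.

```python
# Added example: offline checks over boto3 describe_security_groups / describe_db_instances response shapes.
PUBLIC_CIDRS = {"0.0.0.0/0", "::/0"}
ALLOWED_PUBLIC_PORTS = {443}  # assumption: only TLS edge traffic may be reachable from anywhere

# Constructed sample shaped like ec2.describe_security_groups()["SecurityGroups"]
SAMPLE_SECURITY_GROUPS = [
    {"GroupId": "sg-web", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
    {"GroupId": "sg-db", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": "10.0.0.0/16"}]}]},
    {"GroupId": "sg-legacy", "IpPermissions": [
        {"IpProtocol": "-1", "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},
]
# Constructed sample shaped like rds.describe_db_instances()["DBInstances"]
SAMPLE_DB_INSTANCES = [
    {"DBInstanceIdentifier": "cde-primary", "PubliclyAccessible": False, "StorageEncrypted": True},
    {"DBInstanceIdentifier": "legacy-reports", "PubliclyAccessible": True, "StorageEncrypted": False},
]

def check_security_groups(groups):
    """Requirement 1: flag inbound rules that expose anything but the allowed TCP ports to the internet."""
    findings = []
    for sg in groups:
        for perm in sg.get("IpPermissions", []):
            cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
            cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
            if not PUBLIC_CIDRS.intersection(cidrs):
                continue  # rule is scoped to specific networks, nothing to report
            proto = perm["IpProtocol"]
            if proto == "-1":  # "-1" means every protocol and port; FromPort/ToPort are absent
                findings.append(f"{sg['GroupId']}: all traffic open to the internet")
            elif proto != "tcp" or set(range(perm["FromPort"], perm["ToPort"] + 1)) - ALLOWED_PUBLIC_PORTS:
                findings.append(f"{sg['GroupId']}: {proto} {perm['FromPort']}-{perm['ToPort']} open to the internet")
    return findings

def check_db_instances(instances):
    """Requirements 3 and 4: databases must not be internet-reachable and must encrypt storage."""
    findings = []
    for db in instances:
        name = db["DBInstanceIdentifier"]
        if db.get("PubliclyAccessible"):
            findings.append(f"{name}: PubliclyAccessible is true")
        if not db.get("StorageEncrypted"):
            findings.append(f"{name}: StorageEncrypted is false")
    return findings

if __name__ == "__main__":
    for finding in check_security_groups(SAMPLE_SECURITY_GROUPS) + check_db_instances(SAMPLE_DB_INSTANCES):
        print("FAIL", finding)
```

Against live accounts, feed the functions the `SecurityGroups` and `DBInstances` lists from the real boto3 calls (paginated) and treat any returned finding as a checklist item that is not yet met.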

Docs side:

  • Create a Cryptographic Policy document which addresses:
      • The list of encryption controls implemented on sensitive data.
      • The process for implementing certificates to encrypt communication carrying cardholder data.
      • The accepted best practices and standards applied to encryption controls.
      • The process and requirements to access sensitive encrypted data.
      • The process to monitor, identify and eliminate vulnerabilities affecting encrypted data.
      • Owner(s) of each process.

Hey! If you want to continue reading through all 12 PCI requirements, don't forget to download the complete version of this PCI DSS Compliance Checklist!

The Ultimate Checklist for PCI DSS Compliance on the AWS Cloud

Become PCI DSS Compliant!

The best way to become fully PCI DSS compliant on the AWS Cloud is with the assistance of AWS and DevOps experts. We can help you implement the 12 PCI requirements step by step.

Our DevOps experts have helped customers from a wide variety of industries to become PCI DSS Compliant through the implementation of PCI requirements. We are here to guide you through the journey to becoming PCI DSS Compliant!
