PCI Compliance scoping is hard for any company, moving payment processes to the cloud can be a great way to reduce that complexity. However, there are many factors that can cause your AWS environment to expand PCI scope larger than you intended. Before we get into those, it’s important to level set on What is PCI Compliance and How is PCI Compliance Scope Determined. Let’s briefly cover What is PCI Compliance. I could spend days going over the details of PCI, for the purposes of this article, we will hit the highlights. PCI Compliance is an industry standard established by the major card brands (e.g., VISA, MasterCard, American Express, Discover) to govern how credit card data should be handled by merchants and service providers. PCI Compliance is not a law but is required by the card brands and enforced by a company’s payment acquirer / merchant bank. For very large companies, they must hire a 3rd party, the term is typically called a QSA (or Qualified Security Assessor) to conduct an PCI assessment, all others can fill out a SAQ (self assessment questionnaire) to prove they are PCI compliant.
Next, let’s talk about PCI scope. The biggest rule in the PCI compliance standard is the fact that a company’s entire network is considered “in scope” for compliance unless its credit card systems are segmented off from the rest of the environment. This fact is a big deal to most companies and can make compliance an expensive challenge. So, in order to reduce PCI Compliance scope, a company will typically architect its payment network to isolate it from the rest of the network. To make things more difficult, the PCI Data Security Standards have very specific rules on scoping, Designing a small environment within AWS to reduce scope is just as challenging for AWS Security architects and compliance teams as for on premise security teams. Moving to AWS is not a silver bullet for compliance nor scope reduction.
Here are the 5 ‘musts’ to consider when thinking about limiting PCI scope within AWS. Any of the below items not designed securely could lead to a larger scope than intended.
#1 VPC Peering
In an AWS environment, virtual servers and databases are placed in network containers called VPCs or Virtual Private Clouds. By default, a VPC is a stand alone and isolated environment. No other VPCs or systems outside of the VPC can communicate inbound; making it a great tool to reduce PCI scope. The catch? AWS has developed something called “VPC Peering” in which a configuration setting can be enabled to bridge two VPCs together, allowing them to connect by default. A VPC can be “peered” to another VPC in the same AWS account or a totally different account. Be sure to review your environment for these peering connections.
#2 Site to Site VPN Connections
It is almost never the case that an AWS account is configured as an island in the cloud. It is almost always directly connected and routed to “corporate” using a site-to-site VPN connection. When the AWS architects do this, they essentially extend the corporate network into parts of AWS. An AWS site-to-site VPN connects a remote network (typically corporate) to an AWS VPC. When this is done, the risk is that your PCI scope has just gotten larger, not smaller. Look out for any AWS site-to-site VPNs configured.
#3 Transit Gateways
An AWS Transit Gateway is a lot like a site to site vpn connection, except that it allows for the pooling of connections into a single gateway. AWS defines a transit gateway like this: “AWS Transit Gateway is a service that enables customers to connect their Amazon Virtual Private Clouds (VPCs) and their on-premises networks to a single gateway” So, as you can see the concept is very similar to a AWS site-to-site VPN. However, they are configured in different places within the AWS console, so you’ll want to be sure you cover them all.
#4 Publicly Exposed IP Addresses
Just like any network, AWS has the ability to expose systems to the Internet. These connections could be used for anything from your e-commerce website, exposed database, to a 3rd party VPN. There really is no way of knowing without investigating all of these public end points.
#5 AWS Organizations
AWS has a mechanism for companies to group and manage multiple AWS accounts from a single “master account”. This is good news from an organizational standpoint but with it also comes PCI compliance challenges. While, being part of an AWS organization does not allow for computers and data to connect between accounts, it does allow the AWS Master Account to have influence over the user access. Because of this, you’ll want to understand if your PCI AWS account is part of an AWS organization.
Conclusion
Bringing your payment workloads to AWS can be a big win for your company. Allowing you to keep cardholder data outside of the main corporate network and provide the benefits of the AWS Cloud. However, as discussed, there are considerations that you want to review to ensure your environment is secure and properly scoped for PCI compliance and scope reduction. If the thought of figuring all of this out seems like a lot of time, check out AWS Expert, its our security tool designed and developed for exactly these situations, you can get all of this information and much more in a few minutes. https://blackboxauditor.com/#focus or talk direct with us, email us at sales@blackboxauditior.com
Note: The above advise comes from a QSA who’s job is to provide guidance and advise on PCI Compliance.