Amazon EC2 Achieves Payment Industry Certification - InformationWeek


Level 1 Payment Card Industry-compliant transaction processing systems can now be hosted by Amazon Web Services.

Amazon Web Services says it is now capable of running Payment Card Industry (PCI) compliant transactions in its cloud infrastructure. The infrastructure is not merely a test-bed or demonstration architecture. It's been certified by a third-party auditor.

"Merchants and other service providers can now run their applications on AWS technology infrastructure to store, process, and transmit credit card information" in Amazon's EC2 cloud, said the company. AWS did not provide details on the nature of its PCI-compliant infrastructure or what customers would do differently to access it. But it said it had been audited and certified by a Qualified Security Assessor, a PCI auditor, as meeting Level 1 PCI compliance.

For over a year, experts in cloud services have recognized that the Amazon platform possessed enough inherent security measures to provide a potential PCI-compliant platform. The Cloudiquity blog of Jana Technologies, a technology consulting practice based on Amazon Web Services, was willing to advise AWS customers last year on the steps they could take to build their own architecture inside Amazon, at a Level 2 -- as opposed to Level 1 -- standard of PCI compliance. AWS said Level 1 operation is at a scale of more than 300,000 transactions a year.

But it's only recently that Amazon itself has been willing to claim it can provide infrastructure needed to run transactions at Level 1 PCI compliance. It announced the infrastructure was available Dec. 7 and hasn't yet provided much detail on how customers will be able to access it. Implementation details may await PCI Data Security Standard (DSS) 2.0, which goes into force on Jan. 1. An AWS spokesman was not immediately available to respond to InformationWeek questions.

"Security has always been and will continue to be our number one priority," said Steve Schmidt, AWS chief information security officer, in the Dec. 7 announcement. "By pursuing... the PCI DSS service provider validation, we're able to give customers continued assurance that the AWS cloud is a trustworthy and secure platform on which to build and deploy business-critical applications," the announcement said.

The PCI standard requires secure network connections, encryption of transmitted data, secure data storage, firewalls between servers, antivirus protection, and malware detection, among other things. The PCI Council, which maintains the standard, recently revised it to explicitly allow the operation of virtual machines that have been secured. The Jan. 1 change simplifies the hurdles that need to be met to achieve PCI compliance in a cloud setting.

The standard won't be revised again until 2013, but inclusion of virtual machine operation in the standard will make it easier for the PCI auditing and certifying agencies to approve transaction processing in a secure cloud architecture.

As PCI 2.0 was announced in November, the PCI Council's virtualization working group specified a cloud architecture that it said would meet all the requirements of the 2.0 standard, even though the standard makes no specific reference to a cloud environment.

Chris Richter, VP of security products and services at Savvis, a managed service and cloud service provider, is a member of the working group. He said in an interview that the architecture requires firewalls, encryption, and security measures. It's described in a white paper titled "PCI-Compliant Cloud Reference Architecture." The PCI Standards Council has not endorsed or commented on the white paper.

The working group intended it as an early roadmap to what, until now, has been something of a no-man's land: cloud computing as a shared facility where secure transactions may take place.
