Amazon EC2 is PCI compliant! (Score: 1)
How can it be bad news that you can use Amazon for level 2 compliance? This
is really good news!
Level 1 compliance is required by Visa for companies doing more than 6 million
transactions per year. That is a tiny, minute number of businesses, which means
virtually NO ONE needs to bother with Level 1 compliance. The annual assessment
fees to maintain Level 1 classification are $15,000+ per year, depending on who
assesses you, of course, and depending on your systems. Who can afford that in
the first place?
If you look closely at the PCI regulations, you will find that they are wide
open, and can often be interpreted in many ways. This means they are patently
unclear, and so are many of the comments and interpretations by assessors as
well as by people looking at PCI rules, who have never read the regulations.
The only reason why Amazon cannot - based on their own statement - be PCI 1
compliant is that they will not give assessors onsite access for a
validation. This is required for level 1 compliance. All other rules can be met
by the Amazon system. This is not just based on Amazon's own statement, but
based on going through the questionnaire and actually assessing EC2 against each
of the requirements AS THEY ARE WRITTEN DOWN and not as they are being
interpreted by whoever feels like it.
I had PCI 'experts' tell me that any computer in my office which connects to a
PCI compliant server from within my office has to be in a locked-up steel cage.
And some other comments here do not seem to be much better. For example, Linux
servers are specifically excluded from requiring anti-virus programs within the
specifications.
Amazon doesn't like you storing your credit cards on their system - well no, of
course not. Because if you set up your system badly and someone does break in,
you'll probably try to blame Amazon rather than your own server setup. This has
nothing to do with cloud servers. In fact I have no idea why everyone keeps
bringing the cloud into these specifications. Cloud is not mentioned in the PCI
specs, nor are many other so-called required hardware setups for compliance.
There is also no requirement to use hardware servers - does this mean you are
not allowed to use hardware servers? Cloud servers are neither excluded nor
included in the specs.
To be PCI compliant you simply have to meet all the requirements in the
questionnaire applying to you as they are listed in the paperwork. EC2 servers
and the EC2 datacenters meet all the hardware requirements. On the security side
and providing you with the ability to lock everything down as required by the
various questionnaires, EC2 meets all the requirements. How you lock things down
and how you set up your security groups and how you follow procedures and how
you encrypt credit card details has nothing to do with Amazon. But it is
possible on EC2 to comply.
Just as an example, look at question 1.1 of Self-Assessment Questionnaire D: 'Do
established firewall and router configuration standards include the
following…' It does not say 'Do you have your own firewall, and do you have full
access to the firewall configuration, and have you personally set up your very
own firewall rules and standards which include the following…'
Yet that is how many experts like to read the regulations. When you talk to some
PCI experts, they will claim that you must have your own hardware firewall to be
PCI compliant and that you must set it up yourself. No, you don't. In fact, the
PCI regulations do not even ask for a hardware firewall. So you can run a
software firewall on all your servers, if you like.
I for one am thrilled about Amazon confirming that EC2 is PCI compliant. And so
long as you do not require an onsite assessment, you could be too. Whether you want
to use EC2 or not is an entirely different story. But that has nothing to do
with PCI compliance.
Steffan Klein
santu.com