Amazon Confirms EC2/S3 Not PCI Level 1 Compliant
Jason writes "After months of digging through speculation and polar opposite opinions from PCI experts, I finally sent a direct request to Amazon's AWS sales team asking if they are in fact PCI compliant and will provide documentation attesting that they are, as is required by PCI guidelines. I fully expected them to dodge the question and refer me to a QSA, but to my relief, they replied with a refreshingly honest and absolute confirmation that it is currently impossible to meet PCI level 1 compliance using AWS services for card data storage. They also very strongly suggest that card numbers never be stored on EC2 or S3, as those services are inherently noncompliant. For now at least, the official verdict is: if you need to process credit cards, the Amazon cloud platform is off the table."
Amazon payments (Score:5, Insightful)
That is OK: you can just use Amazon Payments, probably pay lower commissions than you would on your own, and not have to worry about storing CC data.
Re:Who would have thought? (Score:5, Insightful)
For those lacking humor components in their brains, the parent (and a few other people), along with myself, would like to say:
FOR FUCK SAKE GIVE US SOME MEANINGFUL POINT OF REFERENCE FOR THESE ACRONYM FILLED NON-STORIES.
Re:Who is PCI compliant? (Score:4, Insightful)
I'd guess that less than 1% of e-commerce retailers are processing cards themselves.
Am I the only one? (Score:4, Insightful)
Am I the only one thinking "A generic and uncontrolled system that is completely virtual and could be run anywhere isn't sufficiently secure for storing or processing credit card details? No shit!"?
Seriously, I can see the benefit of cloud (which is effectively a glorified grid) for research and the like, but for information that needs to be secured like corporate secrets, proprietary information and credit cards? How can people consider "thing that is inherently changing and not controlled by you" to be a good answer?
Re:Sure, and a PCI audit costs nothing, right? (Score:4, Insightful)
We looked into this at one point: got details on the audit, etc. Technically, it seemed to be a pretty trivial check of your systems. As I recall, you also had to agree to pay for an annual remote check - basically a port scan - which also cost a pretty penny.
Basically, it's a way of raking in money. Of course, the people who go through with the audit wind up passing the costs on to consumers. This is in addition to the transaction costs of 3-4%, the transaction processing costs, the fees paid by the consumers, etc, etc.
Can we please find a secure way of using direct debit, so we can cut the credit-card companies out of the loop?
Re:Who is PCI compliant? (Score:4, Insightful)
Requirement 1: Install and maintain a firewall configuration to protect cardholder data
Err.. quite tricky when your machine is a virtual host that you're accessing over the Internet. Whatever firewall you set up, _you_ need to have a way around it. Very few people bother with VPNs or the like; most virtual hosting packages I've seen have FTP and other services open to all. This seriously compromises its security.
If your hosting package doesn't allow you decent control over the firewall, it has no place in an ecommerce platform.
Requirement 4: Encrypt transmission of cardholder data across open, public networks
Most web development companies I've worked with always want to transfer data around over unencrypted FTP, often including database backup files. The chances are, if you have a subcontractor handling your e-commerce web site, they're violating this requirement on a regular basis.
Use a different web development company. I'd be unlikely to want to deal with any developer who ever suggested FTP for the transfer of important data.
Requirement 5: Use and regularly update anti-virus software
Oh, yeah. Everyone has antivirus installed on their web servers. Wait... you mean they don't? What's this Linux thing?
If Linux and Windows boxes share the same network, you should run anti-virus software everywhere.
Requirement 6: Develop and maintain secure systems and applications
Ha!
Yup. Have coding standards, peer review of code, formal test and release cycles, segregation of duties between ops and dev staff, a viciously strict regression test cycle and systematic testing for SQL injection, cross-site scripting, etc. It's not rocket science.
Requirement 9: Restrict physical access to cardholder data
Somewhat difficult when you're not hosting the system yourself, so this requirement can only be met by less than 1% of e-commerce retailers out there.
Your contract with your hosting provider should address these security issues - in fact, they should be able to confirm that they're PCI compliant themselves. If they can't demonstrate that physical access to data, including backup tapes, is properly controlled, you need another hosting company.
Requirement 11: Regularly test security systems and processes
When was the last time you performed a penetration test on your network?
We schedule frequent (but deliberately irregular, so that our ops guys don't know what's coming) internal and external penetration tests. I'm appalled that anyone should consider building an ecommerce platform without commissioning pen testing.
We're not required to be PCI compliant, but I know we'd pass a PCI audit with very little difficulty. The standards simply reflect good practice, and we aren't interested in being second rate.
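An added example, not part of this post or of any AWS tooling: a small Python audit over a constructed ingress ruleset that flags the two firewall problems the comment raises, non-web ports reachable from anywhere (Requirement 1) and cleartext services such as FTP (Requirement 4). The rule format is a simplified one made up here, not the AWS security-group API.

```python
"""Audit an ingress ruleset against two PCI DSS points raised in the thread.

Rule format (constructed for this example): name, from_port, to_port, source CIDR.
"""
import ipaddress

# Ports a public web tier is expected to expose to the whole Internet.
PUBLIC_WEB_PORTS = {80, 443}
# Services that move data in the clear; FTP is the one the comment calls out.
CLEARTEXT_PORTS = {21: "ftp", 23: "telnet", 69: "tftp"}


def audit_ingress(rules):
    """Return a list of findings; an empty list means both checks passed."""
    findings = []
    for rule in rules:
        src = ipaddress.ip_network(rule["source"], strict=False)
        ports = set(range(rule["from_port"], rule["to_port"] + 1))
        # Requirement 1: a /0 source (0.0.0.0/0 or ::/0) reaching anything
        # beyond the web ports means the "firewall" has a hole you need to
        # close by restricting the source to admin/VPN ranges.
        if src.prefixlen == 0 and not ports <= PUBLIC_WEB_PORTS:
            exposed = sorted(ports - PUBLIC_WEB_PORTS)
            findings.append({"req": 1, "rule": rule["name"],
                             "detail": f"ports {exposed[0]}-{exposed[-1]} open to {src}"})
        # Requirement 4: a cleartext service is a problem whatever the source,
        # since cardholder data crossing it is unencrypted even from a
        # "trusted" range. Replace FTP with SFTP/SCP or an HTTPS upload.
        for port in sorted(ports & set(CLEARTEXT_PORTS)):
            findings.append({"req": 4, "rule": rule["name"],
                             "detail": f"{CLEARTEXT_PORTS[port]} on port {port} from {src}"})
    return findings


# Constructed sample: a typical "hosting package" ruleset with FTP and SSH open to all.
SAMPLE_RULES = [
    {"name": "web", "from_port": 443, "to_port": 443, "source": "0.0.0.0/0"},
    {"name": "web-redirect", "from_port": 80, "to_port": 80, "source": "0.0.0.0/0"},
    {"name": "ftp-anywhere", "from_port": 21, "to_port": 21, "source": "0.0.0.0/0"},
    {"name": "ssh-anywhere", "from_port": 22, "to_port": 22, "source": "0.0.0.0/0"},
    {"name": "ssh-office", "from_port": 22, "to_port": 22, "source": "203.0.113.0/24"},
]

# Constructed hardened variant: only HTTPS is public, admin access is SSH from the office.
HARDENED_RULES = [
    {"name": "web", "from_port": 443, "to_port": 443, "source": "0.0.0.0/0"},
    {"name": "ssh-office", "from_port": 22, "to_port": 22, "source": "203.0.113.0/24"},
]

if __name__ == "__main__":
    for f in audit_ingress(SAMPLE_RULES):
        print(f"Requirement {f['req']}: rule {f['rule']}: {f['detail']}")
    print("hardened findings:", audit_ingress(HARDENED_RULES))
```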
Acronym soup. (Score:3, Insightful)
What are
PCI
AWS
QSA
EC2
S3
Why don't editors ask for this to be clarified, or reject outright something that makes so many assumptions about the reader's field of expertise?
Re:Good thing... (Score:5, Insightful)
I realized (or at least hoped) it was a continuation of the original joke; that's why I didn't say something like "y0u 1d107". I posted the wikis only so that anyone who actually did want to know what all this gibberish was about didn't get lost in some wikimess of the comparison of graphical accelerators and the pros and cons of various bus types.
Re:Consideration (Score:5, Insightful)
Here's a straightforward response: if you can't find any documentation on it anywhere and if, as you say, Amazon seems to avoid the question, then it is pretty much safe to assume that you should not store your credit card numbers in such a system.
Being "PCI compliant" is hardly a skeleton in the closet, so I doubt any vendor would shy from offering such assurance if it were available.
-dZ.
Re:Consideration (Score:3, Insightful)
What. An honest one?
There are PCI Compliant service providers out there, in fact, Visa has a list of them[1]. I work for one.
[1] http://usa.visa.com/download/merchants/cisp-list-of-pcidss-compliant-service-providers.pdf
Where are the editors? (Score:3, Insightful)
Okay, offtopic trolling flamebait here, but...
Seriously, do SOME editing before posting any old journal entry or story submission. You know that "Preview" button? Use it.
Re:Sure, and a PCI audit costs nothing, right? (Score:4, Insightful)
Uh, no thanks. The couple percent the CC companies charge is small insurance to make sure that Joe's website is not able to go in and clear out my checking and/or savings accounts. Unless you are going to go with something like one-time card numbers with set transaction limits, which is too difficult for most people to grasp.