AWS adopts new credit card security requirements

Amazon Web Services (AWS) is the first major cloud adopter of the newest security standard for credit card transactions.

The credit card industry’s security standards group, which is composed of major financial institutions such as Visa, American Express, and MasterCard, regularly publishes a set of security guidelines for all organizations and businesses that use credit card information. These guidelines, known as the Payment Card Industry Data Security Standard (PCI DSS), aim to ensure that businesses use security measures to protect consumers’ personal data and reduce credit card fraud.

Cloud providers have been required to comply with the PCI DSS in recent years due to increasing online shopping and the fact that more businesses are moving away from traditional on-premises computing. Each of the three top cloud providers, AWS, Google and Microsoft, is certified to comply with PCI DSS standards. AWS, however, was the first to adopt version 3.2 of the PCI DSS, which was announced back in April.

Chad Woolf, director of risk and compliance at AWS, said Monday that AWS was the first cloud service provider (CSP) to successfully complete an assessment against the newly released PCI Data Security Standard (PCI DSS) version 3.2.

The current version of the PCI DSS, version 3.2, expires October 31st. Organizations have until February 1, 2018 to adopt the new version, or they could be out of compliance. Woolf stated that the rapid adoption of version 3.2 “demonstrates [AWS] commitment to information security being our highest priority.”

Version 3.2 of the PCI DSS has many notable changes from its predecessor.
According to Troy Leach, chief technology officer at the PCI Security Standards Council, service providers now have to enforce multifactor authentication “for all personnel with non-console administration access to the system handling card data.” The standard also mandates that businesses conduct penetration testing in segmented environments every six to twelve months instead of annually. Version 3.2 also requires providers to conduct quarterly reviews of their staff to assess compliance with security policies. Leach also outlines some other changes in this FAQ.

AWS is a Level 1 service provider according to the PCI DSS. This means that it processes high volumes of credit card transactions, upwards of 300,000. AWS considers 26 of its cloud services compliant with version 3.2. These include Amazon Redshift, Amazon EC2 and Amazon S3. You can find a complete list of compliant services here.

AWS has also released a new “compliance package” to help customers understand the implications and benefits of becoming certified for version 3.0. Woolf said that the package contains materials that will help customers who are: