AWS

PCI DSS Compliance Checklist on AWS

Getting PCI DSS compliance not only implies filling a bunch of documents or installing simple firewalls. What is AWS PCI Compliance, then? Luckily for you, you have come here to find The PCI DSS Compliance Checklist on the AWS Cloud

This PCI DSS Compliance Checklist is based on the 12 core requirements of the PCI DSS and corresponds with the latest version, 3.2.1 of the PCI DSS Standard. For instance, the PCI DSS —Payment Card Industry Data Security Standard— has been developed to set data protection for those companies that store, process or transmit card data, and the PCI DSS requirements are the right way to achieve them.

If you are on this PCI DSSCompliance Checklist I assume you’re looking to get your PCI compliant App on AWS. And I am glad that you are! Since this PCI DSS Compliance Checklist is able to help any app to become AWS PCI Compliance through different PCI compliance levels.

First of all, I’ll recommend going through this resource which provides a complete introduction to PCI Compliance on AWS. This resource presents the PCI compliance meaning plus a standardized architecture on the AWS Cloud.

Table of content

Why is the PCI Compliance Checklist important?

Everyone expects a secure process when doing a credit card transaction. Nobody wants their data to be stolen. PCI DSS compliance standards focus on maintaining payment security for businesses that store, process or transmit cardholder data. Through PCI DSS, technical and operational requirements of accepting or processing payment transactions are all covered.

I am completely sure that this PCI DSS compliance checklist will be really helpful for you. I hope you can enjoy it as much as I did!

AWS PCI DSS Checklist: Security Goals & Requirements

We are sure this resource will be beneficial for you in your quest to build more robust apps in AWS and offer the reliability that all your customers are expecting by achieving the six goals stated by PCI, you will get bulletproof systems prepared for the significant demand of the market. 

Each of the next security goals is subdivided into requirements that make a complete set of 12 security controls that you need to integrate with AWS so that your apps become compliant with this PCI DSS Compliance Checklist. There are a total of 6 security goals and 12 requirements on this AWS PCI Compliance Checklist that every company should follow in order to get fully compliant on the AWS Cloud.

This PCI DSS Compliance Checklist is based on 6 specific security goals:

1. Build and Maintain a Secure Network and Systems

Requirement 1: Install and maintain a firewall configuration to protect the cardholder data.
Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters.

2. Protect the Cardholder Data

Requirement 3: Protect stored cardholder data.
Requirement 4: Encrypt transmission of cardholder data across public networks.

3. Maintain a Vulnerability Management Program

Requirement 5: Protect all systems against malware and regularly update antivirus software or programs.
Requirement 6: Develop and maintain secure systems and applications.

4. Implement Strong Access Control Measures

Requirement 7: Restrict access to cardholder data by business need-to-know.
Requirement 8: Identify and authenticate access to system components.
Requirement 9: Restrict physical access to cardholder data

5. Regularly Monitor and Test Networks

Requirement 10: Track and monitor all access to network resources and cardholder data.
Requirement 11: Regularly test security systems and processes.

6. Maintain an Information Security Policy

Requirement 12: Maintain a policy that addresses information security for all personnel.

PCI DSS Compliance Checklist

In this PCI DSS Compliance Checklist, you will find two types of needed items for each PCI requirement; these two categories are the Tech and Docs side. 

Tech side: This category refers to those technologies, tools, network controls, etc., that you should integrate on your AWS infrastructure to add security and high protection to your information assets.

Doc side: This category addresses the documented processes and configurations that PCI DSS requires you to support your security offer and make visible to all your stakeholders why your application is secure and reliable.

1. Build and Maintain a Secure Network and Systems

Requirement 1: Install and maintain a firewall configuration to protect the cardholder data.

Tech Side:

  • Configure the AWS Web Application Firewall (WAF) to protect the applications layer.

  • Create Access Control Lists for restricting access to infrastructure.

  • Create AWS Security Groups to restrict user access for application services.

  • Enable access for applications and infrastructure only for those countries from where you need to be available in the world.

  • Store the code for applications on private repositories on AWS CodeCommit or any other code repository service like Github or Bitbucket.

  • Secure endpoints via two-factor authentication, user agent, or geo-location.

Doc Side:

  • Create a Network Security Policy document which addresses:

  • The process to approve and test all new network connections.
  • The process to approve and test changes to the firewall and router configurations.
  • A network diagram that documents all connections between the cardholder data environment and other networks (including any wireless networks).
  • The process for updating the network diagram as required.
  • A diagram that shows all cardholder data flows across systems and networks.
  • The process for updating the data flow diagram as required.
  • The list of vulnerable services, protocols, and ports; and the security controls applied on them.
  • The plan is to perform reviews and maintenance on firewalls and networking rules periodically.
  • The accepted standard for firewall configurations:
  • Controls and rules for inbound and outbound traffic.
  • Process and rules for adding new connections for external networks.
  • Owner(s) of each process.

Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters.

Tech Side:

  • Configure AWS Multi-factor authentication. Ascertained it is configured for all IAM roles to access applications and infrastructure elements are enabled for all users.

Doc Side:

  • Create a Password Acceptance Policy document which addresses:

  • The process for changing the default password on services and tools.
  • The accepted standard for setting up passwords (uppercase, lowercase, symbols and numbers).
  • The process for rotating and updating passwords on a continuous basis.
  • The monitoring process to ensure that all passwords comply with defined standards.
  • The correction process for passwords that do not comply with defined standards.
  • Owner(s) of each process.
  • Create a Configuration Standard Policy document which addresses:

  • The list of system functions and the level of access they have for different services, protocols, daemons, etc.
  • The list of controls to prevent functions that require different security levels from coexisting on the same server.
  • The list of used virtualization technologies, and its corresponding function.
  • The list of server-side encrypted controls, such as SSH, VPN, SSL, etc.
  • The list of all hardware and software components inside the system, and its purpose (name, size, etc.)
  • The list of additional/extra security controls implemented on services, protocols, or daemons as required by system/application. For example, the use of secure technologies such as SSH, S-FTP, SSL, or IPSec VPN to protect insecure services like NetBIOS, file-sharing, Telnet, FTP, etc.
  • The process for removing unnecessary services or components, to prevent misuse or vulnerabilities.
  • The process for updating the inventory of components.
  • The process for creating, maintaining, and deleting hardware and software components (what size it should have, what security and general specs it should have, how it should be deleted if required, etc.).
  • The process for securing access to wireless connections into the network.
  • Owner(s) of each process.

2. Protect the Cardholder Data

Requirement 3: Protect stored cardholder data.

Tech side:

  • Isolate your database service (either Relational Database Service (RDS), DynamoDB, Aurora Serverless, etc.) from the internet.

  • Grant access to database services only to those IAM roles who really require it to complete their functions.

  • Replicate all the data stored in databases across multiple zones in the cloud so that it is not lost in case of disaster.

  • Create periodic backups for either code and data stored on databases.

  • Store the backups on AWS S3 and create a backup rotation approach.

  • Enable scalability and failover for your database servers in order to stay highly available to attend user demand.

Docs side:

  • Create a Data Retention and Protection Policy document which addresses:

  • The process for retaining – deleting for cardholder data (how much time the data will be stored, why it will be stored).
  • The process for monitoring the cardholder data and deleting the data is no longer used.
  • The process for managing authentication data creation – retention – deletion (accesses for apps, fingerprint access).
  • The process for tracking information such as chips, magnetic bands of cardholders, PINs, PAN numbers, and card verification codes, as well as the process for creating, changing, and deleting this kind of data.
  • The list of security controls implemented on sensitive cardholder data and accesses.
  • Owner(s) of each process.

Requirement 4: Encrypt transmission of cardholder data across public networks.

Tech side:

  • All the data stored in databases is properly encrypted.

  • All the communication between services in the cloud is encrypted.

Docs side:

  • Create a Cryptographic Policy document which addresses:
  • The list of encryption controls implemented on sensitive data.
  • The process for implementing certificates to encrypt communication for cardholder data.
  • The accepted best practices and standards applied to encryption controls.
  • The process and requirements to access sensitive encrypted data.
  • The process to monitor, identify, and eliminate vulnerabilities in encrypted data.
  • Owner(s) of each process.

Hey! If you are looking to continue reading the 12 requirements of PCI, don’t forget to download the Complete Version of this PCI DSS Compliance checklist!

The Ultimate Checklist for PCI DSS Compliance on the AWS Cloud

Download Here

Implement PCI DSS Compliant Checklist

The best way to fully become PCI DSS Compliant on the AWS Cloud is through the assistance of AWS and DevOps experts. We can help you implement the 12 requirements of PCI step-by-step.

Our DevOps experts have helped customers from a wide variety of industries to implement PCI DSS Compliant Checklist through the implementation of PCI requirements. We are here to guide you through the journey to becoming PCI DSS Compliant!

FAQs

How many compliance requirements does PCI DSS have?

The PCI DSS Compliance is based on the 12 core requirements, corresponding with the latest version 3.2.1 of the PCI DSS Standard. 
They include general practices, such as the cardholder information restriction and the need to create safe passwords. In-depth courses are also established, such as encryption and the use of a firewall.

How do you comply with PCI DSS?

These six steps are based on specific security goals to comply with PCI DSS.

1. Build and Maintain a Secure Network and Systems
2. Protect the Cardholder’s Data
3. Maintain a Vulnerability Management Program
4. Implement Strong Access Control Measures
5. Regularly Monitor and Test Networks
6. Maintain an Information Security Policy

What data falls under the PCI DSS compliance checklist?

It protects stored cardholder data, isolating your database service (either Relational Database Service (RDS), DynamoDB, Aurora Serverless, etc.) from the internet. 

Also, it creates a Data Retention and Protection Policy document that you will need to encrypt cardholder data transmission across public networks.

Published by
Ana Karen
Tags: pci compliancepci compliance checklistpci compliance on awspci dss compliance checklist

Related Post

Recent Posts

What Is Constitutional AI and Why Does It Matter in 2025

AI systems are changing by the hour. And one of the top priorities, besides clarity…

4 days ago

Agentic AI in Healthcare: Use Cases and Best Practices

Agentic AI refers to AI designed with human-like autonomy to carry out specific tasks without…

2 weeks ago

How to Create an AI Application: Steps, Challenges and Solutions

Have you ever questioned how self-driving cars navigate without human input, how chatbots can carry…

3 weeks ago

Advanced Prompt Engineering Strategies

Advanced prompt engineering strategies are important when extracting maximum value from Large Language Models (LLMs).…

4 weeks ago

Python vs Node.js for AI Development | Video

Today, I will discuss which one is better, Python vs Node.js for AI development, so…

4 weeks ago

How to Integrate AI into a React Application

At this point, if AI isn’t part of your application, you’re falling behind in a…

1 month ago