Amazon confirms EC2/S3 does not meet PCI guidelines

If your business requires PCI compliant hosting because you store, transmit or process cardholder data, hosting in the cloud may not be for you. Most cloud providers do not have the controls or processes in place to protect sensitive cardholder data, nor the willingness to enter into the business arrangements that merchants are required to have. Because of this, it is impossible to meet several requirements found in the current PCI standards, leaving your business exposed to heavy fines for non-compliance.

One such example is Amazon EC2. In a recent discussion on the amazonwebservices.com forum and on slashdot.org, users were discussing a desire to move to Amazon EC2 while maintaining PCI compliance. While not surprising, at least there was a concrete answer as to where Amazon stands with regard to its role in its customers' compliance. In an email from Taimur Rashid, an account manager at Amazon Web Services, he states “We do not and will not provide a written agreement attesting compliance and assuming responsibility for cardholder data.”

PCI requires that all merchants maintain a written agreement between the merchant and the service provider that outlines responsibility for cardholder data: “Requirement 12.8.2 Maintain a written agreement that includes an acknowledgement that the service providers are responsible for the security of cardholder data the service providers possess.” Without this simple agreement, you cannot be compliant.

In addition to not providing a written agreement, Amazon also will not allow the on-site audits required for Level 1 and now Level 2 merchants. Cindy S from Amazon Web Services states “If you have a data breach, you automatically need to become level 1 compliant which requires on-site auditing; that is something we cannot extend to our customers.”

Based on the two statements above, Amazon EC2/S3 is currently not capable of providing the level of service required for PCI compliance at any level. If you are a merchant and require PCI compliance, avoid the cloud and find a reputable service provider that specializes in PCI compliance, such as GSI, Rackspace or ZZ Servers.