solution brief

PCI COMPLIANCE ON AWS:

HOW TREND MICRO CAN HELP
The benefits of cloud computing are clear and compelling: no upfront investment, low
ongoing costs, flexible capacity and fast application deployment. However, merchants
”
and service providers that process credit card payments must comply with the Payment Perhaps the largest
Card Industry Data Security Standard (PCI DSS), regardless of whether the transaction
occurs in a store or in the cloud. Ultimately, these organizations are responsible for the
point of confusion
security of their customer’s cardholder data. with regards to the
PCI DSS and cloud
AWS AND PCI DSS COMPLIANCE computing is the
To ensure an end-to-end secure computing environment, Amazon Web Services (AWS)
employs a shared security responsibility model with its customers. While AWS provides
question of upon
secure facilities and processes, it is up to its customers to protect their operating systems, whose shoulders

”
applications and data running on AWS. It is important to understand the division of shared
responsibilities between AWS and the client, and the security solutions organizations need does compliance fall?
to meet PCI DSS requirements.
Andrew Hay, Wired Magazine
If payment card data is stored, processed or transmitted in a cloud environment, PCI DSS will
apply to that environment, and will typically involve validation of both the AWS infrastructure
and the client’s usage of that environment. Ultimately however, the responsibility to ensure
cardholder data is secure rests with the client.
Although AWS satisfies all of the requirements under PCI DSS for shared hosting providers
and has been successfully validated against standards applicable to a Level 1 service provider
under PCI DSS Version 2.0. it’s important to note that AWS customers are responsible for
their own PCI DSS compliance. And while some DSS requirements may be satisfied by the
customer’s use of AWS (for instance Requirement 9: Restrict physical access to cardholder
data), most requirements are either shared responsibilities between the AWS customer and
AWS, or entirely the customer’s responsibility. Table 1 summarizes the party responsible for
ensuring compliance with each of the PCI DSSrequirements.

Page 1 of 8 • solution brief • PCI COMPLIANCE ON AWS: HOW TREND MICRO CAN HELP
 DIVISION OF PCI DSS RESPONSIBILITIES

PCI DSS REQUIREMENT RESPONSIBILITY

1. Install and maintain firewall configuration to protect cardholder data Both
2. Do not use vendor-supplied defaults for system passwords and other security parameters Both
3. Protect stored cardholder data Both
4. Encrypt transmission of cardholder data across open, public networks Client
5. Use and regularly update antivirus software or programs Client
6. Develop and maintain secure systems and applications Both
7. Restrict access to cardholder data by business need to know Both
8. Assign a unique ID to each person with computer access Both
9. Restrict physical access to cardholder data AWS
10. Track and monitor all access to network resources and cardholder data Both
11. Regularly test security systems and processes Both
12. Maintain a policy that addresses information security for personnel Both

Both = Client & AWS

Source: “Information supplement: PCI DSS Cloud Computing Guidelines”
www.pcisecuritystandards.org/pdfs/PCI_DSS_v2_Cloud_Guidelines.pdf

As you can see in the table above, many of the items require both parties to implement security controls.
Outsourcing daily management of a subset of PCI DSS requirements to AWS does not remove the client’s
responsibility to ensure cardholder data is properly secured and that PCI DSS controls are met. The client
therefore must work with AWS to provide evidence only, whereas compliance verifies PCI DSS controls are
maintained on an ongoing basis—an Attestation of Compliance (AOC) reflects a single point in time only;
compliance requires ongoing monitoring and validation that controls are in place and working effectively.
Even where a cloud service is validated for certain PCI DSS requirements, this validation does not automatically
transfer to the client environments within that cloud service. For example, AWS will have validation there is
up-to-date antivirus software on AWS systems; however, this validation might not extend to the individual client
OS or VMs (such as in an IaaS service on an instance). Additionally, clients must maintain compliance for all of
their own operations—for example, ensuring antivirus is installed and updated on all client-side systems used
to connect into the cloud environment.

Page 2 of 8 • solution brief • PCI COMPLIANCE ON AWS: HOW TREND MICRO CAN HELP
 TREND MICRO CLOUD and DATA CENTER SECURITY SOLUTION
With its broad cloud and data center solution, Trend Micro complements the security provided by AWS and help
achieve PCI DSS compliance.

Trend Micro Deep Security is a comprehensive server security platform that protects AWS instances from data
breaches and business disruptions while enabling compliance. This solution simplifies security operations while
accelerating the ROI of virtualization and cloud projects. Tightly integrated modules easily expand the platform
to ensure server, application, and data security across physical, virtual, and cloud servers, as well as virtual desktops.
With Deep Security, customers can employ any combination of agent-based protection, including anti-malware,
web reputation, firewall, intrusion prevention, integrity monitoring, and log inspection. Agentless protection is
also available for on premise applications running VMware. The result is an adaptive and efficient server security
platform that protects mission-critical enterprise applications and data from breaches and business disruptions
without expensive emergency patching.

Deep Security Key Benefits

•• Single solution with broadest set of recommended security capabilities for
AWS instances
•• Reduces set up time with flexible deployment options (software or SaaS)
•• Supports leading cloud deployment tools (Chef, Puppet, OpsWorks)
•• Automatically recognizes and secures new instances and sets security policy
without admin intervention
•• Eases management with an integrated console including customizable policy
rules and templates

Trend Micro SSL provides unlimited SSL certificates, including Extended

Validation (EV) certificates, and a management console so you can protect
every web page cost-effectively. Trend Micro is a globally trusted Certificate
Authority (CA) so you can be sure your websites—and your customers
are protected.

The Deep Security platform is powerful

and optimized for all physical, virtual,
and cloud environments.

Page 3 of 8 • solution brief • PCI COMPLIANCE ON AWS: HOW TREND MICRO CAN HELP
 PCI DSS REQUIREMENT
Requirement 1:
Install and maintain a
firewall configuration to
protect cardholder data.
Requirement 2:
Do not use vendor-
supplied defaults for
system passwords
and other security
parameters.
Page 4 of 8 • solution brief • PCI COMPLIANCE ON AWS: HOW TREND MICRO CAN HELP
AWS RESPONSIBILITY
All In-Scope Services:
AWS maintains instance
isolation for host operating
systems and the AWS
Management Environment
including host operating
system, hypervisor, firewall
configuration and baseline
firewall rules.
All In-Scope Services:
AWS develops and
maintains configuration
and hardening standards
for the AWS Management
Environment that provides
the virtualization tech-
nologies and applications
for providing the cloud
services.
AWS maintains configuration
and hardening standards
for the underlying operating ••
systems and platforms for
these services.
customer RESPONSIBILITY
•• Testing and approving network
connectivity and configuration for
storing cardholder data in AWS services.
AWS maintains the firewalls and
network management for these services.
•• Developing appropriate firewall
rules or using additional firewall
technologies to develop appropriate
DMZ and internal networks.
•• Reviewing the connectivity models
and exposureof their instances to
these data stores, for ensuring that
appropriate zones are created, and for
determining that access to the data
stores that have cardholder data are
not directly exposed to the Internet.
•• Implementing perimeter firewalls and
configuring security groups and ACLs
through the AWS API and other user
interfaces for their in-scope services.
•• Documenting, developing and
implementing configuration standards configurable security profiles that can
for the instances of EC2 and VPC that be defined and customized for each type
are within the CDE.
•• Documenting the functional and
security configuration standards of
AWS services used within the CDE to
ensure that the secure state designed can include a variety of proactive rules
for the service can be maintained.
•• Maintaining configurations and
updating them as new vulnerabilities
and configuration changes are identified. integrity monitoring of application and
Remaining up-to-date on AWS
service information and changes to
configurable items with new releases
and updating their configuration
settings accordingly.
•• Applying the appropriate configuration process and ensuring that changes made
to all EC2 and VPC server instances
as well as the configuration of other
AWS services that are used for
storing, transmitting or processing
cardholder data.
•• Ensuring that only one primary function configurations can be made to further
is implemented per server instance.
•• Ensuring secure communication
for administrative access to the
server instances such as Windows
Remote Desktop (RDP) using “High
Encryption” or “FIPS compatible”
encryption settings or SSH v2 or
above and appropriate SSH keys.
•• Ensuring that access to APIs are only
allowed over Direct Connect or SSL
connections to protect the confidentiality of server instance/application. The
and integrity of the transmission of
configuration information.
•• Configuring the services to limit
access to data stores and servers as
outlined throughout the document.
how trend micro can help
AWS Security Groups provide a simple
yet powerful mechanism for meeting
the principal segmentation objectives
of Section 1 between various server
instances and to the Internet.
Trend Micro Deep Security has
advanced firewall capabilities that can
complement and extend the built-in
AWS Security Group capabilities when
finer granularity or control of the
segmented traffic is desired or required,
such as with full bidirectional stateful
inspection or application layer rules.
Trend Micro Deep Security has
of server role, to ensure that each server
instance meets the one function-per-server
requirement and that only the necessary
services are accessible. Security profiles
to lock down each server’s role ranging
from firewall rules to block access to
service ports, to configuration and
service configuration files and registry,
to auditing of service and administrative
log events for unauthorized changes.
Security policies enable consistent
configurations to be applied to common
groups of servers, simplifying the audit
to the group policy are automatically
inherited and applied to all instances/
servers assigned that policy. Deep
Security does also support local overrides
so that additional policy assignments and
secure particular servers and account
for different configuration requirements.
Deep Security’s Recommendation Scan
feature profiles each server instance being
protected and ensures that each server
instance is running the necessary
security policy rules (Intrusion Prevention,
Integrity Monitoring, and Log Inspection)
are applied throughout the lifecycle
Recommendation Scan feature can be
considered the equivalent of ‘auto-tuning’
the security policies of the server
instance to ensure optimum protection.
 PCI DSS REQUIREMENT
Requirement 3:
Protected stored
cardholder data.
Requirement 4:
Encrypt transmission of
cardholder data across
open, public networks.
Requirement 5:
Use and regularly
update antivirus
software or programs.
Requirement 6:
Develop and maintain
secure systems and
applications.
Page 5 of 8 • solution brief • PCI COMPLIANCE ON AWS: HOW TREND MICRO CAN HELP
AWS RESPONSIBILITY customer RESPONSIBILITY how trend micro can help
All In-Scope Services: Maintaining appropriate data retention
AWS does not manage card- policies and procedures, encryption
holder data or encryption technologies and key management
technologies and keys for processes for maintaining PCI Data
the customers’ specific Security Standard requirements.
cardholder environment.
All In-Scope Services: •• Configuring web servers or the Trend Micro SSL includes unlimited SSL
AWS encrypts access and ELB load balancers with appropriate certificates to protect cardholder data
manages encryption within certificates to protect cardholder data during transfer by creating a uniquely
the AWS Management transmission over public networks. encrypted channel for communication.
Environment. •• Cryptography and security protocols There is also a management console
for connections to any storage system and certificate health checks to reduce
that is transmitting cardholder data. configuration issues and expiry risk.
•• Ensuring the data is encrypted in The transmission of data can additionally
transit as well as in storage. be protected with Deep Security’s firewall
•• The policies and use of any end-user which can be configured to block HTTP
messaging technologies for traffic (port 80) ensuring that all traffic
transmitting PAN. occurs over HTTPS ports (443).
All In-Scope Services: Managing antivirus to PCI requirements, Trend Micro Deep Security includes an
AWS manages antivirus as applicable to Requirement 5, for any anti-malware module to protect server
software for the AWS EC2 and VPC instances. instances. This protection is powered by
Management Environment Trend Micro’s Smart Protection Network
and, where appropriate, for which analyzes over 6TB of data daily to
the identified services. identify and correlate new threats. This
insight is immediately shared through
the proven cloud infrastructure.
All In-Scope Services: Managing the security patches of their Trend Micro Deep Security provides
AWS maintains security EC2 and VPC server instances. virtual patching to protect unpatched
patching, development vulnerabilities, and can serve as an
Reviewing all AWS Security Bulletins
and change control of the effective compensating control and risk
http://aws.amazon.com/security/
applications that support management strategy for the patching
security-bulletins and ensuring that any
the services included in requirements of Section 6.1 until the
recommendations that are applicable to
the assessment including appropriate patches can be applied.
the customer’s environment are
web interfaces, APIs, access
reviewed and implemented as necessary.
controls, provisioning and
deployment mechanisms. Maintaining software development
standards, change control, and
AWS develops and manages
vulnerability management programs
changes to the applications
to align with PCI requirements for
that support the services
applications developed and deployed
included in the assessment
into EC2 or VPC.
including web interfaces,
APIs, access controls, Any custom configurations that may
provisioning and deployment be created using development criteria
mechanisms. that are allowed by the APIs for EBS, S3,
RDS, DynamoDB, SimpleDB, ELB, IAM,
EMR, Direct Connect and Glacier. This
development should utilize the same
processes as other applications that
are developed by the customer and be
compliant with the PCI requirements for
development standards.
Changes to configurations for EBS, S3,
RDS, DynamoDB, SimpleDB, ELB, IAM,
EMR, Direct Connect and Glacier services.
AWS customers should have processes
developed for managing and controlling
changes to these configurations. Change
control procedures related to the EC2
and VPC server instances and EC2 and
VPC configuration through APIs and
other user interfaces.
 PCI DSS REQUIREMENT
Requirement 7:
Restrict access to
cardholder data by
business need-to-know.
AWS RESPONSIBILITY
All In-Scope Services:
AWS maintains the access
controls related to underlying
infrastructure systems
and the AWS Management
Environment.
customer RESPONSIBILITY
Managing access to all AWS services that
are included in their CDE. AWS provides
various mechanisms for controlling
access to the services including IAM for
integration with corporate directories
and granular access controls to the AWS
Management Console.
how trend micro can help
Deep Security maintains a full audit
trail of all system and Administrative
operations/events which can be
forwarded to a centralized SIEM or
Syslog server for further correlation
and archival.

Requirement 8:
Assign a unique ID
to each person with
computer access.
Requirement 9:
Restrict physical access
to cardholder data.
Requirement 10:
Track and monitor all
access to network
resources and
cardholder data.
All In-Scope Services:
AWS provides each user
in the AWS Management
Environment a unique ID.
AWS provides additional
security options that
•• Control over the authentication
enable AWS customers to
further protect their AWS
Account and control access:
AWS Identity and Access
Management (AWS IAM),
Multi-Factor Authentication
(MFA) and Key Rotation.
All In-Scope Services:
AWS maintains the physical
security and media handling
controls for the services
included in the assessment.
All In-Scope Services:
AWS maintains the physical
security and media handling
controls for the services
included in the assessment.
•• Controlling the creation of user Deep Security supports role-based access
accounts. This includes access controls control ensuring that administrative
to all AWS Services included in scope privileges can be restricted on a per
as well as to the server instances and administrator basis.
applications that customers may be
hosting in EC2 and VPC This is further supplemented by Deep
Security’s multi-tenant capability where
different departments, business units
mechanisms to the management
can be created as separate tenants
consoles and APIs for managing
their EC2 and VPC accounts. AWS ensuring complete isolation from a
provides an opt-in Multi-Factor security management perspective.
Authentication (MFA) solution to
support AWS customers’ in meeting
the requirement for two-factor
authentication
•• The processes and creation of
accounts and access controls
using the various authentication
mechanisms offered by AWS and
IAM. This includes access controls
to all AWS Services included in scope
as well as to the server instances and
applications that customers may be
hosting in EC2 and VPC.
Backup and destruction of media
outside of the AWS environment.
•• Logging and monitoring their systems Trend Micro Deep Security has modules
and EC2 and VPC server instances in for monitoring operating system events,
alignment with PCI requirements. application events and the integrity of
•• Obtaining and monitoring access key files—these can be used to monitor
to cardholder data. AWS provides the target system for security related
customer accessible transaction logs. incidents, and forward on to a SIEM or
Syslog server for correlation in real time.
•• Appropriately managing time service
(NTP) configuration for customer
EC2 and VPC server instances and
applications.

Page 6 of 8 • solution brief • PCI COMPLIANCE ON AWS: HOW TREND MICRO CAN HELP
 PCI DSS REQUIREMENT
Requirement 11:
Regularly test security
systems and processes.
Requirement 12:
Maintain a policy that
addresses information
security for all personnel.
Page 7 of 8 • solution brief • PCI COMPLIANCE ON AWS: HOW TREND MICRO CAN HELP
AWS RESPONSIBILITY
All In-Scope Services:
AWS conducts wireless rogue
access point detection,
vulnerability and penetration
testing, intrusion detection
and file integrity monitoring
for the AWS Management
Environment and the
identified services.
All In-Scope Services:
AWS maintains security
policies and procedures,
security awareness training,
security incident response
plan, and human resource
processes that align with
PCI requirements.
customer RESPONSIBILITY
All scanning, penetration testing, file
integrity monitoring and intrusion
detection for their EC2 and VPC
server instances and applications.
Maintaining appropriate policies and
processes applicable to their cardholder
data environment and align with the
PCI Requirement 12 to maintain their
compliance with the PCI Data Security
Standards.
how trend micro can help
Trend Micro Deep Security provides
file integrity monitoring of critical OS,
application and configuration files and
registry to meet Sections 11.4 and 11.5.
Both AWS-supplied AMIs as well as
custom AMIs can be conveniently used
as reference baselines for integrity scans.
In addition, Deep Security’s Recommen-
dation Scan feature profiles each server
instance being protected and ensures
that each server instance is running the
necessary security policy rules (Intrusion
Prevention, Integrity Monitoring, and Log
Inspection) are applied throughout the
lifecycle of server instance/application.
The Recommendation Scan feature
can be considered the equivalent of
‘auto-tuning’ the security policies of
the server instance to ensure optimum
protection.
Trend Micro Deep Security provides
alerts that are integral to a security
incident response plan. And because
it can prevent attacks as well, Deep
Security reduces the number of
incidents requiring a response. Deep
Security’s integration with leading
SIEM vendors enables a consolidated
view of security incidents.
 ABOUT TREND MICRO
As a global leader in cloud security, Trend Micro develops security solutions that make the world safe for
businesses and consumers to exchange digital information. With more than 25 years of experience, Trend
Micro delivers top-ranked security that fits customers’ needs, stops new threats faster, and protects data in
physical, virtualized, and cloud environments.

For more information, watch a webinar on PCI cloud compliance at www.trendmicro.com/cloudpci

Visit Trend Micro Alliance Partner page at www.trendmicro.com/us/business/strategic-alliances
for more information on the AWS-Trend Micro alliance.

Securing Your Journey to the Cloud

©2015 by Trend Micro Incorporated. All rights reserved. Trend Micro, the
Trend Micro t-ball logo, Smart Protection Network, and Deep Security are
trademarks or registered trademarks of Trend Micro Incorporated. All
other company and/or product names may be trademarks or registered
trademarks of their owners. Information contained in this document is
subject to change without notice. [SB01_AWS_PCI_Compliance_150806US]

Page 8 of 8 • solution brief • PCI COMPLIANCE ON AWS: HOW TREND MICRO CAN HELP