4. Early 2017
Payment Environment:
Redesign our payment channels
Adapt business processes
Communicate to partners and third parties
Plan & coordinate teams
6. What is PCI-DSS Compliance
• Standard for cardholder data environments composed of security best practices and controls.
• It’s all about maintaining a secure environment.
• If you are handling credit card data – this applies to you too!
7. PCI Goals and Requirements
Build and Maintain a Secure Network
1. Install and maintain a firewall configuration to protect cardholder data
2. Do not use vendor-supplied defaults for system passwords and other security parameters
Protect Cardholder Data
3. Protect stored cardholder data
4. Encrypt transmission of cardholder data across open, public networks
Maintain a Vulnerability Management Program
5. Use and regularly update anti-virus software or programs
6. Develop and maintain secure systems and applications
Implement Strong Access Control Measures
7. Restrict access to cardholder data by business need to know
8. Assign a unique ID to each person with computer access
9. Restrict physical access to cardholder data
Regularly Monitor and Test Networks
10. Track and monitor all access to network resources and cardholder data
11. Regularly test security systems and processes
Maintain an Information Security Policy
12. Maintain a policy that addresses information security for all personnel
8. Early 2017: Decision to be made
Build on the cloud
Build in our DCs
Outsource to third party
9. Security in the Cloud is a Shared Responsibility
https://aws.amazon.com/compliance/shared-responsibility-model/
10. PCI Requirements mapped to AWS Services
Build and Maintain a Secure Network
Protect Cardholder Data
Maintain a Vulnerability Management Program
Implement Strong Access Control Measures
Regularly Monitor and Test Networks
Maintain an Information Security Policy
AWS services shown on the slide: VPC, Security Group, Amazon EC2, CloudFormation, S3, EBS, CloudHSM, KMS, RDS, ELB, VPN, WAF, CloudFront, Cognito, Directory Service, IAM, CloudTrail, Inspector, Config, Lambda
11. AWS services in scope for PCI-DSS compliance
> 55% of all services are PCI-compliant
47.6% increase from prev. year
In 2016: 26
In 2017: 42
In 2018: 62
25. Summary
1. Bring the right people together early on
2. Have a strategy
3. Break down large projects into small iterations
4. Know and leverage the ecosystem
5. Take care of your team