Physical Security Responsibilities for AWS
Complying with PCI Requirement 9 in AWS
PCI Requirement 9 is all about physical security and the requirements for restricting physical access to cardholder data. You might be wondering how this is requirement is applicable for an AWS environment. Physical security is one area where the AWS Shared Responsibility Model comes into play. AWS is responsible for protecting “security of the cloud” which includes the infrastructure of hardware, software, networking, and facilities that run AWS services. You can trust that AWS’ physical security controls are PCI compliant because AWS is certified as a PCI DSS Level 1 Service Provider.
Your responsibility, when it comes to PCI Requirement 9, is to obtain and review AWS’ Attestation of Compliance (AoC) at least annually. AWS’ PCI AoC and AWS PCI DSS Responsibility Summary are available to customers through AWS Artifact for on-demand access. To learn more about the compliance program at AWS, visit the documentation on AWS Services in Scope.
Transcription
When you’re working through Requirement 9 for your PCI Data Security Standard assessment, you might question what the relevance of physical security requirements are if you are running your applications within an AWS environment. AWS has taken responsibility for physical security controls for the applications and resources that you have set up within your AWS account. This is communicated in your PCI Report on Compliance because AWS is considered one of your third parties. They do, potentially, have access to your environment and you will notice in their attestation of compliance that they are accepting responsibility for those requirements that are relevant to their physical security controls. They are responsible for who has visitor access or vendor access. They are responsible for video cameras to monitor their environment and the alarms that go into protecting the environment from physical intruders. All of that shifts to AWS.
Your responsibility, going through your PCI audit, is to request their PCI AoC. They will provide that to you through their compliance portal so that you can have a copy of that and provide that to your auditor in order to fulfill your compliance requirements. You are responsible for overseeing their compliance with the PCI requirements. You’ll want to ensure that you have an agreement with them that states that they are responsible for those requirements. You will want to be responsible for monitoring their compliance and understanding if there have been any changes to their environment. You’ll do that, primarily, through reviewing their PCI Attestation of Compliance on, at least, an annual basis. If you have any questions about interacting with AWS or any other third party who has responsibility for some of the PCI DSS controls, please contact us today. We’d be happy to walk you through that.
Related Videos
PCI Requirement 9 – Restrict Physical Access to Cardholder Data.mp4
PCI Requirement 9.1 – Use Facility Entry Controls to Limit Physical Access to CDE
PCI Requirement 9.1.1 – Use Video Cameras or Access Control Mechanisms to Monitor Physical Access
PCI Requirement 9.1.2 – Implement Physical Controls to Restrict Access to Accessible Network Jacks
PCI Requirement 9.1.3 – Restrict Physical Access to Wireless Access Points
PCI Requirement 9.2 – Develop Procedures to Easily Distinguish Between Onsite Personnel and Visitors
PCI Requirement 9.3 – Control Physical Access for Onsite Personnel to Sensitive Areas
PCI Requirement 9.4 – Implement Procedures to Identify and Authorize Visitors
PCI Requirement 9.4.1 – Visitors are Authorized Before Entering, and Escorted at all Times
PCI Requirement 9.4.2 – Visitors are Identified and Given a Badge that Expires
PCI Requirement 9.4.3 – Visitors are Asked to Surrender the Badge Before Leaving the Facility
PCI Requirement 9.4.4 – A Visitor Log is Used to Maintain a Physical Audit Trail of Visitor Activity
PCI Requirement 9.5 – Physically Secure all Media
PCI Requirement 9.5.1 – Store Media Backups in a Secure Location and Review the Location’s Security
PCI Requirement 9.6 – Maintain Control Over the InternalExternal Distribution of Any Kind of Media
PCI Requirement 9.6.1 – Classify Media so the Sensitivity of the Data Can Be Determined
PCI Requirement 9.6.2 – Send the Media by Secured Courier
PCI Requirement 9.6.3 – Ensure Management Approves All Media Moved from a Secured Area
PCI Requirement 9.7 – Maintain Strict Control Over the Storage and Accessibility of Media
PCI Requirement 9.7.1 – Properly Maintain Inventory Logs of All Media
PCI Requirement 9.8 – Destroy Media When it is no Longer Needed
PCI Requirement 9.8.1 – Shred Hard-Copy Materials so CHD Cannot be Reconstructed
PCI Requirement 9.8.2 – Render CHD on Electronic Media Unrecoverable
PCI Requirement 9.9 – Protect Devices That Capture Payment Card Data via Direct Physical Interaction
PCI Requirement 9.9.1 – Maintain an Up-To-Date List of Devices
PCI Requirement 9.9.2 – Periodically Inspect Device Surfaces to Detect Tampering or Substitution
PCI Requirement 9.9.3 – Provide Training for Personnel to Be Aware of Attempted Tampering of Devices
Physical Security Responsibilities for AWS Users
Physical Security Threats for AWS
SOC 2 Academy: Disposing of Physical Devices
SOC 2 Academy: Physical Security Controls
