Physical Security Responsibilities for AWS Users
Evaluating Your CHD Scope in AWS
While it’s true that AWS is responsible for the physical security of the cloud (like includes the infrastructure of hardware, software, networking, and facilities that run AWS services), as an AWS customer, you must evaluate the physical nature of your PCI scope. Are your employees accessing your AWS environment from an office location, from their home Internet through a VPN, or from a public place (a hotel, an airport, a coffee shop) over public Internet? What IT services or third parties are connected to your AWS environment? You must evaluate your processes for accessing data in the cloud, because it may reveal new in-scope systems. Physical security responsibilities aren’t black-and-white – they often bleed between AWS and the customer.
Your responsibility, when it comes to PCI Requirement 9, is to obtain and review AWS’ PCI Attestation of Compliance (AoC) at least annually. AWS’ PCI AoC and AWS PCI DSS Responsibility Summary are available to customers through AWS Artifact. Reviewing this PCI AoC, then performing your own scoping assessment will ensure that you have an appropriate scope for your CHD environment in AWS.
Transcription
As you work through Requirement 9 in the PCI Data Security Standard, you may think that because AWS is responsible for the physical security requirements of the infrastructure and the hosting environment where you have your applications and resources, checking in on AWS’ compliance is all that you have to do. We hear the comment all the time, “Well, all of our cardholder data environment is located in the cloud, so therefore, those are the only physical security requirements that we have to be concerned with.” That’s just simply not true.
You have to think about where your people are located who are accessing the AWS environment. You have to think about the processes that you are engaged in. Maybe you have a chargeback process that is occurring somewhere else or you have other steps that you go through in supporting your customers and handling their data that is outside of the cloud. You do have to evaluate those things and understand where the scope leads you in terms of your PCI cardholder data environment. In many cases, it does bleed outside of AWS’s responsibilities, so it’s very important that you take responsibility for that and understand where the risk lies. Not only should you evaluate AWS’s attestation of compliance, but you should take a careful look at your scope and think about what it is that does or does not remove your office from scope or your employee’s home or your employee when they’re traveling, their laptops, any other systems that are connected to administrative systems that are providing IT or other support services. It could be very true that the physical security requirements in PCI Requirement 9 should apply to some of your local experiences that you have within your organization.
Related Videos
PCI Requirement 9 – Restrict Physical Access to Cardholder Data.mp4
PCI Requirement 9.1 – Use Facility Entry Controls to Limit Physical Access to CDE
PCI Requirement 9.1.1 – Use Video Cameras or Access Control Mechanisms to Monitor Physical Access
PCI Requirement 9.1.2 – Implement Physical Controls to Restrict Access to Accessible Network Jacks
PCI Requirement 9.1.3 – Restrict Physical Access to Wireless Access Points
PCI Requirement 9.2 – Develop Procedures to Easily Distinguish Between Onsite Personnel and Visitors
PCI Requirement 9.3 – Control Physical Access for Onsite Personnel to Sensitive Areas
PCI Requirement 9.4 – Implement Procedures to Identify and Authorize Visitors
PCI Requirement 9.4.1 – Visitors are Authorized Before Entering, and Escorted at all Times
PCI Requirement 9.4.2 – Visitors are Identified and Given a Badge that Expires
PCI Requirement 9.4.3 – Visitors are Asked to Surrender the Badge Before Leaving the Facility
PCI Requirement 9.4.4 – A Visitor Log is Used to Maintain a Physical Audit Trail of Visitor Activity
PCI Requirement 9.5 – Physically Secure all Media
PCI Requirement 9.5.1 – Store Media Backups in a Secure Location and Review the Location’s Security
PCI Requirement 9.6 – Maintain Control Over the InternalExternal Distribution of Any Kind of Media
PCI Requirement 9.6.1 – Classify Media so the Sensitivity of the Data Can Be Determined
PCI Requirement 9.6.2 – Send the Media by Secured Courier
PCI Requirement 9.6.3 – Ensure Management Approves All Media Moved from a Secured Area
PCI Requirement 9.7 – Maintain Strict Control Over the Storage and Accessibility of Media
PCI Requirement 9.7.1 – Properly Maintain Inventory Logs of All Media
PCI Requirement 9.8 – Destroy Media When it is no Longer Needed
PCI Requirement 9.8.1 – Shred Hard-Copy Materials so CHD Cannot be Reconstructed
PCI Requirement 9.8.2 – Render CHD on Electronic Media Unrecoverable
PCI Requirement 9.9 – Protect Devices That Capture Payment Card Data via Direct Physical Interaction
PCI Requirement 9.9.1 – Maintain an Up-To-Date List of Devices
PCI Requirement 9.9.2 – Periodically Inspect Device Surfaces to Detect Tampering or Substitution
PCI Requirement 9.9.3 – Provide Training for Personnel to Be Aware of Attempted Tampering of Devices
Physical Security Responsibilities for AWS
Physical Security Threats for AWS
SOC 2 Academy: Disposing of Physical Devices
SOC 2 Academy: Physical Security Controls
