Intro
EFTLab, a leading financial technology company, sought to adapt its existing infrastructure to meet the stringent requirements of the Payment Card Industry Data Security Standard (PCI DSS). Facing challenges in securing cardholder data and ensuring compliance, EFTLab partnered with us to leverage Amazon Web Services (AWS). By implementing a comprehensive AWS solution, EFTLab achieved PCI DSS compliance, enhanced security, and operational efficiency, thereby reinforcing trust with its clients.
Objective
- Achieve PCI DSS Compliance: Adapt existing infrastructure to meet PCI DSS requirements for handling sensitive payment card information.
- Enhance Security: Implement robust security measures to protect cardholder data and prevent unauthorized access.
- Implement Multi-Account Strategy: Restructure AWS accounts to isolate environments and restrict developer access to sensitive data.
- Improve Monitoring and Logging: Ensure comprehensive tracking of all access to network resources and cardholder data.
- Utilize AWS Best Practices: Leverage AWS services and the Shared Responsibility Model to meet compliance standards.
Solution
1. Multi-Account Architecture with AWS Control Tower
- AWS Organizations: Implemented AWS Organizations to manage multiple AWS accounts under a single organization.
- Account Segmentation: Created separate accounts for production, development, and staging environments to isolate resources and data.
- AWS Control Tower: Utilized AWS Control Tower for automated account provisioning and governance.
- Security Organizational Unit (OU): Established dedicated accounts for security functions, including log archiving and auditing.
2. Data Protection with AWS RDS and Secrets Manager
- Amazon RDS with Encryption: Deployed Amazon RDS databases with encryption at rest using AWS KMS-managed keys.
- TLS Enforcement: Configured TLS to encrypt data in transit between applications and databases.
- AWS Secrets Manager: Managed database credentials and enforced password rotation policies to comply with PCI DSS requirements.
3. Enhanced Security and Compliance Services
- AWS Identity and Access Management (IAM): Implemented strict IAM roles, policies, and multi-factor authentication (MFA) for all users.
- AWS Config: Used AWS Config to assess, audit, and evaluate the configurations of AWS resources, ensuring compliance with PCI DSS.
- AWS Security Hub: Enabled AWS Security Hub for centralized security monitoring and compliance checks against PCI DSS standards.
- AWS CloudTrail: Activated AWS CloudTrail to log all API calls and user activities for auditing purposes.
4. Network Security and Isolation
- Virtual Private Clouds (VPCs): Created VPCs with public and private subnets, implementing network segmentation to protect cardholder data.
- Security Groups and Network ACLs: Configured security groups and network access control lists (ACLs) to control inbound and outbound traffic.
- Firewall Configuration: Set up firewalls to protect the network perimeters and comply with PCI DSS requirements.
5. Monitoring and Logging
- Amazon CloudWatch: Employed Amazon CloudWatch for real-time monitoring of resources and applications.
- Log Aggregation: Centralized logging in a dedicated account for secure storage and analysis.
- Audit Trails: Maintained comprehensive audit trails for all access to network resources and cardholder data.
6. Identity and Authentication Controls
- Unique User IDs: Assigned unique IDs to each individual accessing system components.
- Password Policies: Enforced strong password policies, including complexity requirements and regular rotation.
- MFA Enforcement: Required multi-factor authentication for all access to sensitive environments.
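The identity controls in sections 3 and 6 (strong password policy, MFA for all access) map onto two IAM artefacts: the account password policy and a policy document that denies actions when no MFA is present. The following is an added example, not EFTLab's or DevOpsGroup's code. The password-policy dict mirrors the `PasswordPolicy` object returned by `iam.get_account_password_policy`, the force-MFA document follows the AWS-documented pattern (deny everything except MFA self-enrolment when `aws:MultiFactorAuthPresent` is absent or false), and the thresholds in `PASSWORD_RULES` are assumed for this example rather than taken from the page.

```python
"""Offline checks for the identity controls described in sections 3 and 6.

Added example, not EFTLab's or DevOpsGroup's code. PASSWORD_RULES are assumed
thresholds; the policy dict mirrors iam.get_account_password_policy output and
the policy documents use standard IAM JSON. All sample data is constructed.
"""
import json

# Assumed thresholds for this example (align with the PCI DSS version in scope).
PASSWORD_RULES = {
    "MinimumPasswordLength": 12,
    "RequireUppercaseCharacters": True,
    "RequireLowercaseCharacters": True,
    "RequireNumbers": True,
    "RequireSymbols": True,
    "MaxPasswordAge": 90,          # days; must be at most this
    "PasswordReusePrevention": 4,  # remembered passwords; must be at least this
}


def password_policy_gaps(policy: dict) -> list:
    """Return the names of rules the account password policy does not meet."""
    gaps = []
    for key, required in PASSWORD_RULES.items():
        actual = policy.get(key)
        if isinstance(required, bool):
            ok = bool(actual) is required
        elif key == "MaxPasswordAge":
            ok = actual is not None and actual <= required
        else:
            ok = actual is not None and actual >= required
        if not ok:
            gaps.append(key)
    return gaps


# Deny everything except MFA self-enrolment when MFA is absent. BoolIfExists is
# used because aws:MultiFactorAuthPresent is missing entirely for requests made
# with long-term access keys; a plain Bool test would not deny those.
FORCE_MFA_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "DenyAllExceptMfaSetupWithoutMfa",
        "Effect": "Deny",
        "NotAction": [
            "iam:CreateVirtualMFADevice",
            "iam:EnableMFADevice",
            "iam:ListMFADevices",
            "iam:ListVirtualMFADevices",
            "iam:ResyncMFADevice",
            "sts:GetSessionToken",
        ],
        "Resource": "*",
        "Condition": {"BoolIfExists": {"aws:MultiFactorAuthPresent": "false"}},
    }],
}


def enforces_mfa(policy: dict) -> bool:
    """True if some Deny statement is conditioned on MFA being absent."""
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):  # IAM allows a single statement object
        statements = [statements]
    for stmt in statements:
        if stmt.get("Effect") != "Deny":
            continue
        cond = stmt.get("Condition", {})
        for operator in ("Bool", "BoolIfExists"):
            flag = cond.get(operator, {}).get("aws:MultiFactorAuthPresent", "")
            if str(flag).lower() == "false":
                return True
    return False


# Constructed sample policies: one that meets PASSWORD_RULES and one that does not.
COMPLIANT_PASSWORD_POLICY = {
    "MinimumPasswordLength": 14, "RequireUppercaseCharacters": True,
    "RequireLowercaseCharacters": True, "RequireNumbers": True,
    "RequireSymbols": True, "MaxPasswordAge": 90, "PasswordReusePrevention": 24,
}
WEAK_PASSWORD_POLICY = {
    "MinimumPasswordLength": 8, "RequireUppercaseCharacters": True,
    "RequireLowercaseCharacters": True, "RequireNumbers": True,
    "RequireSymbols": False, "MaxPasswordAge": 365,
}
ALLOW_ALL_POLICY = {"Version": "2012-10-17",
                    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}

if __name__ == "__main__":
    print("weak policy gaps:", password_policy_gaps(WEAK_PASSWORD_POLICY))
    print("force-MFA document enforces MFA:", enforces_mfa(FORCE_MFA_POLICY))
    print(json.dumps(FORCE_MFA_POLICY, indent=2))
```

The weak sample policy is reported for its short minimum length, missing symbol requirement, one-year maximum age and missing reuse prevention; the allow-all document is flagged because it carries no MFA-conditioned deny, which is the gap a periodic audit of attached policies should surface.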
Challenges
- PCI DSS Compliance: Ensuring all infrastructure components met the stringent PCI DSS requirements.
- Security Controls Implementation: Establishing robust security measures across a multi-account AWS environment.
- Access Management: Preventing unauthorized access by developers to sensitive environments and cardholder data.
- Comprehensive Monitoring: Implementing detailed logging and monitoring to track all access and changes.
Benefits
- Achieved PCI DSS Compliance: Successfully met all PCI DSS requirements, ensuring secure handling of cardholder data.
- Enhanced Security Posture: Strengthened security through AWS best practices and advanced security services.
- Isolated Environments: Improved security and compliance by isolating production environments from development and staging.
- Improved Monitoring and Logging: Enabled detailed tracking and auditing of all activities, enhancing accountability.
- Operational Efficiency: Leveraged AWS managed services to reduce operational overhead and focus on core business functions.
- Scalable and Flexible Infrastructure: Built a foundation that can adapt to future compliance requirements and business growth.
Conclusion
By leveraging AWS’s comprehensive suite of services and best practices, EFTLab successfully adapted its infrastructure to meet PCI DSS requirements. The implementation of a multi-account strategy, advanced security controls, and compliance services enabled EFTLab to enhance its security posture, achieve compliance, and maintain operational efficiency. This strategic move not only ensured the safeguarding of sensitive payment card information but also strengthened trust with its clients and positioned EFTLab for future growth.
Head of Professional Services
Michal Režnický
DevOpsGroup and their specialists are very structured, organized and always ready for meetings. In this project we worked with Pavel Krajkovic, junior DevOps Architect. I really appreciate Pavel Krajkovic’s calmness in explaining the infrastructure to a customer with little experience in this area. It is important to have strong communication skills when presenting a solution like this.