If your application integrates or handles credit card processing, it's a good idea to ensure your network meets PCI DSS standards.
The Payment Card Industry Data Security Standard is a proprietary information security standard administered by the PCI Security Standards Council which is an organisation founded by American Express, Visa, Mastercard, Discover and JCB International. The standards outlines by the PCI DSS should be adopted by anyone that stores, processes or transmits card holder data or authentication data which would typically be merchants, processors, acquirers, issuers and payment service providers.
If you are handling transactions where the major credit card providers are in use, then they will expect you to be PCI compliant.
Hosting your application on AWS is a good head-start given that AWS is certified as PCI DSS Level 1 service provider. AWS PCi Compliant services include:
You still need to make sure you have PCI DSS requirements covered which include:
- Install and maintain a firewall in front of cardholder data
- Change vendor provided default security and system passwords
- Encrypt cardholder data in transit and at rest
- Protect against malware and keep anti-virus software up to date
- Develop secure systems
- Restrict data access to cardholder information internally
- Restrict and authenticate access to key system components
- Track and monitor access to your network
So as a customer who uses AWS to store, process or transmit cardholder data you have a solid base as you manage your own PCI DSS compliance.
AWS however does not automatically have everything covered. The shared responsibility model you enter into when using AWS services means they provide the mechanisms to perform forensic investigations when things go wrong, but it is ultimately your responsibility to prove your systems are up to scratch.
That's where an AWS PCI diagrams comes into play. Or more specifically the diagrams auto-generated by Hava.
Because the network topology diagrams created by Hava are auto generated and cannot be edited (without exporting diagrams out of the platform) they can be relied on as a source of truth. The diagrams reflect exactly what is running now, and probably more usefully show what was running at any point in time when you investigate the diagrams stored in version history.
As changes are detected in your AWS configuration, Hava generates a new diagram set and places the superseded diagrams into version history. The historical diagrams are fully interactive, so you can investigate all the metadata related to anything on the diagram.
As well as proving the existence of key security components like firewalls and data encryption, Hava provides other key security detail on the security view diagram: