While PCI DSS isn’t new, how its requirements apply to serverless deployments is. If you have an application running on AWS Lambda that handles payment card data, how you secure it needs to be re-evaluated. How you think about application firewalls and configure them under requirement 1, how you restrict access to cardholder data under requirement 7, and how you harden IAM configuration under requirement 2 (with identification and authentication under requirement 8) all need to be reassessed, because with serverless there is no server of your own to harden: the function’s code, its execution role, and its triggers are the entire attack surface. So how does one know whether an application adheres to PCI DSS, and how can one ensure it is secure?
It has been said many times: serverless, by its very nature and when configured properly, can leave organizations more secure than their other cloud workloads. That is because the application is decomposed into many small functions, each of which can be given only the permissions and data access it actually needs. But those restrictions have to be applied at the level of each function’s code and configuration, which takes time if nothing is automated. Done right, developers end up with a highly secure application and one that does not jeopardize their organization’s compliance posture.
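As an added example (not code from the original page or its ebook), the following Python script audits Lambda execution-role policy documents for the wildcards that defeat per-function least privilege, the kind of automated check the paragraph above says is needed at the function level. The two policy documents, the account ID and ARNs, and the list of sensitive action prefixes are constructed for illustration; in practice the documents would be pulled from the IAM API (GetRolePolicy / GetPolicyVersion) for each function's role.

```python
"""Audit Lambda execution-role policies for least privilege (added example).

Not code from the original page. Policies are plain dicts in the shape IAM
returns; the samples below are constructed, with hypothetical ARNs.
"""
import json

# Constructed sample: an over-broad role often seen on a first deployment.
BROAD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "*", "Resource": "*"},
    ],
}

# Constructed sample: the same function scoped to the one table, one secret
# and one log group it actually needs (hypothetical account 111122223333).
SCOPED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["dynamodb:GetItem", "dynamodb:PutItem"],
         "Resource": "arn:aws:dynamodb:us-east-1:111122223333:table/Payments"},
        {"Effect": "Allow",
         "Action": "secretsmanager:GetSecretValue",
         "Resource": "arn:aws:secretsmanager:us-east-1:111122223333:secret:psp-api-key-AbCdEf"},
        {"Effect": "Allow",
         "Action": ["logs:CreateLogGroup", "logs:CreateLogStream", "logs:PutLogEvents"],
         "Resource": "arn:aws:logs:us-east-1:111122223333:log-group:/aws/lambda/charge:*"},
    ],
}

# Services that hold cardholder data or the keys/secrets protecting it.
# Hypothetical starting list; extend it for the account being audited.
SENSITIVE_PREFIXES = ("dynamodb:", "s3:", "secretsmanager:", "kms:", "rds-data:")


def _as_list(value):
    """IAM allows a single string or a list in Action/Resource; normalise."""
    return value if isinstance(value, list) else [value]


def statement_findings(index, stmt):
    """Return findings for one statement; Deny statements only narrow access."""
    findings = []
    if stmt.get("Effect") != "Allow":
        return findings
    # NotAction/NotResource grant by exclusion, which is almost never least privilege.
    if "NotAction" in stmt or "NotResource" in stmt:
        findings.append(f"statement {index}: NotAction/NotResource grants by exclusion; rewrite as explicit Allow")
    actions = _as_list(stmt.get("Action", []))
    resources = _as_list(stmt.get("Resource", []))
    for action in actions:
        if action == "*" or action.endswith(":*"):
            findings.append(f"statement {index}: wildcard action {action!r}")
    touches_data = any(a == "*" or a.startswith(SENSITIVE_PREFIXES) for a in actions)
    if touches_data and "*" in resources:
        findings.append(f"statement {index}: data-store or key action allowed on every resource ('*')")
    return findings


def audit_policy(policy):
    """Return a list of findings for a policy document; empty means it passed."""
    findings = []
    for i, stmt in enumerate(_as_list(policy.get("Statement", []))):
        findings.extend(statement_findings(i, stmt))
    return findings


def audit_functions(role_policies):
    """Map function name -> findings, for a batch of policies pulled per function."""
    return {name: audit_policy(policy) for name, policy in role_policies.items()}


if __name__ == "__main__":
    report = audit_functions({"charge": BROAD_POLICY, "charge-scoped": SCOPED_POLICY})
    print(json.dumps(report, indent=2))
```

Run this over every function's role in a CI step and fail the build on any finding; the scoped policy above passes, while the `"*"/"*"` policy produces two findings (a wildcard action and an unbounded resource). Statements using `NotAction` are flagged separately because they look narrow but grant everything except the listed actions.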
Here are a few helpful pointers, organized by requirement, for those whose serverless deployments are in scope for PCI DSS:
The point is, organizations can take full advantage of all the benefits serverless provides without impacting their PCI DSS compliance posture; they just need to re-evaluate their approach.
For more information on PCI Compliance as it pertains to serverless applications, download a free copy of the compliance ebook here.