Aiming for the One-click Buy
Several studies recommend that eCommerce companies store customers' payment and shipping information on their servers. With this data, an eCommerce site can deliver a "one-click buy" user experience, or something very close to it.
This approach has a significant impact at the business level, achieving very high conversion rates from existing customers. The one-click buy removes much of the complexity of online ordering, which matters especially when you want to make it easy to complete these transactions on mobile devices.
To legally implement the desired one-click buy, your eCommerce site must be PCI compliant.
At CAPSiDE we have already helped our clients to certify their eCommerce sites.
Assessing alternatives to PCI Compliance in AWS
To certify many of the security aspects required for PCI compliance, companies normally go for licence-based tools with additional associated costs. When working in AWS environments, these tools are not the best solution, because they do not allow customization, configuration or parameterisation of many aspects of the integration.
Within the scope of an Amazon Web Services account, we cannot restrict which specific systems are to be monitored for certification, so any integration with third-party software has a high impact on all the services existing under the same AWS account. The tools normally used as potential alternatives for PCI compliance certification are ill-suited to infrastructures designed with auto-scaling groups (ASG), since instance creation and destruction are dynamic in order to adapt to the real demand on the infrastructure (for example, during sales periods).
Our SysArchitects engineers designed a solution, with an additional layer of intelligence, that fulfils all the required and relevant aspects for the PCI compliance audit, such as timestamps and event traceability at both the application and platform levels.
CAPSiDE’s solution
CAPSiDE designed and implemented several proofs of concept to determine the best solution for our client's project. AWS Config substituted for other commonly used third-party tools, and our team developed event-triggered tasks to evaluate CloudWatch Events. However, these first PoCs were not flexible enough to substitute for other widely used tools. So, after evaluating the viability of other technologies, our team designed a brand new solution, including:
- AWS CloudTrail detailed analysis
- Event monitoring with CloudWatch to match events
- Code execution using AWS Lambda to process AWS events
With this solution, they are able to obtain metrics and event traceability, and therefore can audit for:
- platform intrusions
- attempts to change file permissions
- attempts to change system and application logs
- failed authentication attempts and retries
- changes in CloudTrail configuration
- changes in instances
- changes in AWS Security Group policies
- etc.
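As an added example (not CAPSiDE's code), the following Lambda-style handler shows how a CloudTrail event delivered through a CloudWatch Events rule can be classified into the audit categories listed above; the event-name mapping, the sample envelope and its account id and IP address are constructed assumptions.

```python
import json

# Hypothetical mapping from CloudTrail eventName to the audit categories the post lists
WATCHED_EVENTS = {
    "StopLogging": "cloudtrail-config-change",
    "DeleteTrail": "cloudtrail-config-change",
    "UpdateTrail": "cloudtrail-config-change",
    "AuthorizeSecurityGroupIngress": "security-group-change",
    "RevokeSecurityGroupIngress": "security-group-change",
    "RunInstances": "instance-change",
    "TerminateInstances": "instance-change",
    "ConsoleLogin": "authentication",
}

def classify(detail):
    """Map one CloudTrail record (the 'detail' of a CloudWatch Events envelope) to an audit record."""
    name = detail.get("eventName")
    category = WATCHED_EVENTS.get(name)
    if category is None:
        return None
    if name == "ConsoleLogin":
        # Only failed logins (and their retries) are audit-relevant; responseElements may be null
        if (detail.get("responseElements") or {}).get("ConsoleLogin") != "Failure":
            return None
        category = "failed-authentication"
    return {
        "category": category,
        "eventName": name,
        "eventTime": detail.get("eventTime"),
        "principal": (detail.get("userIdentity") or {}).get("arn"),
        "sourceIp": detail.get("sourceIPAddress"),
        "errorCode": detail.get("errorCode"),
    }

def lambda_handler(event, context=None):
    """Lambda entry point for a CloudWatch Events rule matching CloudTrail API calls."""
    record = classify(event.get("detail", {}))
    if record is not None:
        print(json.dumps(record))  # a real deployment would ship this to a tamper-evident log store
    return record

# Constructed sample envelope, shaped like an "AWS API Call via CloudTrail" CloudWatch event
SAMPLE_STOP_LOGGING = {
    "detail-type": "AWS API Call via CloudTrail",
    "detail": {
        "eventTime": "2017-03-01T10:15:00Z",
        "eventName": "StopLogging",
        "eventSource": "cloudtrail.amazonaws.com",
        "userIdentity": {"arn": "arn:aws:iam::123456789012:user/example-admin"},
        "sourceIPAddress": "203.0.113.10",
    },
}
```

A CloudWatch Events rule filtering on `detail-type` "AWS API Call via CloudTrail" would invoke `lambda_handler` with envelopes of this shape.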
Contact us if you want to know more about this solution and how we can help your eCommerce site become PCI compliant.
TAGS: aws, cloudtrail, Lambda, one-click buy, pci compliance
Comments
We’re a little confused with the PCI subject regarding its compliance in AWS Lambda & DynamoDB.
Are these services compliant?
Do you offer services to develop a gateway using these services and the above mentioned metrics & logs to achieve a server-less compliant service?
Let us know if we’re on track or our comment is not relevant to this post.