23 January 2017

Complying with PCI database requirements in Laravel on AWS

Image: pexels.com
I'm busy with the self assessment questionnaire for PCI compliance.  Part of the database requirements are that cardholder data are encrypted at rest as well as in transit.

I host with Amazon RDS and use Laravel so my life is made pretty easy.

Amazon RDS natively supports encrypted connections and also lets you create a database that is stored on an encrypted backing instance.  If you've enabled this option then all that you need to do is make sure that you connect to the database using an encrypted connection.

I'm not getting paid anything for saying that I really enjoy using RDS, but today is another occasion when I'm really happy that I didn't have to sit and install certificates and fiddle with a cluster configuration to enable SSL connections.  The "zero config" that comes with RDS saves time and money.

Laravel was really easy to configure to use SSL.  All that you need to do is download the RDS certificate chain from https://s3.amazonaws.com/rds-downloads/rds-combined-ca-bundle.pem and amend your database configuration to use it when connecting.

I saved the pem file into storage/app/mysql_ssl_certificate and then amended my app/database.php to look like this:

Now I can use a command like var_dump(DB::select(DB::raw("SHOW STATUS LIKE 'SSL_CIPHER'"))); to check that I'm connected with SSL.

I also decided that although PCI compliance doesn't actually demand that you encrypt the data in the database I would rather take the performance hit and protect my user details.  I don't use them terribly often so the overhead of decrypting them when I do seems worth the effort to avoid the reputational damage my company would suffer if it leaked user details.

Again this is very easy to accomplish with Laravel.  I just implemented a trait which I can selectively apply to any of my entities that I want to protect.  So now if the application is breached and nasty people run off with my database at least they'll need to have the application key if they hope to read my users details.


Tip