PCI Compliance for Containers and the Cloud
The Payment Card Industry Data Security Standard – also known as PCI DSS, or sometimes just PCI – originated in 2004, long before most people were thinking about containers and the cloud.
But just because PCI controls predate modern technology doesn’t mean they don’t apply to it. On the contrary, ensuring that containers and cloud services are deployed in a PCI-compliant fashion is critical for any business that is subject to PCI rules – which, in general, means any business that deals with credit card transaction data in any way.
This article explains everything you need to know to ensure that your container- and cloud-based workloads meet PCI DSS compliance rules. It explains what PCI compliance means, where it applies, and how to design cloud-native workloads in ways that align with PCI requirements.
What Is PCI Compliance?
PCI compliance refers to a set of rules established by major credit card companies to govern data associated with credit card payment transactions. It’s overseen by the Payment Card Industry Security Standards Council, an independent industry organization that oversees the PCI compliance framework and updates it periodically.
The current version of the PCI DSS rules, which were last updated in May 2018, is version 3.2. However, a major overhaul of the framework is expected to arrive in 2022 in the form of PCI DSS 4.0. The official PCI DSS documents are available from the PCI Security Standards Council library.
Who Has to Follow PCI Compliance Requirements?
Unlike many other compliance requirements, PCI doesn’t apply only to companies of a certain size or those that manage a certain amount of relevant data. It’s also not limited to certain types of technology or political jurisdictions.
Thus, if your business manages credit card transactions or the data associated with them in any way, the PCI rules apply to you. It doesn’t matter where your business is based, how large your business is, or which types of workloads you run. If credit card transactions or data touch your systems in any way, you need to follow PCI compliance requirements.
Failure to adhere to PCI rules results in non-compliance fees and fines, which are assessed by individual credit card companies. Fines vary, but they can be very steep: major security breaches may result in compliance fines of $500,000 or more.
It’s worth noting that, because many of the PCI requirements overlap with those of regulatory compliance rules (like GDPR and CPRA), failure to follow the PCI requirements could lead to trouble with government regulatory authorities, too. Thus, although PCI DSS is itself designed and administered by an industry group rather than a government agency, it bears important implications for businesses that are subject to government compliance mandates, too.
What Are the PCI Compliance Rules?
Although the various versions of PCI DSS vary somewhat in their requirements, they boil down to a core set of rules that businesses are required to follow when designing, implementing, and managing systems that play a role in processing credit card transactions.
The major PCI rules include:
- Network security: Businesses must plan and enforce network security defenses.
- Data security: Sensitive data associated with credit card transactions – including not just credit card numbers but also cardholder data like names and addresses – must be stored in a secure way.
- Vulnerability management: Businesses must design and follow rules for detecting and addressing security issues across all layers of their environments.
- Testing and auditing: Security tests and audits must be performed regularly.
- Access control: Access controls must be in place across all IT resources to mitigate the risk of unauthorized access to sensitive data and systems. Access controls must also be in place for physical systems.
- Security policies: Businesses must establish security policies that apply to their internal teams, as well as to any contractors or vendors they work with.
PCI DSS, Containers, and the Cloud
The PCI requirements are designed to be broad and applicable to any type of technology or IT environment. They don’t mention containers or cloud environments, let alone make specific recommendations about how containers or cloud resources should be configured in order to meet PCI compliance rules.
Instead, responsibility for interpreting the PCI rules in the context of container- or cloud-based environments lies with businesses. And while the exact nature of PCI compliance efforts will vary depending on what your containerized or cloud environment looks like, the following are key best practices to bear in mind when managing applications or infrastructure that include containers or the cloud.
Container PCI Compliance
In some respects, containers simplify PCI compliance because they isolate workloads from each other, which helps meet some of the PCI compliance rules associated with network security and access control.
That doesn’t mean, however, that simply deploying workloads inside containers ensures PCI compliance. On the contrary, you’ll want to take a variety of additional steps to prevent PCI-related compliance problems when running containers:
- Network isolation: Isolate each container from accessing resources on the network unless it specifically needs to access them. You can enforce network isolation using network policies in Kubernetes (if you use Kubernetes), or via iptables or another OS-level firewall framework.
- Container access control: Each container should only be able to access the external processes, storage, and other resources it strictly requires. Prevent containers from running in privileged mode, and take full advantage of frameworks like Kubernetes RBAC and security contexts to lock down your containers.
- Host access control: Be sure, too, to enforce strong access controls within the operating systems of the servers that host your containers. The way you do this will depend on the specific OS you use and how your servers are designed. But in general, you’ll want to do things like disable unnecessary user accounts, block SSH access from the public Internet, and close unnecessary open ports.
- Container security updates: To meet PCI vulnerability management rules, make sure that your container orchestrator, runtime, and host operating systems are up-to-date.
- Container image scanning: Scan your container images prior to deployment to detect malware or insecure components.
- Container security monitoring: Monitor your containerized application environment for signs of breaches in real time.
- Container environment auditing: Perform audits on a regular basis (such as every quarter – or, even better, continuously) to detect and address insecure configurations. Resources like the Kubernetes auditing framework are helpful for this task, as are strategies like auditing the IaC templates you use to provision your clusters.
- Establish container governance rules: Create security and governance rules that define how your teams can use container environments. For example, determine which workloads are allowed to share a namespace and which procedures to follow when publishing container images to a registry.
Cloud PCI Compliance
Cloud PCI compliance is a little complicated due to the shared responsibility model under which public cloud providers operate. Shared responsibility implies that cloud providers are responsible for meeting some PCI compliance rules, such as ensuring physical security for their data centers and auditing their backend infrastructure for security issues.
However, beyond ensuring that your cloud provider meets basic PCI compliance rules (and all of the major cloud providers do), the bulk of the responsibility for cloud PCI compliance lies with businesses that use the cloud. In this regard, you’ll want to adhere to these practices:
- Use cloud IAM: Enforce granular access control using your cloud providers’ Identity and Access Control (IAM) framework. IAM policies should enforce the principle of least privilege, which means that each user and resource can access only the specific resources it requires.
- IAM auditing: Automatically scan your IAM templates to detect misconfigurations that could create security issues.
- Cloud network isolation: Using tools like cloud VPCs, isolate workloads within your cloud environment at the network level.
- Cloud storage access control: Use IAM policies to prevent unauthorized access to data stored in the cloud.
- Cloud data discovery: Consider using cloud data loss prevention tools to help you discover sensitive data within your cloud storage buckets, databases, and file systems. These tools can detect data such as credit card numbers in locations where you may not realize it’s being stored.
- Cloud auditing: Perform regular or continuous audits of your cloud environment to identify misconfigurations that may lead to security breaches. Some cloud vendors offer native auditing services for this purpose, but you may find it more convenient to use a third-party solution that can audit multiple cloud environments (or cloud environments and on-prem environments) at once.
- Cloud governance: Establish governance policies to control how your business provisions workloads in the cloud. Address questions such as: Which employees can create which types of cloud resources? When can employees or teams share a cloud account, and when should workloads run under separate accounts? Which tagging policies do users need to follow when creating workloads to minimize the risk that cloud resources will be spun up and then forgotten (which not only wastes money but also increases security risks because unmonitored cloud resources are ripe for attack)?
PCI DSS is a complex topic, and there is no one simple rule to follow to ensure PCI compliance for containers and cloud-based workloads. Every business’s approach to PCI compliance will be unique.
In general, however, PCI compliance for containers and the cloud boils down to two simple concepts. First, you need to use the tools available to you – like Kubernetes RBAC tooling and cloud IAM frameworks – to ensure that your workloads are as secure as possible from the start. Next, you must deploy security monitoring and auditing tools to detect security issues that arise within your environments despite your careful planning.
By taking steps to create environments that are secure by default while also monitoring continuously for vulnerabilities, you maximize your ability to comply with PCI’s various mandates surrounding network and data security, vulnerability management, access controls, and auditing.