Containers and PCI DSS: 10 requirements financial services must follow
For financial services businesses 1) under the purview of the Payment Card Industry Data Security Standard (PCI DSS) and 2) now taking advantage of container-based microservices architectures, ensuring PCI DSS compliance requires particularly specialised security and governance measures to prevent cardholder data breaches.
Fortunately, many of the isolation and protection measures PCI DSS calls for are a natural fit for container technology. For example, PCI DSS requires separate servers each responsible for implementing just a single primary function – a rule congruent with optimal microservices architectures in which each container provides a single function. Similarly, PCI DSS demands services and protocols only be enabled if absolutely necessary, paralleling the narrow functionality-by-design intrinsic to containers.
However, PCI DSS also requires network segmentation to limit the scope of the Cardholder Data Environment (CDE), together with close monitoring and security controls. These requirements can present a challenge to financial services firms now leveraging containers. By their nature, containers are created rapidly and dynamically to serve their purpose, and a container’s lifetime is often measured in minutes. Additionally, the majority of container traffic occurs as internal “east-west” communication among containers.
Because of these factors, traditional security solutions and firewalls designed to defend systems against threats arriving via external traffic are completely ineffective against an attack launched from inside the containerised environment. To protect these environments, security and monitoring tools must be capable of reacting to evolving attacks in real time.
Leveraging containers can grow the size of the CDE as well, requiring protections to cover the entirety of microservices environments. While it’s tempting to address this issue by physically separating out a container environment that’s within the CDE scope, this approach eliminates many of the advantages of automated DevOps CI/CD pipelines. That route will ultimately slow release cycles and reduce resource optimisation. The stronger approach is to utilise a cloud-native container firewall strategy with the capabilities to fully visualise (and precisely control) the CDE scope while delivering secure network segmentation without tradeoffs.
For financial services businesses now committed to (or planning a migration to) microservices and containers, here are the 10 PCI DSS compliance requirements that must be observed (and how best to do it):
#1: PCI DSS 1.2, 1.3 – Protect cardholder data with an effective firewall
PCI DSS requires every connection linking the CDE with outside networks to be identified on a network diagram. The flow of all cardholder data must be diagrammed as well, and the diagram must be kept current. It is also necessary to implement a firewall that blocks direct public access to the CDE and fully segments in-scope CDE traffic from all connections that are not required.
As mentioned, traditional firewalls fall well short of PCI DSS compliance when applied to container environments and cloud-native applications. The correct strategy is to introduce a container firewall built for the environment it protects: one with the ability to discover, monitor, and secure all containers and traffic automatically and in real time. The firewall also needs to enforce micro-segmentation to separate CDE workloads from all others, with policies that prevent any insecure internal or external connection to the CDE.
Pay special attention to how firewall rules are configured, displayed, and reported for auditing purposes. Ideally, Security Policy as Code should be used in the form of Kubernetes custom resource definitions (CRDs), which automate and version-control these rules.
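As an added illustration (not part of the original article or of any vendor's product), the segmentation rules described above expressed as standard Kubernetes NetworkPolicy objects, which can be version-controlled and reviewed like any other code. The namespaces cde and edge, the labels app=card-tokeniser and app=payment-gateway, the TLS port 8443, and the automatic kubernetes.io/metadata.name namespace label (Kubernetes 1.21 and later) are assumptions.

```yaml
# Assumed: in-scope pods run in namespace "cde"; the public-facing gateway runs
# in namespace "edge" with the label app=payment-gateway.
# Policy 1: default-deny. Every pod in the CDE starts with no ingress or egress.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: cde-default-deny
  namespace: cde
spec:
  podSelector: {}
  policyTypes: [Ingress, Egress]
---
# Policy 2: the tokeniser accepts traffic only from the gateway, only on its TLS
# port, and may itself talk only to cluster DNS. Everything else stays denied.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: cde-tokeniser-allowlist
  namespace: cde
spec:
  podSelector:
    matchLabels:
      app: card-tokeniser
  policyTypes: [Ingress, Egress]
  ingress:
    - from:
        # namespaceSelector and podSelector in one list item are ANDed:
        # the peer must be a payment-gateway pod in the edge namespace.
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: edge
          podSelector:
            matchLabels:
              app: payment-gateway
      ports:
        - protocol: TCP
          port: 8443
  egress:
    - to:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: kube-system
          podSelector:
            matchLabels:
              k8s-app: kube-dns
      ports:
        - protocol: UDP
          port: 53
```

NetworkPolicy objects are enforced only when the cluster's CNI plugin implements them; on a CNI that does not, the API server accepts the manifests but no traffic is blocked, so verify enforcement (for example by attempting a connection from a pod that is not on the allow list) before relying on it for scope reduction.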
#2: PCI DSS 2.1 – Change all default vendor passwords and accounts, harden systems, and encrypt admin access
PCI DSS disallows the use of vulnerable security defaults while requiring system-hardening practices in-line with industry standards, strong encryption on non-console admin access, and a well-maintained inventory of all components subject to PCI DSS compliance.
Those with container environments can get help meeting these requirements by running Docker Bench for Security or the CIS Kubernetes Benchmark checks. These tools produce reports that flag any defaults requiring removal, system-hardening needs, or other gaps that must be closed to meet the standard. Encryption tools should be implemented as well, paired with solutions able to recognise and block any unencrypted traffic destined for the CDE. Host and container security parameters should also be verified using customised compliance checks.
#3: PCI DSS 3.1-3.7 – Encrypt and restrict access to cardholder data
PCI DSS-compliant businesses must encrypt cardholder data itself with strong cryptographic keys, and control access to those keys through robust and carefully documented procedures and restrictions. Container orchestration platforms like Kubernetes, Docker EE, Red Hat OpenShift, and others offer key and secrets management tools well-suited to meeting these requirements.
A container firewall can ensure that only encrypted connections reach web front-end containers and that internal access is likewise encrypted. For greater cardholder data security, data loss prevention (DLP) monitoring tools can be used to oversee container environments and detect any cardholder data that is not encrypted.
#4: PCI DSS 4.1 – Encrypt cardholder data in transmission over open public networks.
PCI DSS requires businesses to secure all cardholder data transmitted over open networks by using robust cryptography and security protocols. Businesses must also accept only keys and certificates that can be verified as trusted, restrict protocols to secure versions and configurations only, and prevent unprotected primary account numbers (PANs) from being transmitted over email, instant messaging, SMS, chat, or any other common messaging technology.
For businesses utilising containers, these requirements call for implementing a container firewall to block any connections that are unencrypted or unauthorised (such as connections from common messaging technologies), while whitelisting secure SSL/TLS connections automatically. Leveraging DLP monitoring of network transmissions offers the advanced ability to detect unencrypted cardholder transmissions and continually verify compliance. DLP inspection can also detect unauthorised leakage of cardholder data even in encrypted transmissions, by inspecting the network payload before it is encrypted and sent externally.
#5: PCI DSS 5.1, 5.2 – Implement anti-virus protections
PCI DSS requires that PCs, servers, and all other systems at risk from malware and viruses must have anti-virus solutions in place. Further, the anti-virus solutions need to be up-to-date, active, and secured such that they can only be disabled or altered with authorisation (and only for specific limited purposes).
Financial services organisations using containers should leverage orchestration tools to continuously guarantee that security measures are active. Container firewalls able to detect any file system activity that raises suspicion – while virtually patching systems and keeping them updated – are advisable. Additionally, cloud-native environments are increasingly adopting “zero-trust” declarative security that characterises and locks in the expected behaviour of applications, increasing the accuracy of anomaly detection and runtime security. These whitelist-based protections are replacing traditional signature-based scanning systems, which go out of date quickly and produce high false-positive rates.
#6: PCI DSS 6.1-6.7 – Build and maintain secure systems and applications
PCI DSS requires that every system and application in the CDE scope is carefully secured throughout development as well as in production. All identified vulnerabilities and security updates must be attentively addressed, and change control processes and procedure rules must be in place and adhered to.
Businesses with container environments must implement security measures that span the full build-ship-run application lifecycle. To do so, integrate container security throughout each and every stage of the CI/CD pipeline.
#7: PCI DSS 7.1-7.3 – Ensure that access to cardholder data is need-to-know only
Only financial services employees who require cardholder data to complete their work should have access to cardholder data – no one else. Implementing effective access control systems to enforce those restrictions is a PCI DSS requirement.
The role-based access control (RBAC) available in Kubernetes, OpenShift and other orchestration tools facilitates meeting this requirement, as do LDAP, Active Directory (AD) and other enterprise identity services. Note that the security and DevOps teams responsible for monitoring and safeguarding container environments should never have access to view actual cardholder data.
#8: PCI DSS 8.1-8.8 – Authenticate all users accessing the CDE
PCI DSS requires robust user identification management, featuring unique IDs and multi-factor authentication for all individual access to the CDE. Businesses can implement these safeguards for container environments through RBAC, enterprise LDAP or AD, or standards such as SAML and OAuth for single sign-on (SSO).
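As an added example serving both #7 (need-to-know access) and #8 (authenticated, individually identified users), and not taken from the original article, a Kubernetes Role and RoleBinding that let an operations team observe CDE workloads without ever being able to read Secrets or exec into a pod. The namespace cde and the group name cde-devops are assumptions; the group is expected to be supplied by the enterprise identity provider (OIDC or LDAP), so every member authenticates with their own unique ID and MFA at the provider rather than with a shared cluster credential.

```yaml
# Assumed: in-scope workloads live in namespace "cde"; the group "cde-devops"
# is asserted by the identity provider in each user's token.
# Role: observe workloads, never read Secrets, never exec into pods.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: cde-observer
  namespace: cde
rules:
  - apiGroups: [""]
    resources: ["pods", "pods/log", "services", "endpoints", "events"]
    verbs: ["get", "list", "watch"]
  - apiGroups: ["apps"]
    resources: ["deployments", "replicasets"]
    verbs: ["get", "list", "watch"]
  - apiGroups: ["networking.k8s.io"]
    resources: ["networkpolicies"]
    verbs: ["get", "list", "watch"]
  # Deliberately absent: "secrets", "pods/exec", "pods/portforward" and every
  # write verb. Kubernetes RBAC is allow-only, so leaving them out denies them.
---
# Binding: attach the Role to the identity-provider group, not to individuals,
# so joiners and leavers are handled in the directory rather than in the cluster.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: cde-observer-devops
  namespace: cde
subjects:
  - kind: Group
    name: cde-devops
    apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: cde-observer
  apiGroup: rbac.authorization.k8s.io
```

The pods/log permission is included on the assumption that in-scope applications mask PANs in their logs; if that cannot be guaranteed, remove it as well. Check the result with `kubectl auth can-i get secrets -n cde --as=alice --as-group=cde-devops`, which should answer "no".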
#9: PCI DSS 10.1-10.9 – Monitor all access to cardholder data and network resources
In PCI DSS compliant environments, audit trails must be available that track and specifically detail all system access events and related user actions. The security of audit trails is crucial as well: they must be protected from any possible alterations, and must be reviewed regularly to check for dangerous activities or anomalies.
In containerised environments, these measures should be introduced using security systems featuring appropriate event logging capabilities that include event reconstruction and SIEM system compatibility.
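As an added example that is not from the original article, a Kubernetes API server audit policy that records every access in the CDE namespace in enough detail to reconstruct the event, while keeping key material out of the trail. The namespace cde is an assumption.

```yaml
# Assumed: in-scope workloads run in namespace "cde". Rules are evaluated in
# order and the first match wins, so the Secrets rule must stay at the top.
apiVersion: audit.k8s.io/v1
kind: Policy
# Drop the RequestReceived stage so each request is not recorded a second time.
omitStages:
  - RequestReceived
rules:
  # Secrets hold keys and tokens: record who touched which Secret and when,
  # but never the object body, which would copy key material into the log.
  - level: Metadata
    resources:
      - group: ""
        resources: ["secrets"]
  # Every change inside the CDE keeps full request and response bodies so the
  # event can be reconstructed during the mandatory log review.
  - level: RequestResponse
    namespaces: ["cde"]
    verbs: ["create", "update", "patch", "delete"]
  # Reads and subresource calls (exec, port-forward) in the CDE keep the request.
  - level: Request
    namespaces: ["cde"]
  # Everything else in the cluster: record that it happened and by whom.
  - level: Metadata
```

The policy is loaded through the API server's --audit-policy-file flag; forward the resulting log (--audit-log-path or an audit webhook) to the SIEM on a system the cluster's own administrators cannot modify, since the requirement is that the trail survives tampering in the environment it records.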
#10: PCI DSS 11.1-11.6 – Test security systems and processes regularly
As part of PCI DSS compliance, financial services businesses must perform network vulnerability scanning at least every quarter, and then again in the aftermath of any significant alterations to the network. Traffic must be monitored along the network perimeter and within the CDE at key points, and protected with network intrusion detection and prevention safeguards. Compliance requires that change detection is in place and delivering alerts if any unauthorised changes to critical files occur. A container firewall should be present that performs active vulnerability and threat scanning of external and internal traffic, and is able to detect and respond to intrusions or anomalies automatically.
Ensuring PCI DSS-compliant container environments means taking a careful approach to fulfilling each of the above requirements. By implementing security strategies appropriate to the environment, financial services businesses can realise the full benefits of container and microservices modernisation, while still serving as trustworthy caretakers of cardholder data.