Best Practices for PCI Compliance in a Container Environment

The PCI DSS compliance framework dates back to the mid-2000s, well before anyone was talking about containers.

This does not mean, however, that PCI compliance doesn’t affect you if you’re running a containerized environment. Although the PCI DSS framework doesn’t deal in specific detail with containers, a containerized infrastructure presents unique challenges that your organization must solve to remain PCI-compliant.

If you’re starting to sweat, worrying that your containers are not PCI-compliant, fear not. Keep reading for an overview of the best practices that you can follow to keep containerized environments PCI-compliant.

The PCI SSC Cloud Computing Guidelines, which were updated in April 2018, specifically reference Containers (Section E. 7), as well as the NIST SP 800-190, Application Container Security Guide, which Twistlock helped author.

Identify Affected Components

By their nature, containerized environments are composed of many moving parts. Their complexity is especially great if you have multiple microservices comprising your app.

It’s unlikely that all of the containers and microservices in your environment are relevant for PCI compliance. The PCI DSS framework generally applies only to components of your infrastructure or software that play a role in payment processing.

That means that the first and most basic best practice for meeting PCI compliance requirements in a containerized environment is to determine which parts of that environment you need to make compliant. They may include a database that stores payment information or a microservice that transfers payment data from a front-end application to a database, for example.

(When I tell you that the first step in PCI compliance for containers is to identify affected components, I am not, of course, suggesting that you can ignore security or reporting concerns for other environment components. You should secure your entire environment! But as far as PCI compliance and auditing are concerned, you likely do not need to worry about every container or every microservice.)

Establish Baselines

To identify security risks that could have compliance implications, as well as to create an audit trail, it’s important to establish a baseline for your containerized environment. By measuring activity against that baseline, you can detect anomalies.

The challenge here is that in many containerized environments, there is no “normal.” The environments change quickly all the time, so the configuration of a container or the size of your environment under safe conditions is not constant.

That does not mean, however, that you can’t do baselines for containers. You can, but you have to take an approach founded upon the idea of dynamic baselining. This means constantly monitoring your containers to determine how they are changing, updating the baseline accordingly and checking for unexplained outliers that could signal a breach.

Test Configurations Against Compliance Requirements

When it comes to determining which parts of your environment are compliant and which aren’t, you can’t rely on manual investigation to deliver the results you need. Instead, you must automate the process by performing compliance checks.

Compliance checks compare your actual environment and container configurations to those that are specified in compliance frameworks, such as those included in the CIS Benchmarks, and then report inconsistencies. For example, if you are running containers as root—a practice that most auditors would deem to be out of compliance with PCI DSS’s requirements involving disabling unnecessary access to sensitive components—platforms that check for these types of misconfigurations can notify you of noncompliance and pinpoint where the issue impacts a specific environment.

Secure Your Networks

Another particularly challenging characteristic of container environments is the fact that they tend to have so many internal and external network connections. Since securing services and protocols is a central requirement of PCI DSS, it’s important to ensure that all of those network connections (yes, even those used only for internal communication) are properly secured.

Intercontainer networking is software-defined, and can be opaque when you’re not using the right tools. Even so, the same basic network security principles still apply. Services should have a unique identity, and those identities should be validated when one service connects to another with something like mutual TLS. Traffic flowing over intercontainer connections should be encrypted. And you should implement and enforce policies that explicitly define how services can talk to each other to mitigate lateral movement by an attacker (for example, front-end container can talk to broker-container, but not directly to db-container). Tools such as Istio can help you enable these capabilities, but you still need to ensure you’re using strong configurations that are evenly and continuously enforced across your environment.

Don’t Forget the Orchestrator!

Container security and compliance doesn’t end with containers. You also need to ensure that you are monitoring and properly reporting on the security state of your orchestrator—whether that is Kubernetes, Swarm or an orchestrator provided by a cloud vendor.

If you can’t prove that your orchestrator remained secure, you can’t demonstrate that attackers did not take control of your container environment and the payment data moving through it.

Think Beyond Containers

Along similar lines, remember that your containers may interact with other parts of the infrastructure when processing payments. You might store data in a cloud-based database service, or you may use serverless functions to help process payments.

Whatever you do, ensure that you are securing and creating compliance reports for any part of the infrastructure that your containers interact with when handling payment data. In other words, even if you’re focused on PCI compliance for containers, don’t overlook the fact that compliance requirements don’t end with your containers themselves.

Further Reading

The PCI compliance best practices covered above represent only a sampling of what you should know about PCI compliance if you run containers. Reference materials such as Twistlock’s “Guide to PCI Compliance for Containers” can help answer any remaining questions and better shed light on ensuring containers are PCI-compliant.

John Morello

John Morello is the Chief Technology Officer at Twistlock. As CTO, John leads the work with strategic customers and partners and drives the product roadmap. Prior to Twistlock, John was the CISO of Albemarle, a Fortune 500 global chemical company. Before that, John spent 14 years at Microsoft, in both Microsoft Consulting Services and product teams. He ran feature teams that shipped security technologies in Windows, Azure, and Office 365 and served as the Lead Architect of the hybrid cloud consulting team for the Americas. A self-proclaimed "public school guy," John is passionate about building out more modern curricula for cybersecurity. In fact, in May 2018 he established a Twistlock outpost at Lousiana State University’s Innovation Park in order to pay off this vision. John lives in Louisiana with his wife and two young sons. A passionate fisherman and scuba diver, he also serves as Chairman of the Coalition to Restore Coastal Louisiana.

John Morello has 3 posts and counting. See all posts by John Morello