PCI compliance in Kubernetes environments

Build and maintain secure applications to protect cardholder data and achieve PCI compliance

Download Guide


The Payment Card Industry Data Security Standard (PCI-DSS) is a global standard for protecting payment card data and outlines the minimum security requirements for cardholder data. PCI DSS applies to all system components within or attached to the cardholder data environment (CDE). The CDE can be broadly defined as all the people, processes, and technologies that store, process, or transmit cardholder data.

The PCI DSS includes requirements for security management, policies, procedures, network architecture, software design, and other critical areas relating to handling of payment card data in the CDE. PCI DSS comprises 12 general requirements intended to achieve six primary goals.

  1. Build and maintain a secure networks system

1 - Install and maintain a firewall configuration to protect cardholder data

2 - Do not use vendor-supplied defaults for system passwords and other security parameters

  1. Protect cardholder data

3 - Protect stored cardholder data

4 - Encrypt transmission of cardholder data cross open, public networks

  1. Maintain a vulnerability management program

5 - Protect all systems against malware and exploits, and regularly update anti-virus software or programs

6 - Develop and maintain secure systems and applications

  1. Implement strong access control measures

7 - Restrict access to cardholder data by business based on need-to-know

8 - Identify and authenticate access to system components

9 - Restrict physical access to cardholder data

  1. Regularly monitor and test networks

10 - Track and monitor all access to network resources and cardholder data

11 - Regularly test security systems and processes

  1. Maintain an information security policy

12 - Maintain a policy that addresses information security for all personnel

Compliance challenges

Containers are small, self-contained packages of application code and resources, isolated from one another on the underlying host machine. This architecture lends itself very well to upholding the principle of least privilege in that these smaller, more easily composable software building blocks minimize exposure to attack. However, containers and Kubernetes introduce several security use cases relevant to the security standards outlined by PCI.

Containers run on an underlying host and operating system. If an attacker successfully compromises the host OS, the containers running on top may be compromised or killed. Unlike with virtualization, containers include no hypervisor to isolate the host OS from a guest OS.

Additional risks include:

The risk from vulnerabilities in images, running deployments, and Kubernetes

Containers are built from images, and if a deployment is running a container built from a vulnerable image, it could lead to a cluster compromise. Even “clean” images may be vulnerable by the time of deployment into a production environment. Kubernetes itself has also been known to contain serious vulnerabilities.

The risk from misconfigurations

Configurable elements include Kubenetes Role-Based Access Control (RBAC), runtime privileges, network settings, secrets usage, and others.

Achieving PCI compliance with StackRox

The StackRox Kubernetes Security Platform protects cloud-native applications across the entire container life cycle. The platform discovers your full Kubernetes environment, ensures assets comply with industry regulations, best practices, and security policies, and identifies and stops malicious actors. StackRox provides unique capabilities to make a Kubernetes environment PCI DSS compliant. These features include:

  • Automated vulnerability scanning during image build and runtime with comprehensive CI/CD integration
  • Real-time network diagram indicating authorized and unauthorized data flows between containers in the CDE and to/from the CDE to external networks
  • Automated response capabilities to shut down containers that are violating policy
  • Support for only one function per container. StackRox’s multi-factor risk profiling is designed to uncover risky behaviors such as running multiple functions per container or orchestrator deployment
  • Minimizing functionality and flagging new container functionality to enforce drift prevention. StackRox uses introspection technology to identify new functionality, providing actionable guidance to security operators to quickly detect any unnecessary processes, files, and packages
  • Going beyond AV and anti-malware. StackRox uses machine learning, advanced risk profiling, and attack detection (i.e., foothold, persistence, privilege escalation, movement, and objectives) with corresponding response to detect malicious activity

Download Guide: PCI Compliance in Kubernetes Environment

Download Now