It’s Time for a PCI Compliance Overhaul
The Payment Card Industry Data Security Standard (PCI DSS) dates back to the late 1990s. In 1999, Visa decided it had to take action against its credit card fraud losses, which had reached $750 million. Visa's solution was the Cardholder Information Security Program (CISP), and the company became the first brand to publish a set of security standards for organizations conducting online transactions. Over the next five years, other card brands struggled to meet Visa's standards and to enforce unified security policies. Tensions rose, and online revenues continued to suffer from fraud, which had grown to as much as $1.5 billion.
Fast forward five years to December 15, 2004. This date probably doesn’t ring any bells in the minds of everyday consumers, but for merchants, it was a significant day in terms of security and compliance. On this day, PCI DSS 1.0 debuted as the first security standard accepted by the top five credit card brands, who banded together to make it mandatory for merchants and companies in the payment processing ecosystem. Two years later, Visa, MasterCard, JCB, Discover and American Express launched the Payment Card Industry Security Standards Council (PCI SSC). Its purpose was to oversee the Payment Card Industry (PCI) security standards and better secure the transaction process for all companies that accept, transmit or store cardholder data.
Not much has changed since the PCI standards were first introduced more than a decade ago. They were written for a world that was far more static and manually operated, with long-lived servers that were configured by hand in order to secure information. PCI standards haven't adapted to today's evolving technology, containerization in particular. With roughly 25% of enterprises using containers, the technology is gaining popularity among developers as a way to build, ship and deploy applications quickly and effectively. Containerization is a dynamic technology that lets developers create and update their infrastructure and applications frequently. But the current PCI standards offer no clear, authoritative voice on how to approach containerization, and as more organizations adopt the technology, the need for prescriptive guidance on implementing PCI standards in container environments continues to grow. So what does this mean for merchants?
It's critical that merchants who use containers understand how to achieve and maintain PCI compliance. Fortunately, there are processes and strategies developers can adopt to ensure compliance is achieved in a containerized environment:
- Enforcement tools: A tool that monitors for PCI compliance is useful, but a tool that monitors and actively enforces the standards is better. Security teams should have a tool that prevents them from inadvertently deploying a workload that does not meet PCI requirements. Instead of scanning and alerting on problems after an app has been deployed, enforcement tools should establish baseline requirements and enforce them on every deployment, so that a non-compliant workload is rejected rather than merely reported. That keeps organizations in front of the problem and protects the company.
- Integrate security from the start: To obtain compliance in containerized environments, developers must integrate compliance and security from the beginning of the development lifecycle. This matters more with containers than with traditional servers because a container image is an immutable artifact: you do not patch or reconfigure a running container in production the way you would a long-lived host. The image that is built and tested in development is the same image that runs in production, so the compliance profile and security standards must be enforced from the start of development in order to catch problems early. Concretely, developers should wire these checks into the build pipeline, such as their continuous integration and continuous delivery tools.
- Orchestration is key: When developers are ready to deploy a container workload, they should make it a priority to use an orchestration tool. Orchestration lets the deployment process run rapidly and efficiently, and it should scale across hundreds or thousands of machines rather than a handful in order to provide the necessary automation. Orchestration also gives developers control at the environment level, rather than at the level of individual containers, pods or nodes, which would be too difficult to secure one by one.
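As an added example (not code from the original article, and not Twistlock's product or its policy language), here is one way the three strategies above fit together: a single baseline check that runs once as a CI gate, which fails the build, and once as a Kubernetes validating-admission decision in AdmissionReview v1 form, which denies the object at deployment time. Both paths enforce rather than alert, and both evaluate the same artifact, which is why the check insists that images be pinned by digest. The rules (digest-pinned image, no privileged containers, non-root, read-only root filesystem, no privilege escalation, no host namespaces) are an assumed hardening baseline chosen for illustration, not the text of any PCI DSS requirement, and the manifests are constructed samples.

```python
"""Baseline policy gate: the same check as a CI step and as an admission decision."""
import re
from typing import Any, Dict, List

# Images must be pinned by digest so the artifact tested in CI is byte-for-byte the
# artifact admitted to production. A mutable tag such as ":latest" breaks that link.
DIGEST_RE = re.compile(r"^[^@\s]+@sha256:[0-9a-f]{64}$")


def check_container(c: Dict[str, Any]) -> List[str]:
    """Return baseline violations for one container spec (empty list if clean)."""
    name = c.get("name", "<unnamed>")
    image = c.get("image", "")
    sc = c.get("securityContext") or {}
    violations = []
    if not DIGEST_RE.match(image):
        violations.append(f"{name}: image '{image}' is not pinned by sha256 digest")
    if sc.get("privileged", False):
        violations.append(f"{name}: privileged container")
    if sc.get("runAsNonRoot") is not True:
        violations.append(f"{name}: runAsNonRoot is not true")
    if sc.get("readOnlyRootFilesystem") is not True:
        violations.append(f"{name}: readOnlyRootFilesystem is not true")
    if sc.get("allowPrivilegeEscalation", True):  # Kubernetes default is true
        violations.append(f"{name}: allowPrivilegeEscalation is not false")
    return violations


def pod_spec_of(manifest: Dict[str, Any]) -> Dict[str, Any]:
    """Locate the pod spec inside a Pod or a workload that carries a pod template."""
    kind = manifest.get("kind")
    if kind == "Pod":
        return manifest["spec"]
    if kind in ("Deployment", "StatefulSet", "DaemonSet", "Job", "ReplicaSet"):
        return manifest["spec"]["template"]["spec"]
    raise ValueError(f"unsupported kind: {kind}")


def check_manifest(manifest: Dict[str, Any]) -> List[str]:
    """Pod-level rules first, then every init container and container."""
    spec = pod_spec_of(manifest)
    violations = []
    for key in ("hostNetwork", "hostPID", "hostIPC"):
        if spec.get(key):
            violations.append(f"pod shares a host namespace ({key}: true)")
    for c in spec.get("initContainers", []) + spec.get("containers", []):
        violations.extend(check_container(c))
    return violations


def ci_gate(manifests: List[Dict[str, Any]]) -> int:
    """CI step: report every violation and return a non-zero exit status if any."""
    failed = 0
    for m in manifests:
        name = m.get("metadata", {}).get("name", "?")
        for v in check_manifest(m):
            print(f"DENY {name}: {v}")
            failed = 1
    return failed


def admission_response(review: Dict[str, Any]) -> Dict[str, Any]:
    """Validating-admission decision: deny the object rather than log and admit it."""
    req = review["request"]
    violations = check_manifest(req["object"])
    response: Dict[str, Any] = {"uid": req["uid"], "allowed": not violations}
    if violations:
        response["status"] = {"code": 403, "message": "; ".join(violations)}
    return {"apiVersion": "admission.k8s.io/v1", "kind": "AdmissionReview", "response": response}


# Constructed sample manifests (hypothetical registry and digest, not real images).
GOOD_DIGEST = "sha256:" + "0123456789abcdef" * 4
BAD_DEPLOYMENT = {
    "apiVersion": "apps/v1", "kind": "Deployment", "metadata": {"name": "checkout"},
    "spec": {"template": {"spec": {
        "hostNetwork": True,
        "containers": [{"name": "checkout",
                        "image": "registry.example.com/payments/checkout:latest",
                        "securityContext": {"privileged": True}}],
    }}},
}
GOOD_DEPLOYMENT = {
    "apiVersion": "apps/v1", "kind": "Deployment", "metadata": {"name": "checkout"},
    "spec": {"template": {"spec": {
        "containers": [{"name": "checkout",
                        "image": f"registry.example.com/payments/checkout@{GOOD_DIGEST}",
                        "securityContext": {"runAsNonRoot": True,
                                            "readOnlyRootFilesystem": True,
                                            "allowPrivilegeEscalation": False}}],
    }}},
}

if __name__ == "__main__":
    raise SystemExit(ci_gate([BAD_DEPLOYMENT, GOOD_DEPLOYMENT]))
```

Run as a script it behaves as the CI gate and exits 1 because the first manifest fails six checks; wired behind an HTTPS endpoint, `admission_response` returns the JSON a Kubernetes ValidatingWebhookConfiguration expects. The point of sharing `check_manifest` between the two is that a workload cannot reach production having been checked against a different rule set than the one its image was built against.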
While the PCI DSS remains focused on traditional infrastructure and operational models, developers and merchants who have the proper guidance can still achieve and maintain PCI compliance in a containerized environment. The strategies above are a good start; Twistlock also offers a PCI Compliance Guide written specifically for developers working with containerized workloads. Check it out here.