The PCI Security Standards Council has published a new Information Supplement: Guidance for Containers and Container Orchestration Tools. This document was produced by the 2021 Special Interest Group (SIG), whose members contributed their expertise and shared experience in applying best practices to containers and container orchestration tools for payment systems.
Organizations are increasingly adopting container technology to scale, secure, and rapidly deploy the applications used in their payment systems. While containers and container orchestration tools may offer advantages in cost, performance, manageability, and security over traditional hardware-based deployment models, their use is not without security risks. Whether containerization technology is secure in practice depends on implementing and operating it according to a set of industry-accepted best practices. This document provides guidance on best practices to consider when securing containers and container orchestration tools by providing:
- Background information on containers and container orchestration tools necessary for understanding the application of best practices.
- Identification of some of the threats that may be directed at containers and container orchestration tools in a payment system.
- Security best practices that may be employed to address the threats posed to these systems.
- Use case-based examples of some of the threats, and the use of the best practices to address those threats.
Read the Information Supplement here.
This information supplement resulted from a PCI SSC Special Interest Group. Special Interest Groups (SIGs) are community-driven initiatives that focus on payment security challenges related to PCI Security Standards. SIGs promote collaboration between industry representatives, subject matter experts, the Council, and the Participating Payment Brands to allow the development of practical payment security resources.
*Note: The guidance document is intended for use by merchants, service providers, and assessors to provide entities with background knowledge, actionable guidance, and practical examples to assist in securing containerized systems against common threats. The guidance provided in this document is supplemental and does not supersede or replace any PCI standards requirements.